Updated GDPR Guidance from the Information Commissioner’s Office

28th February 2019

The General Data Protection Regulation (GDPR) sets out a number of requirements concerning personal data. Failure to comply with the regulations could lead to substantial fines.

The Information Commissioner’s Office (ICO) have recently updated their GDPR guidance, specifically in relation to Data Protection Impact Assessments (DPIAs). They have also expanded their guidance on contracts, and introduced guidance on the roles of controllers and processors.


What is a Data Protection Impact Assessment (DPIA)?


In accordance with the ICO’s guidance a DPIA must:

• describe the nature, scope, context and purposes of the processing;
• assess necessity, proportionality and compliance measures;
• identify and assess risks to individuals; and
• identify any additional measures to mitigate those risks.

A DPIA is useful for identifying and minimising the risks of a project. If your DPIA identifies a high risk and you cannot take measures to reduce that risk, you must consult the ICO. You cannot begin data processing until you have done so.

The GDPR and the ICO require you to carry out a DPIA in a number of situations. These include when you are:

• monitoring publicly accessible places;
• tracking the location and behaviour of individuals;
collecting or processing personal data;
• comparing personal data with data from other sources;
• profiling or engaging children for marketing purposes; or
• processing data that might endanger the individual’s physical health or safety in the event of a security breach.

The full details can be found in their guidance here.




Under GDPR, ‘data controllers‘ determine the purpose and means of processing personal data.

A controller may appoint a ‘processor’ to process the data on their behalf. Whenever a controller uses a processor, there must be a written contract (or other legal act) in place between them which sets out their respective responsibilities and liabilities. The ICO guidance sets out what should be included in that contract, in order to comply with GDPR, and the liabilities that the parties may face. The revised guidance can be found here.

The updated guidance also includes helpful checklists to help determine who the data controller is and who the data processor is. For instance, if you engage a catering company or IT supplier they are likely to be considered a processor. It is worth checking if your school has GDPR compliant contracts in place with these processors, and if not, schools should consider putting these in place as soon as possible.

If you would like any further advice, please contact Paul Watkins at [email protected]

Related Blogs

View All