Privacy by design

GDPR has introduced a principle in law that any proposed activity involving personal data should be assessed to ensure that the intended data processing meets the requirements of the law. This is often called 'Privacy by Design' and is part of the requirement on organisations to be able to evidence strong accountability and good governance over the use of personal data.

The law also states that if the intended processing meets the 'high-risk' criteria, then a statutory risk assessment must be undertaken; this is the Data Protection Impact Assessment (DPIA).

At ARU we therefore have a process that reviews projects, initiatives, or new processing, assesses them for legal compliance, identifies those that require a full DPIA and retains evidence of these assessments.

What is Privacy by Design?

The GDPR Privacy by Design requirement means that an organisation should have effective processes in place to risk assess proposals that involve the use of personal data, to ensure activities comply with the law. In practice this means embedding such assessments into our routine change processes, such as when new IT software is developed or purchased, a new supplier handling our personal data is procured, or we make significant changes to the way we deliver our services. Changes involving the use of personal data should therefore not be able to proceed without having first been assessed for privacy compliance.

The requirement falls within the principle of accountability, which means that if the regulator (the ICO) wanted to exercise its right to see evidence of our legal compliance, it would expect us to be able to demonstrate that our privacy by design process works by presenting examples of assessments.

Failure to be able to provide assessments, especially in relation to systems or processes which are the subject of a serious data breach, would likely put ARU at risk of regulatory action simply for failing to have done an assessment, in addition to any action taken over the breach itself.

It is therefore important that dpa@aru.ac.uk is contacted so that an assessment can be conducted on any new process or system which involves the use of personal data.

Embedding data privacy features into the design of projects can have the following benefits:

  • Potential problems are identified at an early stage.
  • Addressing problems early will often be simpler and less costly.
  • Increased awareness of privacy and data protection across the organisation.
  • Organisations will be less likely to breach the GDPR.
  • Actions are less likely to be privacy intrusive and have a negative impact on individuals.

What is a DPIA?

Since the introduction of GDPR on 25 May 2018, under Article 35 there is now a statutory requirement to undertake Data Protection Impact Assessments (DPIAs) where an organisation is proposing to process personal data in a way that could present a 'high risk' to data subjects.

The three primary conditions identified in the GDPR as signifying 'high-risk' are:

  • A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
  • Processing on a large scale of special categories of data.
  • Systematic monitoring of a publicly accessible area on a large scale.

These are supplemented by further guidance from the European Data Protection Board.

ARU therefore makes an initial assessment of all proposed new (or changes to existing) data processing, and the review will determine whether or not a full DPIA is required.

If a DPIA is required, the law states that the Data Protection Officer must be consulted on the proposal and give approval before it can proceed.

In exceptional cases where the processing of personal data is radical, untested and not provided for within current legal guidance, there may be a need to approach the ICO to ask for their assistance in making an assessment. In the unlikely event this is required, the referral is made and managed by the Data Protection Officer.

The ARU Process

Most of our controlled processes (e.g. IT Project Management, Procurement) steer the relevant colleague (requestor) managing the initiative to make contact with the Information Compliance Team to begin the assessment process.

This will involve completion of the DPIA form, which can be initiated by the requestor and sent to dpa@aru.ac.uk but should be completed by the Information Compliance Team. Only the first tab of the form, "Initial Assessment", should be completed at this stage.

This review will either result in:

  • confirmation that the proposal has insufficient detail or intends to introduce non-compliant activities, and so cannot be approved;
  • approval, potentially with some recommendations or requests for further information to be provided at a later stage of the project's development; or
  • confirmation that a full DPIA will be required.

If a full DPIA is required, the Information Compliance Team will make contact and work with the requestor to complete the additional tabs of the form and will communicate the outcome of the assessment.

Responsibility for ensuring that a specific proposal has been reviewed under this process lies with the individual responsible for the initiative/project. Similarly, they are responsible for acting on recommendations made by the Data Protection Officer and for ensuring any agreed risk mitigations are implemented.

The Data Protection Officer is responsible for delivery of the assessment process and for maintaining a record of assessments within ARU's Record of Processing Activity.