Accountability

Alongside the data protection principles listed above, the GDPR includes a requirement that data controllers can demonstrate compliance with those principles.

There is also a requirement to implement what the GDPR calls ‘data protection by design and by default’. This introduces an obligation to show that data protection has been treated as a fundamental principle in the design and operation of data processing activities and systems.

Data Protection Impact Assessments

An important tool in implementing and demonstrating data protection by design is a Data Protection Impact Assessment (DPIA). These are already encouraged by the ICO as a good way of meeting obligations under the DPA, although they are not currently a legal requirement.

Under the GDPR, DPIAs will be mandatory for new processing activities that are likely to result in a high risk to the rights and freedoms of individuals, particularly where new technologies are being used. The GDPR states that, although not limited to the following situations, this will particularly apply to:

• systematic and extensive processing carried out automatically, including profiling, that results in decisions being made that will have a legal or similarly significant effect on the data subject
• large-scale processing of special categories of data, or of personal data relating to criminal convictions and offences
• systematic, large-scale monitoring of a publicly accessible area (e.g. via CCTV)

Currently, the University’s policy is that a DPIA should be completed at the outset of any project, or change to an existing system or process, that will involve the collection or handling of personal data. The University’s DPIA template, along with further information about the process, is available here.

Also see the ICO’s webpage on accountability and governance, the Article 29 Data Protection Working Party’s guidance on Data Protection Impact Assessments under the GDPR and Articles 5(2), 25, 35 and 36 of the GDPR.