Data Protection by Design and Default and Data Protection Impact Assessments

The General Data Protection Regulation requires the University to implement appropriate technical and organisational measures:

• which are designed to implement the data protection principles; and
• for ensuring that, by default, only the minimum quantity of personal data are processed for each purpose.

These measures are referred to as Data Protection by Design and Default, the Standard Operating Procedure explains it in more details. 

The GDPR also requires data protection impact assessments (DPIAs) to be carried out on processing activities which are likely to result in a high risk to the rights and freedoms of individuals. When applicable, a DPIA helps the University to identify and minimise the data protection risks involved with a project or initiative involving particularly sensitive data, intrusive processing or very high volumes of data. They also play a key role in implementing data protection by design and default. 

Here at the University, we have introduced an initial step when new projects or initiatives are undertaken called the Information Governance Risk Review (IGRR). The IGRR is completed and submitted to the Information Governance Office (IGO) by the business owner or Project Manager. It is designed to make the IGO aware of any risks to privacy and to determine whether a DPIA is required.

If you have any queries regarding privacy by design, the IGRR or data protection impact assessments please contact the Information Governance Office.