1. Scope

All projects that involve high-risk processing of personal data, and any activities (both internal and external) that affect the processing of personal data and impact the privacy of data subjects, are within the scope of this procedure and will be subject to a data protection impact assessment (DPIA).

2. Responsibilities

2.1      The Data Protection Officer / GDPR Owner is responsible for performing necessary checks on personal data to establish the need for conducting a DPIA.

2.2      The Head of Risk and the Data Protection Officer / GDPR Owner are responsible for checking that appropriate controls are implemented to mitigate any risks identified as part of the DPIA process and the subsequent decision to proceed with the processing.

2.3      Risk Owners are responsible for implementing any privacy risk solutions identified.

2.4      For the purposes of this procedure, the processing of special categories of personal data is considered high-risk processing of personal data.

3. Procedure

3.1      The Data Protection Officer / GDPR Owner / project manager / programme office identifies the need for a DPIA at the start of each project by assessing the project, the type of personal data involved and the processing activity against the screening questions set out in the DPIA tool.

3.2      Using the criteria below, following the likelihood and impact matrix, ICNARC defines the risks to rights and freedoms of data subjects as (each cell is the likelihood score multiplied by the impact score):

                          Impact
                    0      1      2      3
Likelihood   3      0      3      6      9
             2      0      2      4      6
             1      0      1      2      3

 

Risks to rights and freedoms of data subjects:

Risk Level    From    To    GDPR Assessment
High          6       9     Highest unacceptable risk
Medium        3       5     Unacceptable risk
Low           1       2     Acceptable risk
Zero          0       0     No risk
4. Data processing workbook (data flow)

4.1      ICNARC records key information about all personal data processed for each project in the DPIA Tool workbook. This includes a description of the processing and purposes; legitimate interests pursued by the controller; an assessment of the necessity and proportionality of the processing; an assessment of the risks to the rights and freedoms of data subjects (as per the matrix and risk level definitions in clause 3.2 above).

4.2      ICNARC captures the type of processing activity associated with the personal data being processed as part of the project in the DPIA Tool workbook. These are categorised as:

  • Collection
  • Transmission
  • Storage
  • Access
  • Deletion

4.3      ICNARC establishes the lawful basis under which the data is being processed and its appropriate retention period, in line with the Retention of Records Procedure.

4.4      ICNARC identifies the category of data processed, whether it is personal data, special category data or a child's data, and the format of the data.

4.5      ICNARC identifies who has access to the data (individuals, teams, third parties or data processors) or who is involved in the processing of personal data or the processing activity, and records the geographic location where the processing takes place and whether it is cross-border processing.

5. Identify privacy risks

5.1      ICNARC assesses the privacy risks for each processing activity, as described in clause 3 above, by:

5.1.1       Identifying and describing the privacy risk associated with that processing activity;

5.1.2       Using the likelihood criteria (1 – low, 2 – medium and 3 – high), scoring the likelihood of the risk occurring;

5.1.3       Using the impact criteria (0 – zero impact, 1 – low, 2 – medium and 3 – high), scoring the impact of the risk should it occur; and

5.1.4       Producing a calculated risk score, which identifies the level of risk to the rights and freedoms of data subjects.

5.2      In assessing the privacy risks, ICNARC considers: risks to the rights and freedoms of natural persons resulting from the processing of personal data; risks to the business (including reputational damage); and its objectives and obligations (both regulatory and contractual).

5.3      ICNARC identifies solutions to privacy risks, assigns a risk treatment owner and sets a target date for completion. See Risk Treatment Plan (DSP REC 01-1.4.5a).

5.4      ICNARC prioritises analysed risks for risk treatment based on the risk level criteria established in clause 3.2 above.

5.5      The ICNARC risk owner, in consultation with the Data Protection Officer, approves and signs off each DPIA for each data processing activity.

6. Prior consultation (Article 36, GDPR)

6.1      Where the DPIA identifies that the processing of personal data would result in a high risk to the data subject in the absence of risk-mitigating measures and controls, ICNARC consults the supervisory authority (the ICO) using the following method.

6.2      When ICNARC requests consultation from the supervisory authority, it provides:

6.2.1       Details of the respective responsibilities of ICNARC (as controller, processor or joint controller) and of any other controller, processor or joint controller involved in the processing;

6.2.2       Purpose of the intended processing;

6.2.3       Detail of any/all measures and controls in place/provided to protect the rights and freedoms of the data subject(s);

6.2.4       Contact details of the Data Protection Officer / GDPR Owner;

6.2.5       A copy of the data protection impact assessment; and

6.2.6       Any other information requested by the supervisory authority.

Document owner and approver

The Data Protection Officer / GDPR Owner is the owner of this document and is responsible for ensuring this procedure is reviewed in line with the requirements of the DSP Toolkit.

A current version of this document is available to all/specified members of staff on Huddle, and is also available on Confluence and icnarc.org.

This procedure was approved by the Managing Director on 20/03/2019.