GDPR: Ensuring data protection is part of everyday business
27 Jun 2018
Data Protection by Design
Under the new General Data Protection Regulation (GDPR), which came into force on 25 May 2018, there is an obligation to ensure data protection requirements are built into the design and planning phases for any new technologies or processes that will involve the collection, use, or sharing of personal data.
Likewise, where significant changes are proposed to existing data processing activities, data protection requirements will also need to be built into those changes.
This may include:
- Systems or software that involve the storage of personal data e.g. Cloud or other externally hosted services
- Systems, software or processes that monitor or profile individuals based on their personal data e.g. attendance monitoring, CCTV systems, wealth screening activities or learner analytics
- New collections of personal data or processes that involve new or novel processing e.g. research involving the use of apps, artificial intelligence or the use of personal data in ways it is not already used
Where the process involves significant volumes of data and/or special category personal data, and is therefore considered ‘high risk’, a Data Protection Impact Assessment (DPIA) will need to be completed.
To address these two GDPR requirements, the Information Governance Office (IGO) have developed an Information Governance Risk Review (IGRR). This includes a series of basic data protection screening questions designed to determine the risk of the proposed data processing.
For further information about the new requirements please see the Guide to Data Protection by Design or contact the Information Governance Office.
All staff were asked to complete the compliance checklist during May. If you’ve not yet completed it, please visit MyManchester without delay.