Revised DPIA cribsheet

Shortly after we did out first Data Protection Impact Assessments, on the Janet Security Operations Centre and the Jisc Learning Analytics Service, the ICO published its DPIA guidance. This contained a few minor additions, which have been added to this new version of our information gathering cribsheet:

  • In section (a) the nature of processing should mention any new technologies or novel processing and retention periods for data. There’s also specific information about the context: how many data subjects there are, where they are located, what our relationship is with them and what expectations they are likely to have of us and our processing.
  • In section (c) the harms considered should include discrimination, fraud, financial loss, reputational damage, physical harm, loss of confidentiality, reidentification, other significant economic or social disadvantage
  • In section (d) measures and safeguards include training, documentation, pseudonymisation, and reduced retention.

We’ll be using this revised cribsheet for future DPIAs, including when we revisit the existing ones.

You can find it at: DPIA collection cribsheet v2.0

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *