You must do a DPIA for processing that is likely to result in a high risk to individuals.
The GDPR states that a DPIA shall, in particular, be carried out where the proposed processing involves:
- using systematic and extensive profiling or automated decision-making to make significant decisions about people
- processing special category or criminal offence data on a large scale
- systematically monitoring publicly accessible places on a large scale
The use of the words “in particular” demonstrates that there may be other situations where a DPIA ought to be carried out.
The ICO also requires you to do a DPIA if you plan to:
- use innovative technology
- use profiling, automated decision-making or special category data to help make decisions on someone’s access to a service, opportunity or benefit
- profile individuals on a large scale
- process biometric data
- process genetic data
- match data or combine or compare datasets from different sources
- collect personal data from a source other than the individual without providing them with a privacy notice (or otherwise process such personal data)
- process personal data in a way that involves tracking individuals’ location or behaviour
- process children’s personal data for profiling or automated decision-making or for marketing purposes, or offer online services directly to them
- process personal data that might endanger the individual’s physical health or safety in the event of a security breach.
You should also think carefully about doing a DPIA for any other processing that is large scale, involves profiling or monitoring, decides on access to services or opportunities, or involves sensitive data or vulnerable individuals.
Even if there is no specific indication of likely high risk, it is good practice to do a DPIA for any major new project involving the use of personal data.
If you are in any doubt about whether a DPIA is needed, please contact the Office of the University Secretary by emailing firstname.lastname@example.org