Data Planning Impact Assessments

Data planning for Personal Data in XRUK

What is this document for?
  • For training and awareness if you plan to gather Personal Data for something new
  • Checking how you use Personal Data already
  • Thinking through the Personal Data you need for a project - i.e. “Data Planning”
Why do this?

A good Data Plan will be clear about why, and how, we process individual’s data within our principles and values, and meet our legal, practical and financial constraints.

We check if we need a formal “Data Protection Impact Assessment” (DPIA)

  • so we check the risks of having the Data - and if that is justified,
  • we reduce the risks of us having the Data where possible, and
  • to meet our broader Data Protection legal obligations.

And we would do this even without the legal obligations - if we are trusted with Personal Data, we need to respect the people who have trusted us with that.

Use this document if you

  1. plan to get Data about individuals
  2. maintain processes which use Data about individuals
  3. want to collect Data about individuals in a different way
  4. want to change how some Data is used,
  5. are the GDPR champion in a circle, or group which has Data about individuals, so you know when a Data Plan is needed

Who can see Data Plan?

A “data subject” can request to see the Data Protection Impact Assessment (DPIA) if one is created. So when you are writing a Data Plan or DPIA – keep the language simple and clear.


  • The Information Commissioners Office (ICO) has got a very detailed website. The page about data gathering is a very good … and long. The “At a Glance” section is several pages long, the “In Brief” is also several pages, and if you really want the detail then there are several more documents and pages. (More info & link in the “Do we need to do a DPIA?” section of the Data Plan - please see the link to the Data Plan below.)

  • Doing this type of Data Planning is part of the General Data Processing Regulations (GDPR), part of UK law, and covers organisations including XR UK.

  • The ICO only cares about Personal Data - information that relates to an identified or identifiable individual. (If you have Data about non-personal things, some of this Data Planning may help but isn’t a requirement.)

  • “Processing” is doing anything with the Personal Data; collecting, storing, reading, using, deleting.

  • We have a duty of care for any Personal Data we collect. In some cases we have to do a “Data Processing Impact Assessment” (DPIA), for processing that is likely to result in a “high risk to individuals”, or certain types of “complex processing”. (“Complex processing” is more likely to be something an Insurance company does to your data, to get you a quote - we don’t normally do it.)

  • Planning the who, what, how, where, when and why, makes sense, to minimise the harm and maximise the value of the data to XRUK.

  • We want to take care of each other, and that includes being careful with information about each other, so this is totally in accordance with our XR Principles and Values.

Training and walk-through

If this is all new to you, and you think you need to use this information, please ask the GDPR & Security Circle for a walk-through. On Mattermost you can ask any questions on the “GDPR & Security Reception Channel”