YionStack
DPIA framework · UK GDPR Articles 35–36

Data-protection impact assessments.

When we are likely to process personal data in a way that creates a high risk to data subjects, we carry out a DPIA before the processing starts. This page describes our framework so that controllers using YionStack (and the ICO, if they ask) can see how we approach Article 35.

Last updated: 10 June 2026

When we run a DPIA

Article 35(1) UK GDPR requires a DPIA whenever processing is likely to result in a high risk to data subjects; Article 35(3) names three cases where that is always so (systematic and extensive automated evaluation with legal or similarly significant effects, large-scale special-category or criminal-offence data, and large-scale systematic monitoring of public areas), and the ICO's published list under Article 35(4) adds further categories. We run a DPIA whenever any of the categories below apply. We also run a lightweight DPIA screen on every materially new feature so that borderline cases are caught.

  • A new processing activity that is likely to result in a high risk to data subjects
  • Use of new technology or a novel application of existing technology
  • Large-scale processing of special-category personal data
  • Automated decision-making with legal or similarly significant effects
  • Systematic monitoring of publicly accessible areas at scale
  • Combining or matching datasets from different sources
  • Processing data of vulnerable subjects (including learners under our education customers)
  • Innovative use of AI / machine learning that could affect data subject rights

The six steps

  1. Describe the processing

    Nature, scope, context, purposes. What data, whose data, why, where it flows, how long it stays.

  2. Assess necessity and proportionality

    Is the processing necessary for the stated purpose? Could we achieve it with less data, shorter retention, or less invasive means?

  3. Identify and assess risks

    Risks to data subject rights (illegitimate access, unauthorised modification, loss, identity theft, financial loss, reputational damage). Each risk is scored as likelihood × severity.

  4. Identify mitigations

    Technical and organisational measures: encryption, access control, minimisation, pseudonymisation, retention limits, training.

  5. Sign-off and residual risk

    Document the residual risk after mitigation. Director sign-off. If residual risk is still high, prior consultation with the ICO under Article 36 before processing starts.

  6. Review

    The DPIA is a living document. We revisit it when the processing materially changes, or at least annually.

Completed DPIAs — register summary

This is the public summary of our internal DPIA register. Full assessments are shared with controllers and the ICO on request (redacted where necessary).

  • DPIA-2026-01 — Support and operational access by personnel located outside the UK, and call recording / AI assistance in YionConnect (completed 11 May 2026)

    Assesses (a) Yiontech personnel and contractors located outside the UK accessing personal data on YionStack to handle support and operational tasks, and (b) the planned YionConnect telephony module's call handling, optional consented call recording, transcription and AI summary / routing. Lawful bases: legitimate interests / contract (Yiontech's own data); customer instruction under the DPA (customer data); the relevant DPA 2018 Schedule 1 condition plus our Appropriate Policy Document for any special-category or criminal-offence data. Key mitigations: UK IDTA + Transfer Risk Assessment per country; data stays on UK / EEA infrastructure, accessed record-by-record (no bulk export); role-based access + row-level isolation; full access logging; encryption in transit and at rest; managed-device controls; written confidentiality / data-protection undertakings; consent announcement before any recording; recording retention clock with automated deletion; zero-retention enterprise terms for AI providers; separated listen / export / delete permissions on recordings, all audited. Residual risk assessed low after mitigation — no ICO prior consultation required. Review: annually or on material change (e.g. new country, wider data categories, recording / AI features going live).

Sharing DPIAs with controllers

When you (a controller) use YionStack and need to support your own DPIA under Article 35, we provide reasonable assistance under Clause 9 of our DPA. On request we share:

  • Description of our processing operations
  • Sub-processor list with regions and transfer safeguards (DPA Annex 3)
  • Article 32 security measures (DPA Annex 2)
  • Data flow diagrams for the relevant feature
  • Our internal DPIA register summary, redacted where necessary

Email privacy@yionstack.co.uk with “DPIA support request” in the subject. We respond within 2 working days.

Prior consultation with the ICO

If a DPIA shows that the processing would still carry a high residual risk after the planned mitigations, Article 36 requires us to consult the ICO before the processing starts. We treat this as a hard gate: where residual risk is high, the processing does not begin until we have either reduced the risk further or completed the consultation.

Need help with your own DPIA?

Email privacy@yionstack.co.uk and tell us what you're assessing. We respond within 2 working days with the relevant artefacts.