Legal

Data Protection Impact Assessment

Effective Date: 1st February 2026 Version 1.0

1. Project Description

Global Mayors Academy processes personal data of course participants, subscribers, and event attendees through its digital platforms in connection with the delivery of the City Leaders Program.

Data Collected

  • Name
  • Email address
  • Phone number
  • Address
  • Organisation
  • Payment details (where applicable)

Purpose of Processing

  • Course registration and enrolment
  • Communication with participants
  • Service delivery and program administration
  • Payment processing

2. Lawful Basis

Processing is carried out under the following lawful bases in accordance with the UK GDPR and EU GDPR:

  • Article 6(1)(b) — Contractual necessity
  • Article 6(1)(a) — Consent (marketing communications)
  • Article 6(1)(f) — Legitimate interests

3. Necessity & Proportionality Assessment

Data collected is limited to what is strictly necessary for identity verification, communication, and service provision. Data minimisation principles are applied throughout. No special category data is collected unless specifically required and consented to by the individual.

4. Risk Assessment

Identified Risks

  • Unauthorised access to participant data
  • Data breach via platform vulnerability
  • Phishing attacks targeting participants
  • International data transfer risk

Overall Risk Level

Standard CRM and email database risk profile.

Medium

5. Mitigation Measures

The following technical and organisational measures are in place to reduce identified risks:

  • SSL encryption across all platforms
  • Secure hosting with reputable providers
  • Role-based access controls
  • Two-factor authentication for system access
  • Data Processing Agreements with all third-party processors
  • Standard Contractual Clauses (SCCs) for international transfers
  • Regular software updates and security patching

6. Residual Risk

Following implementation of the mitigation measures described above, the residual risk level is assessed as:

Low to Medium

7. Consultation

Prior consultation with the Information Commissioner's Office (ICO, UK) may be required before processing commences if any residual high risk is identified that cannot be mitigated through internal measures.

This DPIA is a living document and will be reviewed and updated whenever there is a significant change to the nature, scope, or purpose of processing activities, or following a data breach or near-miss incident.

Questions about this assessment? Contact us at support@globalmayors.academy