1. Project Overview

Spike Map is a public-safety mobile application that enables users to:

• Log suspected drink-spiking incidents
• View anonymised heatmaps of reported incidents
• Receive alerts based on location
• Access quick-dial emergency contacts

2. Why a DPIA is Required

A DPIA is required because Spike Map processes:

• Location data (sensitive)
• Health-related information (symptoms)
• Potentially criminal-related reports
• Data linked to identifiable users
• Real-time alerts: These are classified as high-risk processing under UK GDPR.

3. Nature of the Data Processed

• Email address
• Password (hashed)
• User-submitted incident data
• Optional photos
• GPS location
• Device information
• App usage logs: No biometric data or payment data collected.

4. Purpose of Processing

• To map possible drink-spiking incidents
• To send alerts to users in the area
• To provide safety support
• To support public health research (anonymised only)

5. Lawful Basis

• Account creation → Contract
• Reports containing symptoms → Explicit Consent
• Location tracking → Consent
• Safety alerts → Legitimate Interests
• Research/analytics → Legitimate Interests (Anonymised)

6. Data Flow

• User logs in
• Data stored on secure cloud server
• Incident reports anonymised for heatmap
• Alerts triggered for nearby incidents
• Aggregated insights shared with trusted partners (no personal data)

7. Risks Identified

8. Mitigation Measures

• Encryption at rest + in transit
• Access restricted to essential staff only
• Regular security audits
• Data minimisation
• Photos optional & discouraged
• No identifying details allowed in reports
• 24-month retention only
• User verification for deletion requests

9. Residual Risk Assessment

After mitigation measures, residual risk is low-to-medium, acceptable for a public safety tool.

10. Approval

Data Controller: AGLP Event Enterprises CIC
Approved by: Director – Rose Marok
Date: 17 November 2025