GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA?
What is a DPIA?
When the personal data or the nature of the processing probably entails a high risk for the data subjects, the GDPR obliges you to carry out a risk analysis before the start of the processing, a so-called Data Protection Impact Assessment (DPIA).
A DPIA is an instrument to identify the privacy risks of data processing within your research prior to the start of the research. A DPIA will help you manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data (by assessing them and determining the measures to address them).
A DPIA may address one particular research, but it may also address a set of similar processing activities that present similar high risks.
When to conduct a DPIA?
The following criteria or potential risks will help you analyse whether or not your research constitutes a probable high-risk processing:
- Special categories of personal dataor personal data of a sensitive nature are processed in this research.
- Personal data of children or other vulnerable persons are processed in this research. These are:
- Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
- Data from or linked to the electronic health record (Elektronisch patiëntendossier)
- Genetic data
- Biometric data that can uniquely identify a natural person, such as audio recordings of voices, finger prints, face images, iris scans
- Health data (physical or mental health), data concerning a natural person’s sex life or sexual orientation
- Data relating to criminal convictions and offences
- Personal data of children or other vulnerable persons are processed in this research.
- Personal data are processed on a large scale. Always keep in mind the specific research context, such as:
- the number of data subjects;
- the number of collected personal data and/ or the number of categories. (e.g. are you only collecting names and mail addresses, or also information on hobbies, professional activities, family situation, …?);
- the retention period (e.g. are the data processed for a limited time period, or will the data be processed for a longer time period, or even on a permanent basis?);
- the geographical range of the processing activities (multiples countries?).
- Aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements are evaluated or scored, profiled or predicted. For example: making profiles on the basis of the use or navigation on websites; offering genetic tests to persons for judging and/ or predicting health risks, collecting data of social media for profiling purposes, …
- The data are transferred beyond the borders of the EU or the EEA, or to a country not listed on the ‘white list’. For example: data transfer to researchers outside the EEA; data storage on cloud services established outside the EEA, …
- The research involves datasets that have been or will be matched or combined. This means matching or combining personal data from one or more processing activities with multiple research purposes and/ or by multiple data controllers in a way that would not meet the reasonable expectations of the data subject(s)
- The processing aims at taking decisions producing legal effects concerning the data subject or similarly significant effects for the data subject. For example, the processing may lead to exclusion of or discrimination against individuals.
- Examples of legal effects: contract termination, grant/ refusal of social benefits, refusal of access to a country, …
- Examples of significant effects: credit assessment, refusal of access to health care services, employment opportunities or education (e.g. admission to university), profiling (case by case assessment)
- The processing prevents data subjects from exercising a right or using a service or a contract.
- The research involves the systematic monitoring of persons in one or more publicly accessible areas. For example: camera recordings on publicly accessible areas (such as railway stations, streets, market places, public library, …)
- The research involves innovative use or application of technological or organisational solutions, like combining the use of finger print and face recognition for improved physical access control. For example: innovative applications based on artificial intelligence, automated number plate recognition, …
- The research involves the processing of non-pseudonymised personal data. This means that you are processing raw personal data in your research, whereby your research data is not separated from the personal data (e.g. respondents are called by their names).
At Ghent University, the criteria to help you analyse whether or not your research constitutes a probable high-risk processing are embedded in the registration of processing activities (GDPR Record – question 25) via the online planning tool DMPonline.be (see GDPR: how do I register personal data processing activities?).
If two or more of these criteria apply to the data processing planned in your research, your research constitutes a probable high risk and you need to indicate this in question 26. In this case a Data Protection Impact Assessment or DPIA is advised to further identify the privacy risks related to the processing.
How to conduct a DPIA?
If two or more risks apply, your research constitutes a probable high risk and you need to complete the ‘DPIA’ section in DMPonline.be.
We advise you to complete the GDPR Record before you start the DPIA.
In the DPIA section you will be asked to describe and assess the risks to individuals, assess the necessity, proportionality and to describe the technical and organizational measures taken to mitigate the risks. By completing the questions in the DPIA, you should be able to estimate the impact and the likelihood of the risks in your research. By balancing the impact with the likelihood, you can indicate whether or not there are risks left in your research and whether or not they are acceptable.
When after conducting the DPIA you come to the conclusion that there are non-acceptable risks left, the DPO (for UGent: email@example.com; for UZGent: firstname.lastname@example.org) must be consulted prior to the start of the processing.
Keep in mind that the DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise.
For research at / in collaboration with UZGent: Since a DPIA can also relate to a series of comparable processing activities (or research projects) that entail comparable high risks, one DPIA can be created / used for this. A DPIA template has already been developed for retrospective and prospective research carried out at Ghent University Hospital. These templates can be consulted at the UZGent intranet and used as inspiration to complete the DPIA section in DMPonline.be.
Last modified Aug. 31, 2021, 1:51 p.m.