GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA?
What is a DPIA?
When the personal data or the nature of the processing is likely to entail a high risk for the data subjects, the GDPR obliges you to carry out a risk analysis before the processing starts, a so-called Data Protection Impact Assessment (DPIA).
A DPIA is an instrument to identify the privacy risks of the data processing within your research before the research starts. It helps you manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data, by assessing those risks and determining the measures to address them.
A DPIA may address one particular research project, but it may also address a set of similar processing activities that present similar high risks.
When to conduct a DPIA?
The following criteria (potential risks) help you analyse whether your research is likely to constitute high-risk processing:
- Special categories of personal data are processed in this research.
- Personal data of children or other vulnerable persons are processed in this research.
- Personal data are processed on a large scale (please consider the number of data subjects concerned, either as a specific number or as a proportion of the relevant population).
- Aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements are evaluated or scored, profiled or predicted.
- The data are transferred beyond the borders of the EU or the EEA, or to a country not listed on the ‘white list’.
- The research involves datasets that have been or will be matched or combined.
- The processing aims at taking decisions producing legal effects concerning the data subject or similarly significant effects for the data subject. For example, the processing may lead to exclusion of or discrimination against individuals.
- The processing prevents data subjects from exercising a right or using a service or a contract.
- The research involves the systematic monitoring of persons in one or more publicly accessible areas.
- The research involves innovative use or application of technological or organisational solutions, such as combining fingerprint and face recognition for improved physical access control.
- The research involves the processing of non-pseudonymised personal data.
At Ghent University, the criteria that help you analyse whether your research is likely to constitute high-risk processing are embedded in the registration of processing activities (GDPR Record, question 25) via the online planning tool DMPonline.be (see GDPR: how do I register personal data processing activities?).
If two or more of these criteria apply to the data processing planned in your research, the processing is likely to be high-risk and you need to indicate this in question 26. In that case a Data Protection Impact Assessment (DPIA) is advised to further identify the privacy risks related to the processing.
How to conduct a DPIA?
If two or more of the risks apply, the processing in your research is likely to be high-risk and you need to complete the ‘DPIA’ section in DMPonline.be.
We advise you to complete the GDPR Record before you start the DPIA.
In the DPIA section you will be asked to describe and assess the risks to individuals, to assess the necessity and proportionality of the processing, and to describe the technical and organisational measures taken to mitigate the risks. By completing the questions in the DPIA, you should be able to estimate the impact and the likelihood of the risks in your research. By weighing the impact against the likelihood, you can indicate whether residual risks remain in your research and whether they are acceptable.
If, after conducting the DPIA, you conclude that non-acceptable risks remain, the DPO (for UGent: firstname.lastname@example.org; for UZGent: email@example.com) must be consulted before the processing starts.
Keep in mind that the DPIA should be conducted before the processing and should be considered as a living tool, not merely as a one-off exercise.
For research at or in collaboration with UZGent: since a DPIA can also relate to a series of comparable processing activities (or research projects) that entail comparable high risks, one DPIA can be created and used for all of them. DPIA templates have already been developed for retrospective and for prospective research carried out at Ghent University Hospital. These templates can be consulted on the UZGent intranet and used as inspiration to complete the DPIA section in DMPonline.be.
Last modified June 3, 2020, 2:48 p.m.