What is a Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a process that helps to identify and mitigate potential risks to privacy and to compliance with data protection law when processing personal data. Under the new data protection legislation, in force from 25 May 2018, DPIAs are required for high-risk processing activities.
How does a DPIA work?
A DPIA enables you to identify and reduce the privacy risks of a project by analysing how the proposed uses of personal information and technology will work in practice.
When should you do a DPIA?
Carrying out a DPIA is mandatory where the processing of personal data is likely to result in a high risk to the rights and freedoms of individual data subjects. Under the GDPR, a DPIA is in particular required in the case of:
- a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of special categories of data, or of personal data relating to criminal convictions and offences;
- a systematic monitoring of a publicly accessible area on a large scale (camera surveillance).
You should consider conducting a DPIA during the planning stage of new projects. A DPIA may also be required if changes are made to an existing project. DPIAs must be updated as the process develops, particularly if issues are identified which may affect the risk to the data protection rights of affected individuals.
Does your research project need a DPIA?
Are you about to start processing that poses a high risk to the rights and freedoms of natural persons? To help researchers determine whether a DPIA is required, we have set out a Pre-DPIA form.
The Principal Investigator or Supervisor is normally responsible for ensuring that a DPIA is completed.
We have developed this brief form on carrying out a DPIA to assist researchers in making their own judgment for each project they undertake that has potential privacy impacts.
When is a DPIA not required?
Even if the pre-DPIA results in more than two 'yes' answers, it is not always necessary to conduct a full DPIA, for example because safe data management is already in place. If in doubt, contact the Privacy Contact Person of your faculty or the DPO team.
Also, a DPIA would not be required where:
- The processing is not likely to result in a high risk to data subjects' rights;
- The nature, scope, context and purposes of the processing are very similar to the processing for which a DPIA has already been carried out. Where a set of similar processing operations present similar high risks, a single DPIA may be undertaken to address all of those processing operations; or
- Personal data is not being processed.