Risk assessment
When processing personal data, you should take a risk-based approach: before the processing starts, consider carefully which negative consequences it could have for the privacy and integrity of the research participants. Based on those risks, decide which technical and organisational measures are needed to guarantee the confidentiality of the data.
An inadequate risk assessment, in which the technical or organisational measures turn out to be insufficient to protect the data, makes a data breach more likely. Such a breach can harm the privacy and integrity of the data subjects, for example through discrimination or exclusion of individuals and/or communities.
The data protection impact assessment (DPIA): a risk assessment in the GDPR
When the nature of the personal data or of the processing is likely to result in a high risk for the data subjects, you are obliged (Article 35 GDPR) to conduct a data protection impact assessment (DPIA): a risk analysis carried out before the data processing starts. A DPIA helps you to manage the risks to the rights and freedoms of the data subjects that follow from the processing of their personal data, by assessing those risks and taking appropriate measures to deal with them. A DPIA can cover one specific research project, but also a series of comparable processing activities (or research projects) that carry comparable high risks.
The following criteria can help you to determine whether the processing of personal data within your research potentially forms a high risk.
- Special categories of personal data are being processed.
- Personal data of children or other vulnerable persons are being processed.
- Personal data are processed on a large scale (take into account the number of data subjects, either as an absolute number or as a proportion of the relevant population).
- Aspects relating to the data subject's work performance, economic situation, health, personal preferences or interests, reliability or behaviour, or location or movements are evaluated, scored, profiled or predicted.
- The personal data are shared with or transferred to countries outside the EEA, or to countries for which the European Commission has not issued an adequacy decision (countries which are not on the 'white list').
- The research concerns datasets which are or will possibly be shared.
- The processing is aimed at taking decisions which entail legal or comparable significant effects for the data subjects. For example, the processing could lead to exclusion or discrimination of the data subjects.
- The processing prevents data subjects from exercising a right, or from using a service or a contract.
- Your research covers the systematic monitoring of persons in one or more publicly accessible areas.
- Your research concerns the innovative use or application of technological or organisational solutions, such as combining fingerprints and face recognition for enhanced physical access control.
- Your research concerns the processing of non-pseudonymised personal data.
- It is planned to link different (special categories of) personal data.
If two or more of these criteria apply to your research, the processing potentially forms a high risk. In that case a DPIA is required in order to identify the privacy risks relating to the processing. Even when only one criterion applies, a DPIA is advisable if the impact of that risk on the data subjects would be severe.
In a DPIA you are asked to describe and assess the risks, to assess the necessity and proportionality of the processing, and to describe the technical and organisational measures taken to mitigate the risks. By answering the questions in the DPIA, you should be able to estimate both the impact and the likelihood of each risk in your research. By weighing the impact against the likelihood, before and after the mitigating measures, you can indicate whether residual risks remain and whether they are acceptable. If a high residual risk remains that you cannot mitigate, the GDPR requires you to consult the supervisory authority before the processing starts (Article 36 GDPR).