Assessing data protection risks in research
A Data Protection Impact Assessment (DPIA) is an assessment of the risks associated with the processing of personal data from the perspective of the data subject.
The assessment examines, for example, whether the processing of personal data could pose risks to data subjects’ rights, freedoms, or privacy.
When is a DPIA required?
A DPIA must be carried out in particular when the processing of personal data is likely to result in a high risk to data subjects. As many research projects conducted through Findata meet these criteria, a DPIA is, in practice, a very common requirement.
Examples of high-risk processing include:
processing of special categories of personal data
large-scale processing of personal data
combining data from multiple registers
data relating to vulnerable individuals
use of new technologies, such as artificial intelligence
If data subjects’ rights are to be restricted, the DPIA must also be submitted to the Data Protection Ombudsman.