Data Privacy Impact Assessment (DPIA)

Under the GDPR, it is necessary to have a Data Privacy Impact Assessment related to personal data being processed, shared and stored. This is typically done by the Data Protection Officer in collaboration with an IT team. For more information on DPIA, please refer to this link.

When planning a study and applying for ethical approval, it would typically be expected that you conduct and document a simple DPIA in order to answer some basic but important questions:

  • What does the study entail?
  • Which parties are involved?
  • Which data types are sensitive?
  • Which security measures are being taken to protect data privacy? E.g.:
    • Privacy by Design
    • Privacy by Default
    • Privacy Enhancing Technologies
  • What is the goal of the data processing?
  • What is the selected lawful basis for processing the data?

This is part of your job as researchers, i.e. the goal of the data processing is to answer research questions as part of your public task.