A Privacy Impact Assessment (PIA) is a systematic process to identify and mitigate any potential privacy risks associated with the processing of personal data. This includes assessing the necessity and proportionality of the data processing, evaluating the potential impact on individuals' rights and freedoms, and implementing appropriate safeguards to protect the data. PIAs are essential for promoting transparency, accountability, and ethical data handling practices within organizations. By carefully assessing potential risks and which mitigating measures need to be implemented, you reduce the likelihood of data breaches, legal non-compliance, and negative impacts on individuals' privacy.
PIAs look at risks on three levels:
- Data processing
- Technology and infrastructure
- Your role and your collaborators roles
It also helps to decide which organizational and technical measures need to be taken. Part 6 and 7 in the TU/e ERB form address privacy and security aspects of your project. These parts are also used to decide whether a more extensive Data Protection Impact Assessment (DPIA) is necessary, and which measures (such as safe storage and anonymization or pseudonymization) should be taken to reduce or prevent the privacy risks.
The following questions may help you to map the privacy risks:
- Will I be working with special categories of personal data?
- Will I collect data from a vulnerable group of participants, such as children, people with dementia, patients, or people with learning difficulties?
- Will my data be securely stored throughout all phases of my research project?
- Do I have a system implemented to restrict and provide access to the data as needed?
Data Protection Impact Assessment
If the research you are planning to perform can be defined as a high-risk one, it may be necessary to perform a DPIA. You do not have to perform a DPIA for every data processing operation. A DPIA is only mandatory for projects involving the processing of personal data and if data processing is likely to pose a high privacy risk to data subjects. To assess if your data processing has a significant risk to the privacy of others you first need do a pre-DPIA scan. A pre-DPIA is a short questionnaire that determines how high the risk is when processing personal data from a project and whether a more extensive DPIA is needed and what measures you need to take to ensure the privacy of data subjects. You can find FAQ about DPIA on the Privacy page.
In any case, you have a high risk if you:
- follow people on a large scale and systematically in publicly accessible areas; (for example with camera surveillance).
- Process special personal data on a large scale.
- systematically and extensively evaluate personal aspects (including profiling).
Data stewards can help you with assessing the risks associated with your data processing and can give you advice on privacy, GDPR, and ethical issues before starting your research. They can also support you and provide advice on completing DPIA template.
Make sure that you regularly review data processing and privacy risks during your research. These risks may change and therefore the security measures you had planned need to be reviewed and updated accordingly.