Data Protection Risk Assessments - Research
Trinity College Templates
Trinity College Dublin promotes a Privacy by Design-based approach to any research project which uses personal data.
Researchers are encouraged to carry out data protection risk assessments and/or to create data management plans, for any research which uses personal data. This will ensure that the entire research journey from access/collection to deletion/archival has been considered from a data protection perspective.
Adoption of this approach should minimise the risk of a data breach or non-compliance with data protection law.
- Conduct a Data Protection Risk Assessment
- Conduct a Data Protection Impact Assessment ('DPIA') if the research is considered high risk
The approved College templates are available here.
Could your research result in any of the following?
- may give rise to discrimination,
- identity theft or fraud,
- financial loss,
- damage to the reputation,
- loss of confidentiality of personal data protected by professional secrecy,
- unauthorised reversal of pseudonymisation, or any other significant economic or social disadvantage; where participants might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
Does your research use any two or more of the following types of data?
- data which reveal racial or ethnic origin;
- political opinions;
- religion or philosophical beliefs;
- trade union membership;
- genetic data;
- data concerning health;
- data concerning sex life;
- criminal convictions and offences or related security measures;
- where personal aspects are evaluated, in particular analysing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, in order to create or use personal profiles;
- where personal data of vulnerable individuals (in particular of children), are processed; or
- where processing involves a large amount of personal data and affects a large number of data subjects. (Recital 75 GDPR)
If you have answered ‘yes’ to two or more, please conduct a Risk Assessment.
If the risk assessment indicates high risk processing then a Data Protection Impact Assessment ('DPIA') may be required. Please contact dataprotection@tcd.ie for support and guidance.
More Information on Data Protection Impact Assessments
The DPIA should be updated to reflect any material changes to the processing as the project or activity progresses and should be retained by the process or data owner as evidence that data protection risks were assessed, and appropriate controls established.
Further Guidance on DPIAs