FEATURE | 3 August 2018
Taking a risk
Dr Michelle Goddard explains how assessing the risks involved in processing data is fundamental for organisations working under the new data protection framework.
The new data protection framework, introduced recently by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, requires a fundamental shift in the approach to privacy, focusing on assessing risks and prioritising activities with a higher risk profile.
Researchers will need to become comfortable with a more nuanced approach to compliance, as this new regime introduces a level of uncertainty to what may previously have been more rigid and clear-cut obligations. For instance:
The common thread across these legal obligations is the priority given to assessing the risks that processing poses to individuals’ fundamental rights and freedoms. Risk is a key component in ensuring you adhere to the obligations under the legislation. But what does this really mean for research suppliers?
Risk is not defined specifically, but examples of activities that are more likely to result in a high risk include:
Data protection authorities across the EU have issued guidance with additional examples of high-risk processing activities. Remember, however, that risk must be determined in the specific context of your own operations and there is no ‘one size fits all’ list.
Processing likely to be riskier in a research context covers:
In considering whether a research activity is risky, you need to think carefully about the ‘likelihood and severity’ of any negative impact of your processing activities on individuals. Potential individual harm includes: discrimination; identity theft or fraud; financial loss; damage to individual reputation; loss of confidentiality; reversal of pseudonymisation; or significant economic or social disadvantage.
As I said at the start of this article, clear obligations and/or exemptions under the GDPR flow directly from the level of risk:
Consideration of risk works both ways, however. If you identify that the processing is not risky, or low risk, you may be exempt from some obligations, such as notifying the ICO about a breach or having to appoint an EU-based representative if you are a controller based outside the EU.
Identifying risk allows you to implement mitigation strategies. These need to be embedded in the organisation by developing a culture that ensures everyone takes a privacy-centric approach. This must be implemented by specific suitable technical or organisational measures, such as:
DPIAs are the tool required under the GDPR to help in this process. As the ICO notes: “An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.”
DPIAs require time, effort and resources and – although research suppliers have not traditionally undertaken a formal assessment approach – the requirements reflect the instinctive approach taken in considering the ethical implications of a research activity.
There may not always be one ‘right’ answer in the new data protection regime, but there is an obligation to keep processing under continual review, to prioritise, and to analyse, evaluate and record decisions that are taken, to ensure accountability for protecting individuals’ privacy. Remember, data protection compliance is an ongoing journey, not a destination.
Dr Michelle Goddard is director of policy and standards at MRS.