Feature, 3 August 2018

Taking a risk



Dr Michelle Goddard explains how assessing the risks involved in processing data is fundamental for organisations working under the new data protection framework.


The new data protection framework, introduced recently by the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, requires a fundamental shift in the approach to privacy, focusing on assessing risks and prioritising activities with a higher risk profile. 

Researchers will need to become comfortable with a more nuanced approach to compliance, as the new regime replaces what were previously rigid, clear-cut obligations with judgements that depend on the level of risk. For instance:

  • Do you need to appoint a data protection officer (DPO)? This depends on the nature and scale of your organisation’s processing activities, such as large-scale processing of special category data or large-scale, systematic monitoring of individuals
  • Do you need to conduct a Data Protection Impact Assessment (DPIA) for each research project? Only where the proposed processing is likely to result in a high risk to individuals
  • Do you need to keep full records of your processing? It depends on the risk of the processing, as well as the size of your organisation
  • Do you need to notify research participants, commissioning clients or the Information Commissioner’s Office (ICO) about a data breach? It depends on the nature of the breach and the level of risk it poses to individuals
  • How do you implement privacy by design and default? By considering the risk level across the organisation
  • What security measures are expected? Technical and organisational measures that ensure a level of security appropriate to the risk

The common thread across these legal obligations is the priority given to assessing the risks that processing poses to individuals’ fundamental rights and freedoms. Risk is a key component in ensuring you adhere to the obligations under the legislation. But what does this really mean for research suppliers?

Risky processing activities

Risk is not defined in the legislation, but it does give examples of activities that are likely to result in a high risk:

  • Systematic and extensive automated evaluation of individuals, including profiling, on which decisions with legal or similarly significant effects are based
  • Large-scale processing of special category data or criminal convictions data
  • Systematic monitoring of a publicly accessible area on a large scale.

Data protection authorities across the EU have issued guidance with additional examples of high-risk processing activities. Remember, however, that risk must be determined in the specific context of your own operations and there is no ‘one size fits all’ list. 

Processing likely to be riskier in a research context covers:

  • Large-scale processing of special category data (such as ethnicity, political or religious beliefs, and health data), for example in political opinion polling and healthcare research
  • Researching large groups of vulnerable individuals or children
  • Segmentation exercises that match or combine different datasets
  • Gathering public social media data to generate profiles of individuals
  • Archiving pseudonymised sensitive personal data from research projects or clinical trials.

In considering whether a research activity is risky, you need to think carefully about both the likelihood and the severity of any negative impact of your processing on individuals. Potential individual harm includes: discrimination; identity theft or fraud; financial loss; damage to reputation; loss of confidentiality; reversal of pseudonymisation; or significant economic or social disadvantage.

Implications of the risk level

As I said at the start of this article, clear obligations and/or exemptions under the GDPR flow directly from the level of risk:

  • Conducting a DPIA, and consulting the ICO if a high risk remains after the DPIA has been completed, is mandatory where processing is likely to result in a high risk to individuals. Failure to do so falls within the lower tier of GDPR administrative fines, so the maximum sanction is €10m or 2% of annual worldwide turnover, whichever is higher
  • Breaches likely to result in a high risk to individuals must be notified to the data subjects themselves, in addition to the ICO
  • Smaller businesses (fewer than 250 employees), which are otherwise exempt from full record-keeping, must still keep written records of any processing that is likely to result in a risk to individuals, is not occasional, or involves special category or criminal convictions data.

Consideration of risk cuts both ways, however. If you identify that the processing is unlikely to result in a risk, you may be exempt from some obligations, such as notifying the ICO about a breach, or appointing an EU-based representative if you are a controller based outside the EU.

Risk mitigation 

Identifying risk allows you to implement mitigation strategies. These need to be embedded in the organisation by developing a culture in which everyone takes a privacy-centric approach, and they must be put into practice through specific technical or organisational measures, such as:

  • Encryption of personal data, both in storage and in transit
  • Pseudonymisation or other steps to de-identify personal data (remembering that pseudonymised data is still personal data under the GDPR, unlike data that has been fully anonymised)
  • Minimising the amount of personal data collected and retained for a project.

DPIAs are the tool required under the GDPR to help in this process. As the ICO notes: “An effective DPIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation that might otherwise occur.” 

DPIAs require time, effort and resources and – although research suppliers have not traditionally undertaken a formal assessment approach – the requirements reflect the instinctive approach taken in considering the ethical implications of a research activity. 

What next? 

There may not always be one ‘right’ answer in the new data protection regime, but there is an obligation to keep processing under continual review, to prioritise, and to analyse, evaluate and record decisions that are taken, to ensure accountability for protecting individuals’ privacy. Remember, data protection compliance is an ongoing journey, not a destination. 

Dr Michelle Goddard is director of policy and standards at MRS
