- Data protection impact assessment
The exceptions for research mean that it is possible to work with sensitive personal data within certain frameworks. But these exceptions are also accompanied by some obligations. Here we discuss two of the most important obligations.
Obligation 1: Consulting a privacy officer
The first obligation is that, if a researcher wishes to process sensitive personal data within a research project, they must always consult a privacy officer within the institution (such as a Data Protection Officer (DPO)). The research project may be allowed to go ahead in the desired form, but only and always in consultation with the privacy officer of the institution: researchers should not make this decision themselves.
The privacy officer will work with the researcher to determine what additional measures and safeguards are needed to ensure proper protection of the sensitive personal data. In addition, as part of the data protection impact assessment, the privacy officer will verify compliance with the principles specified in Article 5; this is discussed in greater detail in Chapter 3: GDPR.
Obligation 2: Data protection impact assessment
The second obligation when working with sensitive personal data within a research project is to conduct a data protection impact assessment (DPIA). The GDPR defines a DPIA in Article 35.1 as follows:
Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.
Therefore, a DPIA identifies the potential risks within the research project and offers the researcher a possible approach for determining the measures to be taken. While it is desirable to perform a DPIA for every research project, this is mandatory – under penalty of a fine – prior to drafting the research plan or research application if sensitive personal data are involved in the research. The outcome of a DPIA provides insight into the additional measures to be taken.
Additional measures that may be necessary include security measures such as pseudonymisation, anonymisation and end-to-end encryption. GDPR Article 32 lists the possible measures. Here the GDPR only indicates that a researcher must take measures and specifically refers to encryption and pseudonymisation as examples, but in practice a variety of measures are possible depending on the context of the research. However, these measures must be proportionate under the GDPR: purchasing an expensive encryption system that allows a researcher to hide only the first names of participants defeats the purpose, as stated in GDPR Recital 83:
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.
Please note: if the research falls within an existing category with respect to the processing of sensitive personal data (in other words, the research method is similar to that of earlier research projects for which a DPIA has already been performed), a new DPIA is not necessary, since the conclusions regarding the measures can be carried over from the previous DPIA.