Metro map
The Article 5 principles tell you what to do when protecting personal data but do not tell you exactly how to do it. How do you determine what measures to take in a specific research project? That is where the Metro Map, which we will discuss in this chapter, can be of help to you.
Through the Metro Map step by step
The Article 5 principles imply the following for the research participant and the researcher:
- For research participants, these principles are enforceable as rights (for example, the right to rectification arises from the principle of accuracy)
- For researchers, there is an obligation to demonstrate compliance with these principles by applying data protection by design and data protection by default as a strategy for properly protecting the personal data of research participants.
This means that, while the principles are the same for each research project, the measures to be taken to protect personal data may differ from one research project to another.
How do you determine what measures to take in a specific research project? The Metro Map has been drawn up to help you understand, in broad terms, what actions need to be taken. It is a step-by-step plan that guides you, by means of concrete questions, from the research design to the issuing of a GDPR-compliant statement by your institution’s DPO. The video below explains the steps in detail:
Source: Domingus, M. (2018). The Privacy Impact Assessment (PIA) Route Planner for Academic Research. Inspired by Harry Beck’s London Metro Map. Retrieved from http://hdl.handle.net/1765/128160.
Here is the metro map in English, so you can follow along with the video:
Key points
The key points from the Metro Map can be summarised as follows:
- Only a small proportion of research projects require additional measures, because such measures are only required for high-risk projects
- A research project is classified as high risk if it meets at least two of the nine criteria included in the Decree concerning the list of personal data processing operations for which a data protection impact assessment (DPIA) is mandatory (Besluit inzake lijst van verwerkingen van persoonsgegevens waarvoor een gegevensbeschermingseffectbeoordeling (DPIA) verplicht is; in Dutch only), issued by the Dutch DPA
- A pre-DPIA can be used to determine whether a research project is considered high or low risk
- There is an obligation to conduct a full DPIA when performing high-risk research
- If a DPIA has been carried out for a similar research project in the past (in other words, the research to be performed falls within an existing research category), the measures that emerged from that DPIA may be adopted and no additional DPIA is required
- Most research projects follow the Orange Line on the Metro Map: these projects can be conducted in compliance with the GDPR by applying standard measures
Would you like to know what kind of concrete measures you can implement? If so, take a look at the overview below. In Module V ‘Measures’, we will discuss each measure in detail.