Risk Assessments (DPIAs) 

What is a Data Protection Impact Assessment (DPIA)?  

A DPIA is a process used to identify, assess and reduce the data protection risks of a project. Under Article 35 of the GDPR it is mandatory wherever processing is likely to result in a high risk to individuals’ rights and freedoms, which includes much research involving special category data such as health, genetic or biometric data. DPIAs are how data protection by design and by default is evidenced in practice, and they form part of TU Dublin’s accountability obligations.

Why are DPIAs important for research?  

DPIAs help ensure that personal data are processed lawfully, fairly and transparently. They protect individuals’ privacy rights, reduce the likelihood of data breaches and compliance failures, and demonstrate that TU Dublin is meeting its responsibilities under data protection law. Failing to carry out a DPIA where one is required can expose the University to regulatory sanctions and fines, reputational damage, and security incidents that an assessment would have anticipated.

You should assume a DPIA is required if your research involves any two or more high-risk factors, such as:

  • large volumes of personal data
  • special category or sensitive data
  • data relating to vulnerable individuals
  • profiling, evaluation, or scoring
  • automated decision-making
  • systematic monitoring
  • combining or matching datasets
  • new digital systems or platforms
  • transfers to external service providers or cloud platforms
  • international data transfers
  • processing that limits individuals’ ability to exercise their rights

If in doubt, a DPIA should be completed or advice sought before progressing. 

The researcher and their supervisor are responsible for completing the DPIA. They must ensure that all required information is accurate, complete and reflects how personal data will be processed within the research project. 

Once completed, the DPIA is reviewed by the Information Governance team, who assess it for data protection compliance and risk management. Following this review, the DPIA is formally noted before the research can proceed. 

A DPIA may still be required for student projects, pilot studies, feasibility studies or early-stage research if the processing poses a high risk to individuals, particularly where health data, vulnerable groups or new systems are involved. The small scale or early stage of a project does not by itself remove the requirement.

Ethical approval and a DPIA are separate requirements. Ethics approval focuses on research integrity and participant welfare, while a DPIA specifically addresses data protection risks and GDPR compliance. One does not replace the other, and holding one does not exempt a project from the other.

Where existing data are reused for new research, a DPIA is likely to be required if:

  • the data were collected for a different purpose
  • new data controllers or processors are involved
  • datasets are being combined or linked
  • the reuse creates new or higher risks to individuals

Anonymised data can no longer be linked to an identifiable individual, by the controller or by anyone else using means reasonably likely to be used (GDPR Recital 26), and so are no longer personal data under the GDPR. Anonymisation must be irreversible: simply removing names, or replacing identifiers with an unkeyed hash of a small identifier space such as student numbers, does not meet this bar, because the remaining attributes or the hash can still be linked back to a person.

Pseudonymised data have had identifying information replaced with a code or pseudonym, but can still be re-identified by whoever holds the additional information (the key or code list) that links the pseudonym back to the individual. They remain personal data and the GDPR continues to apply, although pseudonymisation is a recognised security measure that reduces risk.

If the data are fully and irreversibly anonymised, the GDPR does not apply to the anonymised dataset and a DPIA is not required for its use. Note that collecting the identifiable data and carrying out the anonymisation are themselves processing of personal data, so those steps still need a lawful basis. If the data are only pseudonymised, they are still personal data and a DPIA may be necessary; the key or code list should be held separately from the dataset, under stricter access controls than the data itself.
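The following is an added illustration of the distinction above; it is not part of TU Dublin’s guidance, and the participant records, student numbers and field names in it are constructed for the example. It shows a keyed pseudonymisation that is reversible only with the separately held key, an unkeyed hash of a low-entropy identifier that anyone can reverse by enumeration (so it is not anonymisation), and an aggregation with small-group suppression that leaves nothing to link back to an individual.

```python
"""Pseudonymisation versus anonymisation on constructed research records.

Added example, not TU Dublin's own material. All records are fictional.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample data: five fictional participants (assumed field names).
RECORDS = [
    {"student_id": "S1001", "age": 23, "course": "Computing", "score": 71},
    {"student_id": "S1002", "age": 27, "course": "Computing", "score": 64},
    {"student_id": "S1003", "age": 21, "course": "Computing", "score": 82},
    {"student_id": "S1004", "age": 45, "course": "Nursing", "score": 77},
    {"student_id": "S1005", "age": 24, "course": "Nursing", "score": 69},
]


def make_key() -> bytes:
    """The key is the 'additional information' that enables re-identification.
    It must live apart from the dataset, with stricter access controls."""
    return secrets.token_bytes(32)


def _token(key: bytes, student_id: str) -> str:
    # Keyed HMAC-SHA256, truncated to 64 bits for a compact pseudonym.
    return hmac.new(key, student_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token; keep the research fields."""
    return [
        {"pid": _token(key, r["student_id"]), "age": r["age"],
         "course": r["course"], "score": r["score"]}
        for r in records
    ]


def reidentify(pseudo_records, key, candidate_ids):
    """Whoever holds the key plus a list of possible identifiers rebuilds the link.
    This is why pseudonymised data remain personal data."""
    lookup = {_token(key, cid): cid for cid in candidate_ids}
    return {p["pid"]: lookup.get(p["pid"]) for p in pseudo_records}


def naive_hash(student_id: str) -> str:
    """Unkeyed SHA-256 of a low-entropy identifier: looks like a pseudonym but
    is reversible by anyone, because the identifier space can be enumerated."""
    return hashlib.sha256(student_id.encode()).hexdigest()


def reverse_naive_hash(digest: str, id_space):
    """Brute-force the unkeyed hash over every plausible identifier."""
    for cid in id_space:
        if naive_hash(cid) == digest:
            return cid
    return None


def anonymise(records, min_group=2):
    """Aggregate into (course, age band) groups and suppress groups smaller than
    min_group, so no output row describes a single identifiable person."""
    count = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        lo = (r["age"] // 10) * 10
        group = (r["course"], f"{lo}-{lo + 9}")
        count[group] += 1
        total[group] += r["score"]
    return {
        g: {"n": n, "mean_score": round(total[g] / n, 1)}
        for g, n in count.items() if n >= min_group
    }


if __name__ == "__main__":
    key = make_key()
    pseudo = pseudonymise(RECORDS, key)
    ids = [r["student_id"] for r in RECORDS]
    print("pseudonymised rows:", len(pseudo))
    print("recovered with key:", sum(v is not None for v in reidentify(pseudo, key, ids).values()))
    print("recovered with wrong key:", sum(v is not None for v in reidentify(pseudo, make_key(), ids).values()))
    space = [f"S{i:04d}" for i in range(10000)]
    print("unkeyed hash reversed to:", reverse_naive_hash(naive_hash("S1003"), space))
    print("anonymised aggregate:", anonymise(RECORDS))
```

The aggregate output keeps only the Computing 20-29 group (three participants); the two single-person Nursing groups are suppressed, because a group of one is just that person with the name removed.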

Data minimisation means collecting only the personal data that are strictly necessary for the research. Storage limitation means keeping personal data only for as long as needed to fulfil the research purpose, in line with TU Dublin’s retention schedules. 

All research involving personal data must have a valid lawful basis under Article 6 of the GDPR. Where special category data are processed, an additional Article 9 condition is also required. In many research contexts this is explicit consent, which must be freely given, specific, informed and capable of being withdrawn. Consent documentation must clearly explain:

  • why the data are being collected
  • how they will be used, stored, and protected
  • who will have access to them
  • the data retention period
  • how individuals can exercise their data protection rights

Individuals whose personal data are used in research have rights under the GDPR, including the right to: 

  • be informed
  • access their data
  • request rectification or erasure
  • restrict or object to processing
  • data portability (where applicable)

Researchers must ensure these rights are explained clearly and that processes are in place to respond to requests promptly. 

Researchers must identify: 

  • internal TU Dublin recipients
  • external processors or collaborators
  • third-party hosting or cloud services
  • any international data transfers

Appropriate agreements (such as Data Sharing Agreements or Data Processing Agreements) must be in place before data are shared. Where data leave the EEA, a valid transfer mechanism is also required, such as an adequacy decision or Standard Contractual Clauses.

A DPIA must evaluate whether the data processing is genuinely necessary and proportionate by asking: 

  • does the processing achieve the research aim?
  • is there a less intrusive way to achieve the same result?
  • is only the minimum amount of data being collected?
  • how is “function creep” being prevented?

Appropriate technical and organisational measures must be implemented to protect personal data. These may include: 

  • access controls
  • encryption (at rest and in transit)
  • logging and audit trails
  • secure data transfers
  • secure storage solutions

Researchers should consult IT Services where technical security details need clarification. 

Researchers must consider what could go wrong, such as: 

  • data breaches
  • unauthorised access
  • financial or reputational harm
  • impact on participants’ rights

Each identified risk must be matched with mitigation measures, such as reducing data collection, strengthening security, updating privacy notices, reviewing contracts, staff training, or applying anonymisation or pseudonymisation. 

Key steps include: 

  • deciding if a DPIA is required
  • completing the DPIA before finalising the research design
  • confirming the lawful basis for processing
  • minimising data collection and retention
  • ensuring data security
  • identifying and mitigating risks
  • documenting decisions and outcomes
  • putting appropriate agreements in place
  • reviewing the DPIA as the project evolves

You will need to describe: 

  • who the data relate to (e.g. students, staff, patients, members of the public)
  • whether any participants are vulnerable
  • the scale of participation (number of individuals)

A DPIA will ask where the data come from, such as: 

  • direct collection from participants
  • existing TU Dublin systems
  • external collaborators
  • publicly available sources

You must also confirm whether individuals are informed about the use of their data.

You will be asked to describe: 

  • the systems or platforms used to collect or store data
  • whether new technology or software is involved
  • whether automated decision-making or profiling is used
  • whether cloud or externally hosted services are used

You will need to specify: 

  • how long personal data will be retained
  • the justification for the retention period
  • how data will be securely deleted, destroyed, or anonymised
  • which TU Dublin retention schedule applies

A DPIA seeks confirmation of: 

  • who can access the data
  • how access is controlled
  • whether data are encrypted (at rest and/or in transit)
  • how data transfers are secured
  • how incidents or breaches would be managed

You will be required to: 

  • describe potential risks to individuals (e.g. privacy loss, distress, discrimination)
  • assess the likelihood and severity of those risks
  • explain what controls or mitigations reduce each risk
  • demonstrate that remaining risks are acceptable

Once completed, the DPIA must: 

  • be reviewed and signed off where required
  • be updated if the project scope changes
  • be reviewed periodically during the life of the research
  • be made available to the Data Protection Office on request

TU Dublin provides supports and guidance through: 

  • the Research Ethics & Integrity framework
  • TU Dublin GDPR and Research webpages
  • the Data Protection Office, which reviews DPIAs using OneTrust

For DPIA support or advice, researchers can contact dataprotection@tudublin.ie.