DPIA / Data Protection Reviews

Data Controllers/Principal Investigators/Sponsors are advised to conduct data protection reviews of ongoing projects at regular intervals.

The 'Data Protection Impact Assessment' in particular is a living document, meaning that it must be reviewed regularly, in light of any changes to the study or any external developments which may affect the study.

This Sample Checklist (updated June 2021 to reference the amendments to the Health Research Regulations) may provide a useful starting point for conducting a data protection review.

Ensuring that the threshold and cumulative criteria for 'explicit consent' have been reached is particularly challenging both for researchers and data protection officers, as it requires an advanced degree of understanding of GDPR and the Health Research Regulations 2018 (as amended), and the ability to apply that understanding to a particular research study. This Graphic (drafted February 2021) provides a visual representation of the conditions which need to be met to achieve 'explicit consent'.