What is a DPIA?
19 February 2026
Data…Person…I…am?
Data…People…in…Academia?
Data…Processing…is…Awesome?
Of course, a DPIA is none of the above. It is – in fact – a catchy acronym for what’s known as a Data Protection Impact Assessment. And just what does that mean, exactly?
Well, in essence, exactly what it sounds like: a process by which you, yes YOU, the researcher, calculate and analyse the level of risk attached to (or the impact on) the protection of the data you plan to use in your research, so that you can determine how best to minimise that risk.
A useful way to consider this might be to ask yourself the following:
On that note…
If you work with healthcare data, it’s extremely likely that you will almost always be using ‘high-risk’ data in your research. Most medical data, for example genetic data or biometric data, particularly when used for identification purposes, are classified as ‘special category’ data under Article 9 of UK GDPR [1] (as part of the Data Protection Act of 2018). ‘Special category’ essentially equates to sensitive personal data, for which an additional legal basis for collection, processing and retention is required.
TL;DR – rule of thumb: the more protection attached to the data, the higher the risk.
Whilst there is no set template for conducting a DPIA (options are available [2]), the particular needs will vary from one research project to the next. This may seem quite laissez-faire, but make no mistake – a DPIA is a legal obligation for the processing of data. Failure to carry one out can land you with a whopping fine (up to £8.7m!). So, this is serious business for serious people!
I’ll assume most of us made our way into the world of healthcare research sharing, to a greater or lesser degree, a belief in the importance of people and their wellbeing. Whether you work in a clinical capacity, in data, in academia, in an administrative capacity, or in any other role, it should be obvious by now: the rights and freedoms of the individuals whom we work with and for as healthcare professionals are paramount.
We’ve talked a lot about risk, but what exactly do we mean?
Yes, rights and freedoms, within which we can include protection against discrimination of any kind, financial and identity fraud, loss of the right to privacy, professional or reputational damage, and social or economic disadvantage. But there are less concrete risks to consider too, such as the loss of public trust, within society writ large (not just at the individual level), in the institution in which you conduct your research, should something go wrong, e.g., an academic institution or an NHS health board. The domino effect can ultimately lead to a lack of public trust in these institutions and make similar research more difficult for others to conduct, which, we can all agree, is bad news for everyone from the researchers to the public themselves. *
Recital 75 [3] is your friend here.
* A slightly morose but nonetheless important note: when we talk about rights and freedoms, we are referring to those of ‘natural persons’, that is to say, people who are currently living. The same rights and freedoms do not apply to the deceased.
Evidence
Consider a DPIA as evidence of this understanding: that all data associated with a person should be seen as an extension of that person, and that any misuse of their data (however unintentional) has an impact on them. You know, primum non nocere, or “First, do no harm” – or perhaps more realistically, weigh up the calculated risk (the cost of potential harm) against the potential patient benefit, and show your workings. *
* Trivia! Did you know that although primum non nocere is attributed to Hippocrates, it comes from the treatise ‘Of the Epidemics’ (Book I), not the Hippocratic Oath itself? Honest, Google it!
Accountability
Completing a DPIA allows you to ‘forecast’ any potential difficulties with the processing of the data you need for your research ahead of time. It shows that you are serious about protecting the rights of your research participants, it shows your funders that you are legitimate and accountable, and it helps others – whether your research participants, the public, or potential collaborators – understand why, and importantly how, you intend to use this information.
- It’s good for your reputation.
- It’s good for building and maintaining rapport and trust with your research participants.
- It’s good for your continued professional development and understanding of patient needs and concerns.
- Heck, it’s good for your moral compass and a strong reminder that we can never separate the numbers from the people they represent.
Moreover, the forward thinking a DPIA encourages means you could head off potential upsets during your research before they arise, and perhaps even reduce the costs of your research by ensuring you collect and process only the data that is absolutely necessary, saving you both time and money in the long run.
Evaluate, then re-evaluate!
DPIAs need not be static; rather, view them as frameworks that can be referred to at any point and amended where necessary to ensure you remain accountable to the interests of your participants throughout. Don’t be afraid to revisit your DPIA if for some reason the research necessitates a different path; this is an opportunity to re-evaluate the risks of the data required, and to seek engagement from your participants and collaborators. Have those crucial discussions and stay transparent.
You may find that a new piece of software is introduced which might speed up your processing; great! But what are the risks of using this software? Are you required to share the data for off-site processing (e.g., involving a third party), and do you need another data processing agreement? Is this a well-established software developer with a robust professional reputation? What security measures do they have in place for the protection of the data they process on your behalf? You get the idea…
References