A privacy scan is an initial risk assessment that helps you delineate how you will handle and protect the personal data in your research project (“a Data Management Plan for personal data”, also known as “pre-DPIA”, “DPIA-light”, or “privacy review”). It contains information on your research question(s), which personal data you process and from which data subjects, how you use the personal data (e.g., will you share them) and which protective measures you apply, your legal basis, how data subjects can exercise their data subjects’ rights, and a preliminary assessment of the risks for data subjects.
The purpose of a privacy scan is to:
- Make a preliminary assessment of the risks of your project for data subjects.
- Implement Privacy by Design and Privacy by Default into your project.
- Fulfil the principle of Accountability by documenting your project.
- Identify whether a full Data Protection Impact Assessment (DPIA) is needed.
When to use a privacy scan?
Whenever you use personal data in your project, we recommend to complete a privacy scan in consultation with your privacy officer to make sure your data are well protected throughout your project. As the privacy scan is a planning document, much like a Data Management Plan, it is preferable to fill it out as early as possible before you start collecting data, to prevent unforeseen or costly changes to the design of your research project.
- Treat the privacy scan as a living document: update it if anything changes
in your design.
- Retain the privacy scan as long as you retain personal data.
Note that there is some overlap in content with some Data Management Plans and research protocols (e.g., that of the CCMO). The privacy aspects in a privacy scan are just more extensive.