Remember that you can carry out points 1 to 4 yourself.
You only need the assistance of an internal privacy expert for the DPIA.
There are various (often simple) measures you can take to maximise the privacy of data subjects involved in your research. An overview of these measures is available on the 'Quick wins' page.
A legal basis, such as consent or a legitimate interest, must exist in order for personal data to be processed in a study. You can view the six possible legal bases in this figure.
Build maximum privacy and data protection safeguards into your research plan from the earliest stages of development. This is referred to as 'Privacy by design'. And where possible, set all default settings to the most privacy-friendly option. This is referred to as 'Privacy by default'.
Comply with the six privacy principles, such as 'data minimisation' and 'transparency', when processing personal data before, during and after the study. You can view the six privacy principles in this figure.
If you want to know exactly what technical and organisational measures you need to take to ensure the proper handling of personal data in a study, conduct a DPIA together with an internal privacy expert. A DPIA is a questionnaire that quickly maps out all possible privacy risks in a research plan. We will cover this in more detail on the 'DPIA' page.