Researchers should first identify the goal of their activity (e.g., to perform a theoretical study, to develop a biometric system, to test an existing one, etc.). This is an important step not only to define the purposes for which personal data will be collected, but also to help researchers identify if the activity qualifies as ‘research’ and, consequently, if the specific legal provisions for research activities apply. Article 89.2 GDPR, for instance, introduces several derogations for processing of personal data in the context of research. In particular, the article acknowledges that certain data subjects’ rights (right of access, right to rectification, right to restriction, right to object; for more information see section ‘Data subjects’ rights’ in these Guidelines) would make it harder or impossible for some research to achieve its goals. Therefore, it provides derogations from these rights when two criteria are satisfied. First, the exemption shall be explicitly provided for by Member States or Union law. This means that, in addition to the GDPR provisions, researchers can be exempt from the obligation to comply with such rights only insofar as there are specific legal grounds in a national law or in EU law other than the GDPR (see section ‘Identify the most appropriate legal basis’). Second, the researchers shall implement appropriate technical and organizational measures to safeguard the rights and freedoms of data subjects, as required by Article 89.1 GDPR. Given the potential compliance impact for the research activity, it is important to assess immediately if the activity qualifies as ‘research’.
A correct scoping of the activities is also necessary for researchers to understand the data protection risks linked to the research. For instance, systems to be used in healthcare or law enforcement are likely to require more accurate outcomes than ones employed for leisure activities (such as music streaming services). Since the accuracy of a system might in certain cases be dependent on the quantity of personal data to be processed (e.g., during the training of an AI algorithm), the need for more accuracy might introduce more data protection risks. Researchers should identify with clarity what level of accuracy the system will have to satisfy and define strategies to ensure that such accuracy is reached by introducing the lowest risk level possible, for instance by limiting the amount of personal data processed (see ‘Data Minimization’ subsection in the Principles Part of these Guidelines).
Last, but not least, researchers need to understand their role and the roles of other actors involved. Researchers have to look at their involvement in the expected data processing to understand if they (i.e., the entity they work for) are the entities with the main responsibilities over the data processing (data controller), if they share the data controller role with other entities (joint controller), or if they process data on behalf of other entities (data processor). Different roles involve a different distribution of responsibilities and liabilities (see the “Main Actors” section in the General Part of these Guidelines).