A DPC toolkit for vulnerable people
Reading time: 4 mins
Background
On 31 July 2025, the Data Protection Commission (DPC) launched the Adult Safeguarding Toolkit. This resource is designed to guide organisations and professionals who process the personal data of vulnerable or ‘at-risk’ adults. The toolkit aims to ensure compliance with data protection legislation while promoting best practices for safeguarding sensitive information.
The toolkit aligns with the DPC’s Regulatory Strategy 2022–2027, which prioritises a consistent approach to data protection, the promotion of equality, the prevention of discrimination, and the protection of vulnerable groups’ data. The toolkit sits alongside the DPC’s guidance for safeguarding children’s rights [ see our RDJ insight on data protection toolkit for schools ] and was developed in close collaboration with stakeholders in the safeguarding sector, including the HSE, Sage Advocacy, and Safeguarding Ireland. The primary focus is to support staff in healthcare and social care settings in making informed decisions about data processing, data sharing with third parties, and handling information related to criminal offences.
Defining ‘Vulnerable’ and ‘At-Risk’ Adults
The toolkit adopts a broad definition of ‘vulnerable’ and ‘at-risk’ adults:
“A person who, by reason of their physical or mental condition or other particular personal characteristics or family or life circumstance, is in a vulnerable situation and/or at risk of harm and needs support to protect themselves from harm at a particular time.”
This definition encompasses individuals with physical or mental conditions, young adults with additional needs, victims of domestic violence, coercive control, financial abuse, or trafficking, and those experiencing homelessness.
Legal Considerations
Article 5 of the GDPR sets out the core principles for processing personal data, with lawfulness, fairness, and transparency at its heart. ‘Processing’ covers any operation performed on personal data, including collection, recording, storage, sharing, or use. When processing personal data relating to a vulnerable person, you are expected to go further than standard GDPR compliance.
The toolkit provides article-by-article guidance on GDPR compliance, clarifying when sensitive data may be shared—such as with consent, in performance of a contract, to comply with a legal obligation, or for vital, public, or legitimate interests. Where legitimate interest is relied upon a detailed balancing test must be carried out to show that the rights of the individual are not overridden.
Organisations processing such data must ensure a lawful basis for processing under Article 6 and use a risk-based approach that considers the nature, scope, context, and purpose of processing. If processing health , biometric, ethnicity or other sensitive data, controllers must also meet the requirements of Article 9, such as health care provisions, public interest in safeguarding , vital interests or defence of legal claims . It is important to align risk assessment with other relevant safeguarding laws in place such as the Children First Act 2015. There is also a higher expectation to have enhanced security measures in place as breaches could have a potential for greater harm for vulnerable individuals. Security like encryption, restricted access, and staff training should be considered. In line with the principle of accountability under data protection law, controllers should keep a record of the decision-making process to protect both sides.
Practical Resources
The toolkit includes practical templates and examples to help organisations implement mandatory data protection measures. Notably, it provides:
- Guidance on conducting balancing exercises and weighing the need for the processing against the individual’s rights. This requires stricter controls to ensure controllers consider the purpose/ necessity of the processing, the impact to the individual of such processing and the safeguards in place to mitigate the risk.
- A sample Data Protection Impact Assessment (DPIA) template to help identify and mitigate risks early. A DPIA for vulnerable persons should go further than a standard DPIA and pay special attention to power imbalances and reduced autonomy. It is vital that it is documented why the processing is in their best interest and ensure that extra safeguards and transparency is built into the process.
- Checklists for data sharing and risk-based assessments to protect both the individual’s rights and the decision made by an organisation to ensure it’s lawful, necessary and proportionate.
- A section on drafting Privacy Policies. Again, this should go further than your standard privacy policy and explain clearly why the data is collected, what special safeguards are in place and how the rights are supported with formats adopted for accessibility.
Conclusion
The intention of the toolkit is for organisations to have the tools and knowledge to safeguard personal data and uphold the rights of vulnerable individuals. It is intended to empower both data controllers and data subjects to engage confidently with their obligations and rights as the digital landscape evolves.
RDJ’s data protection team regularly deal with queries from clients in relation to data subject rights. GDPR is often used as a blanket refusal when processing such data without considering other lawful bases and proportionality. There can be a natural reluctance and concern when processing personal data relating to a vulnerable individual which sometimes results in paralysis in decision making that can potentially put the vulnerable person at more risk. The toolkit reassures controllers of such data that GDPR is not to be used as a barrier. The key aspect is to act proportionally and document the lawful basis and reasoning for processing and the toolkit provides the means to do so.
Please do not hesitate to contact Jennifer Noctor and Lisa Mannion for further advice and guidance in this area.