Research Data Management

Make informed choices for research data. RDM, policy, practical guidelines, software and tools at VU Amsterdam. FAIR data, archiving, storage, publication

GDPR in Practice

European Data Protection Regulation (GDPR)

An important aspect of managing data is protecting the privacy of individuals who participate in research projects. The European General Data Protection Regulation (GDPR) and the Dutch Implementation Act for the General Data Protection Regulation (GDPR Implementation Act) regulate the protection of natural persons in the processing of personal data.

Important definitions

  • Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’). See also the definition of 'personal data' according to the official text of the GDPR.
  • Data processing refers to any action performed on data, such as collecting, storing, modifying, distributing or deleting data. See also the definition of 'processing' according to the official text of the GDPR.
  • Direct and indirect identification: Some identifiers enable you to single out an individual directly, such as name, address, IP address etc. Individuals can also be identified indirectly through:
    • a combination of information that uniquely singles out an individual (e.g. a male with breast cancer in a breast cancer registry, a pregnant individual over 50 etc.); this includes information in one record as well as information combined across different data files or datasets
    • unique information or patterns that are specific to an individual (e.g. genomic data; a very specific occupation, such as the president of a large company; repeated physical measurements or movement patterns that create a unique profile of an individual; or measurements that are extreme and could be linked to subjects such as high-level athletes)
    • data that are linked to directly identifying information through a random identification code or number
  • Pseudonymous data: Data that are indirectly identifiable are generally considered to be pseudonymous; this means that they are NOT anonymous and still qualify as personal data. Therefore privacy laws, such as the GDPR, do in fact apply to these data. This is for example the case when direct identifiers are removed from the research data and put into a key file (usually called a subject identification log in medical research) with which the direct identifiers can be mapped to the research data through unique codes, so that re-identification is possible. These data are therefore pseudonymous, and not anonymous. The LCRDM has made a reference card that illustrates the difference between pseudonymous and anonymous data.
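The following is an added example, not part of the VU guidance or the LCRDM reference card: it splits a constructed participant list into a key file and a research dataset (pseudonymisation), shows that the key file maps a code back to the person, and flags records that a unique attribute combination still singles out (indirect identification). All names, field names and records are constructed.

```python
"""Pseudonymisation with a key file, plus a check for indirect identification.
Added example with constructed sample data; not from the VU or LCRDM material."""
import secrets
from collections import Counter

# Constructed sample dataset: direct identifiers plus research variables.
PARTICIPANTS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "sex": "F", "age": 34, "diagnosis": "breast cancer"},
    {"name": "Bob Example", "email": "bob@example.org",
     "sex": "M", "age": 52, "diagnosis": "breast cancer"},
    {"name": "Carol Example", "email": "carol@example.org",
     "sex": "F", "age": 34, "diagnosis": "breast cancer"},
]
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymise(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Return (key_file, research_data). The key file maps a random subject code
    to the direct identifiers; the research data carries only the code.
    Because the key file allows the mapping back, the research data are
    pseudonymous, not anonymous, and remain personal data under the GDPR."""
    key_file, research_data = {}, []
    for rec in records:
        code = secrets.token_hex(4)           # random, non-sequential code
        while code in key_file:               # guard against a rare collision
            code = secrets.token_hex(4)
        key_file[code] = {k: rec[k] for k in direct_identifiers}
        research_data.append(
            {"code": code, **{k: v for k, v in rec.items() if k not in direct_identifiers}})
    return key_file, research_data


def reidentify(code, key_file):
    """Whoever holds the key file can map a code back to the direct identifiers."""
    return key_file.get(code)


def singled_out(research_data, quasi_identifiers):
    """Codes of records whose combination of quasi-identifiers is unique in the
    dataset, i.e. records that still single out one individual even though no
    direct identifier is present (the 'male with breast cancer' case)."""
    key = lambda r: tuple(r[q] for q in quasi_identifiers)
    counts = Counter(key(r) for r in research_data)
    return [r["code"] for r in research_data if counts[key(r)] == 1]


if __name__ == "__main__":
    key_file, data = pseudonymise(PARTICIPANTS)
    for code in singled_out(data, ("sex", "age", "diagnosis")):
        print("unique combination, re-identifies to:", reidentify(code, key_file)["name"])
```

The record that is unique on (sex, age, diagnosis) is exactly the one the page's definition calls indirectly identifiable; removing names alone does not make it anonymous.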

Background information

Privacy in research - 10 key rules

Where research requires the collection of personal data, the researcher has to consider the main rules for personal data processing. These rules are summarised in the document Privacy in Research - 10 key rules.

VSNU Code of Conduct for using personal data in research

The VSNU's Code of Conduct for Research Integrity (Dutch, English, 2018) includes a reference to the GDPR and its Dutch implementation law UAVG. An updated Code of Conduct for Using Personal Data in Research which complies with GDPR is still work in progress.

Support within your faculty: Privacy Champions

Each faculty has one or more Privacy Champions, who are the first point of contact for questions relating to privacy and the GDPR. The Privacy Champions can help you with completing a Data Protection Impact Assessment, registering your research in the record of processing activities, designing informed consent forms and other questions relating to the GDPR. The list of Privacy Champions can be found on VUnet. It is important that you make an overview of what data you are collecting. Your privacy champion can help you with this.

The Privacy Champion of the Faculty of Behavioural and Movement Sciences has prepared a checklist of what to consider when creating an informed consent form. An important issue in informed consent forms is the possible future (re-)use of the data. You should always ask your Privacy Champion for advice when drawing up an informed consent form.

Complete a Data Protection Impact Assessment (DPIA)

When scientific research includes the processing of personal data, conducting a Data Protection Impact Assessment (DPIA) may be a legal requirement under the General Data Protection Regulation (GDPR). If it is not a legal requirement, conducting a DPIA is always a helpful exercise to make sure that you address all legal aspects that need to be addressed. It is the best way to GDPR-proof your research.

What is a DPIA?

A DPIA is an assessment to identify the risks of processing personal data. It consists of a number of questions on the basis of which you determine whether the processing of personal data in your research project is legitimate and which measures should be taken to make sure this processing takes place within the boundaries of the GDPR. A DPIA does not deliver an automatic report at the end; rather, it makes you think about all relevant topics you need to address before starting the processing of personal data. The outcome of a DPIA should be used to determine appropriate measures to mitigate the identified risks, such as data minimisation (not collecting more data than necessary), pseudonymising data, and selecting appropriate tools for data storage and data sharing.

When is a DPIA required?

A DPIA is required when the processing of personal data is likely to result in a “high risk” for the participants of your research project. This is for example most likely the case when scientific research includes the processing of special categories of personal data, such as data concerning health, religious or philosophical beliefs, political opinions or criminal convictions and offences (see Privacy in Research - 10 key rules for more information about special categories of personal data).

There are two DPIA lists which describe situations in which a DPIA is required:

  • The Dutch data protection authority (Autoriteit Persoonsgegevens) has published a list of 17 “high risk” situations in which a DPIA is mandatory.
  • The European data protection authorities have together published a list of 9 criteria which can be used to determine whether there is a “high risk”.

The VU has developed a tool which combines these two DPIA lists. By completing this PreDPIA tool, you can determine whether a DPIA is required in your situation. You should consult your Privacy Champion when filling in the PreDPIA.

How can I complete a DPIA?

The VU has a DPIA template based on a form provided by the Dutch Government (see the original template if you wish to have more background information, only available in Dutch).

We advise you to use this template to complete a DPIA. Please complete a DPIA at least before you start collecting personal data. In some cases, it might be useful to have a look at the DPIA template at the stage of writing a research proposal.

If you are not sure whether it is required to conduct a DPIA or if you need help completing a DPIA, please contact your faculty’s Privacy Champion. If needed they can contact the legal specialists of Institutional and Legal Affairs.

Register your Processing Activities

If your research involves processing of personal data (see above for definitions of ‘processing’ and ‘personal data’), this needs to be registered in VU’s Record of Processing Activities (‘verwerkingsregister’ in Dutch).

How does registration of personal data processing work?

If you are doing research to which the GDPR applies (see the above section for when research data are personal data), then the VU needs to maintain a register of your processing activities. For research projects, the VU does this in DMPonline. You can create the registration by logging into DMPonline and clicking the Create Plans button. Fill out the preliminary questions and make sure you tick the box for "No funder associated with this plan or my funder is not listed". Then choose the second form. A screenshot with an example is below.

Please note: if you are using the VU's DMP template for your Data Management Plan, the GDPR registration happens automatically and you do not need to fill in the GDPR form separately.

Contact your faculty's Privacy Champion for help with filling out this form. If your research is primarily led by Amsterdam UMC, location VUmc, your research should be registered there.

Register before you start your data collection

If you use personal data in your research (irrespective of whether they are pseudonymised or not), you should report your data processing activities (see the official text from the General Data Protection Regulation, GDPR, for the formal definition of ‘processing’) as early as possible and at least before you start your data collection. If you are not sure whether the data you will collect includes information with which an individual could be directly or indirectly identified, please contact the Privacy Champion of your faculty. Get in touch with the Privacy Champion as well in the case of ongoing research which has not been registered yet, because the record of processing activities was not in place at the moment the research started.

GDPR

Under the GDPR, organisations like the VU and VUmc are obliged to have a central record of processing activities, which lists all personal data processing activities carried out in the organisation. This applies to business data as well as personal data used in scientific research. This record indicates why and how personal data are processed, and with whom they are shared. The register helps organisations to demonstrate compliance with the GDPR. In case of a data breach, the record of processing activities helps in monitoring and tracking those cases, and in acting swiftly to inform all relevant stakeholders.