European Data Protection Regulation (GDPR)
The Privacy Champion of the Faculty of Behavioural and Movement Sciences has prepared a checklist for what to consider when creating an informed consent form. You should always ask your Privacy Champion for advice when drawing up an informed consent form.
When scientific research includes the processing of personal data, conducting a Data Protection Impact Assessment (DPIA) may be a legal requirement under the General Data Protection Regulation (GDPR). If it is not a legal requirement, conducting a DPIA is always a helpful exercise to make sure that you address all legal aspects that need to be addressed. It is the best way to GDPR-proof your research.
A DPIA is required when the processing of personal data is likely to result in a “high risk” for the participants of your research project. This is for example most likely the case when scientific research includes the processing of special categories of personal data, such as data concerning health, religious or philosophical beliefs, political opinions or criminal convictions and offences (see Privacy in Research - 10 key rules for more information about special categories of personal data).
There are two DPIA lists which describe situations in which a DPIA is required:
The VU has developed a tool which combines these two DPIA lists. By completing this PreDPIA tool (for now only available in Dutch), you can determine whether a DPIA is required in your situation.
We advise you to use this template to complete a DPIA. Please complete a DPIA at least before you start collecting personal data. In some cases, it might be useful to have a look at the DPIA template at the stage of writing a research proposal.
If you are not sure whether it is required to conduct a DPIA or if you need help completing a DPIA, please contact your faculty’s Privacy Champion. If needed they can contact the legal specialists of Institutional and Legal Affairs.
If your research involves processing of personal data (see above for definitions of ‘processing’ and ‘personal data’), this needs to be registered in VU’s Record of Processing Activities (‘verwerkingsregister’ in Dutch).
If you are doing research to which the GDPR applies (see the above section for when research data are personal data), then the VU needs to maintain a register of your processing activities. Contact your faculty's Privacy Champion for information on how to register your processing activities. If your research is primarly led by Amsterdam UMC, location VUmc, your research can be registered there.
If you use personal data in your research (irrespective of whether they are pseudonymised or not), you should report your data processing activities (see the official text from the General Data Protection Regulation, GDPR, for the formal definition of ‘processing’) as early as possible and at least before you start your data collection. If you are not sure whether the data you will collect includes information with which an individual could be directly or indirectly identified, please contact the Privacy Champion of your faculty. Get in touch with the Privacy Champion as well in the case of ongoing research which has not been registered yet, because the record of processing activities was not in place at the moment the research started.
Under the GDPR, organisations like the VU and VUmc are obliged to have a central record of processing activities, which lists all personal data processing activities carried out in the organisation. This applies to business data as well as personal data used in scientific research. This record indicates why and how personal data are processed, and with whom they are shared. The register helps organisations to demonstrate compliance with the GDPR. In case of a data breach, the record of processing activities helps in monitoring and tracking those cases, and in acting swiftly to inform all relevant stakeholders.