How can you comply with the GDPR?
General Data Protection Regulation
Introduction
The General Data Protection Regulation (GDPR) is European legislation that lays down rules relating to the protection of natural persons with regard to the processing of personal data. The Dutch GDPR Implementation Act (UAVG) describes how the GDPR is implemented in the Netherlands.
Definitions
- Personal data refers to any information relating to an identified or identifiable natural person (‘data subject’). See also the definition of ‘personal data’ in the official text of the GDPR.
- Data processing refers to any operation performed on data, such as collecting, storing, modifying, distributing or deleting data. See also the definition of ‘processing’ in the official text of the GDPR.
- Direct and indirect identification: some identifiers enable you to identify an individual directly, such as name, date of birth and home address. Individuals can also be identified indirectly, for example via:
- a combination of information that uniquely singles out an individual (e.g. a male with breast cancer in a breast cancer registry, a pregnant individual over 50, etc.); this applies both to information within one record and to information combined across different data files or datasets
- unique information or patterns that are specific to an individual (e.g. genomic data; a very specific occupation, such as the president of a large company; repeated physical measurements or movement patterns that create a unique profile of an individual; or extreme measurements that could be linked to particular subjects, such as high-level athletes)
- data that are linked to directly identifying information through a random identification code or number
- Pseudonymous data: data that are indirectly identifiable are generally considered pseudonymous; this means that they are NOT anonymous and still qualify as personal data, so the GDPR applies to them. This is for example the case when direct identifiers are removed from the research data and stored in a key file (in medical research usually called a subject identification log) that maps the direct identifiers to the research data through unique codes, so that re-identification remains possible. For the research institution these data are therefore pseudonymous data, not anonymised data. LCRDM (National Coordination Point Research Data Management) has made a reference card that illustrates the difference between pseudonymous and anonymous data.
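The following script illustrates the two points above: splitting a dataset into research data and a key file (pseudonymisation), showing that the key file still allows re-identification, and checking whether any row is singled out by a combination of quasi-identifiers even without the key file. It is an added example for this page, not code from VU Amsterdam, LCRDM or the GDPR; the sample registry records, the field names and the function names are constructed for the illustration.

```python
"""Pseudonymisation with a key file, plus a singling-out check.

Added illustration for this page; it is not VU Amsterdam or LCRDM code.
The records below are constructed and the function names are my own.
"""
import secrets
from collections import Counter

# Constructed, fictitious sample: a small breast cancer registry.
# name, dob and address are direct identifiers; the rest are research variables.
RECORDS = [
    {"name": "A. Jansen", "dob": "1978-03-04", "address": "Kerkstraat 1",
     "sex": "F", "diagnosis": "breast cancer", "age_band": "40-49"},
    {"name": "B. de Vries", "dob": "1976-11-21", "address": "Dorpsweg 12",
     "sex": "F", "diagnosis": "breast cancer", "age_band": "40-49"},
    {"name": "C. Bakker", "dob": "1979-07-30", "address": "Laan 7",
     "sex": "M", "diagnosis": "breast cancer", "age_band": "40-49"},
    {"name": "D. Visser", "dob": "1975-01-15", "address": "Plein 3",
     "sex": "F", "diagnosis": "breast cancer", "age_band": "40-49"},
]

DIRECT_IDENTIFIERS = ("name", "dob", "address")


def pseudonymise(records, direct_identifiers=DIRECT_IDENTIFIERS):
    """Split records into (research_data, key_file).

    Each record gets a random code. The research data keep the code and the
    research variables; the key file maps the code back to the direct
    identifiers. The code is random rather than a hash of the identifiers,
    so it cannot be reversed or re-computed without the key file.
    """
    research, key_file = [], {}
    for rec in records:
        code = secrets.token_hex(8)
        key_file[code] = {k: rec[k] for k in direct_identifiers}
        research.append({"code": code,
                         **{k: v for k, v in rec.items()
                            if k not in direct_identifiers}})
    return research, key_file


def reidentify(row, key_file):
    """Restore the original record from a research row and the key file.

    That this works is exactly why the research data are pseudonymous, not
    anonymous: whoever holds the key file can link them back to a person.
    """
    return {**key_file[row["code"]],
            **{k: v for k, v in row.items() if k != "code"}}


def singled_out(research, quasi_identifiers):
    """Return the codes of rows whose quasi-identifier combination is unique.

    Even without the key file, a row that is the only one with a given
    combination (here: the only male in a breast cancer registry) is
    indirectly identifiable. Such rows need extra measures, e.g. coarser
    categories or suppression, before the data could be called anonymous.
    """
    def combo(r):
        return tuple(r[q] for q in quasi_identifiers)

    counts = Counter(combo(r) for r in research)
    return [r["code"] for r in research if counts[combo(r)] == 1]


if __name__ == "__main__":
    data, keys = pseudonymise(RECORDS)
    print("research rows:", data)
    print("re-identified first row:", reidentify(data[0], keys))
    for code in singled_out(data, ("sex", "diagnosis", "age_band")):
        print("singled out without the key file:", keys[code]["name"])
```

In practice the key file is stored separately from the research data, with access restricted to the people who need to re-identify participants; as long as that file exists, the research data remain personal data. The singling-out check is what tells you that deleting the key file alone does not make the remaining data anonymous.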
Background information
Privacy in research - Privacy five-step plan
Where research requires the collection of personal data, the researcher has to follow the Privacy five-step plan to make sure the research is carried out in line with the GDPR.
VSNU Code of Conduct for using personal data in research
The VSNU’s Code of Conduct for Research Integrity (Dutch, English, 2018) includes a reference to the GDPR and its Dutch implementation law UAVG. An updated Code of Conduct for Using Personal Data in Research which complies with GDPR is still work in progress.
Support in your faculty: Privacy Champions
Each faculty has one or more Privacy Champions, who are the first point of contact for questions relating to privacy and the GDPR. The Privacy Champions can help you with completing a Data Protection Impact Assessment, registering your research in the record of processing activities, designing informed consent forms and other questions relating to the GDPR. The 🔒 list of Privacy Champions can be found on the VU website.
More information
On the VU page Working with personal data, you can find more information about how VU Amsterdam protects personal data.
Complete a Data Protection Impact Assessment (DPIA)
When scientific research includes the processing of personal data, conducting a Data Protection Impact Assessment (DPIA) may be a legal requirement under the GDPR. Even if it is not legally required, conducting a DPIA is a helpful exercise to make sure that you address all legal aspects that need to be addressed. It is the best way to make your research GDPR-proof.
What is a DPIA?
A DPIA is an assessment to identify the risks of processing personal data. It consists of a number of questions on the basis of which you determine whether the processing of personal data in your research project is legitimate and which measures should be taken to make sure this processing takes place within the boundaries of the GDPR. A DPIA doesn’t deliver an automatic report at the end; rather, it makes you think about all relevant topics you need to address before you start processing personal data. The outcome of a DPIA should be used to determine appropriate measures to mitigate the identified risks, such as data minimisation (not collecting more data than necessary), pseudonymising data, and selecting appropriate tools for data storage and data sharing.
When is a DPIA required?
A DPIA is required when the processing of personal data is likely to result in a “high risk” for the participants of your research project. This is most likely the case, for example, when scientific research includes the processing of special categories of personal data, such as data concerning health, religious or philosophical beliefs, political opinions, or criminal convictions and offences (see Privacy in Research - 10 key rules for more information about special categories of personal data).
There are two DPIA lists which describe situations in which a DPIA is required:
- The Dutch data protection authority (Autoriteit Persoonsgegevens) has published a list of 17 “high risk” situations in which a DPIA is mandatory.
- The European data protection authorities have together published a list of 9 criteria which can be used to determine whether there is a “high risk”.
You should consult your 🔒 Privacy Champion to determine whether a (pre-)DPIA is required in your situation.
How can I complete a DPIA?
VU Amsterdam has a DPIA template based on a form provided by the Dutch Government (see the original template if you wish to have more background information, only available in Dutch).
You should request the template from your 🔒 Privacy Champion.
Complete the DPIA before you start collecting personal data. In some cases it is useful to look at the DPIA template already at the stage of writing a research proposal.
If you are not sure whether it is required to conduct a DPIA or if you need help completing a DPIA, please contact your faculty’s 🔒 Privacy Champion. If needed they can contact the legal specialists of Institutional and Legal Affairs.
Agreements
If, in addition to the VU, another party is involved in the data processing, in most cases an agreement must be set up to regulate the rights and obligations of all parties involved. This means that if you are collaborating with other universities, medical centres, companies, etc., an agreement has to be drawn up. The same applies if you would like to use software that stores personal data and for which VU Amsterdam doesn’t have an agreement yet. If any of this applies to your research, please reach out to your faculty’s 🔒 Privacy Champion for support.
Legal ground
Personal data are only allowed to be processed with a suitable legal ground. For research, the most commonly used legal ground is informed consent. Please make sure that your consent procedure meets the requirements of the GDPR.
An important issue in informed consent forms is the possible future (re-)use of the data. The Privacy Champion of the Faculty of Behavioural and Movement Sciences prepared a checklist of what to consider when creating an informed consent form. You should always ask your 🔒 Privacy Champion for advice when drawing up an informed consent form.
Reusing existing data
If you would like to reuse existing data containing personal data, you need a legal ground as well. Since determining what you are allowed to do with existing personal data (e.g. does the original consent cover reuse, should you ask for consent again) can be complex, you should always ask your 🔒 Privacy Champion for help in situations like this.
Privacy statement
The GDPR requires us to be transparent about how we handle personal data. For scientific research you need to draw up a specific statement for your particular study. The GDPR imposes requirements on what must be included in a privacy statement. VU Amsterdam has a model privacy statement available in Dutch and English that meets these requirements. You can contact your faculty’s 🔒 Privacy Champion for this.
Register your processing activities
If your research is subject to the GDPR, then you need to register information on your research in a central VU registry. This central registry lists all personal data processing activities carried out at VU Amsterdam. The registry indicates why and how personal data are processed, and with whom they are shared. The registry helps VU Amsterdam demonstrate compliance with the GDPR and in the case of a data breach, the registry helps with monitoring and acting swiftly to inform all relevant stakeholders.
For research projects, VU Amsterdam registers data processing via DMPonline. You can create your registration by logging into DMPonline and following these instructions:
- On your dashboard, click on Create plan.
- Enter the title of your research project (you don’t have to select the check box for mock testing).
- Select Vrije Universiteit Amsterdam as your primary research organisation.
- For the question on primary funding organisation, select the check box on the right, saying that no funder is associated with your plan.
Once you have completed the steps above, you will see two VU templates. You can fill in the VU DMP template 2021 v1.4 if you need to write a DMP anyway; the information you include in this DMP template will be used for the registry. If you don’t need to write a (new) DMP, you can use the separate VU GDPR registration form for research v1.1. Your faculty’s 🔒 Privacy Champion can help you with your registration.
If your research is primarily led by Amsterdam UMC, location VUmc, your research will be registered using their own separate system.
Register before you start your data collection
If you use personal data in your research, you should register your data processing activities before you start data collection. If you are not sure whether your research data are subject to the GDPR, contact your faculty’s 🔒 Privacy Champion. Your Privacy Champion can also assist you if your research is already running but has not yet been registered.
Data breach incident report
Any data security breaches (particularly those that have, or are likely to have, serious adverse consequences to the protection of personal data) should be reported immediately to the IT Servicedesk. Read the 🔒 protocol reporting a data breach.
Support
The Privacy five-step plan explains the steps you must take before you start new research involving personal data.
On the VU page Working with personal data, you can find more information about how VU Amsterdam protects personal data.
For all questions relating to privacy and the GDPR, please contact your faculty’s 🔒 Privacy Champion.