10 steps towards privacy compliance in research

This upload contains a handout with an overview of steps that researchers should take when they process personal data in their research project – so it’s aimed at researchers and project managers who work with data directly or indirectly.

1. Keep the GDPR in mind when designing your research: Do you need to collect personal data, why, and how much?
2. Make sure you have a legal basis to use personal data, e.g., public interest or consent.
3. Document privacy risks and privacy-related decisions, e.g., in a Data Management Plan, privacy scan, or in a Data Protection Impact Assessment (DPIA).
4. Arrange ethics review. Ethics review makes sure that you have also taken ethical implications into account.
5. Inform participants properly, e.g., in an information letter, oral script, or in a privacy statement.
6. Protect your data with organisational measures, e.g., access control, agreements with external parties, data protection policies, or researcher training.
7. Protect your data with technical measures, e.g., anonymise, pseudonymise, encrypt your data, use safe storage.
8. Enable participants to exercise their rights, e.g., right to data access, correction, objection, erasure.
9. FAIR data: balance risks and Open Science principles, e.g., share under restricted access, or only share metadata and materials.
10. Ask for help when you need it! Contact your privacy officer or data steward for support.

Although this flyer was created for Utrecht University researchers and students, the steps are fairly generic and so reuse of this flyer in other institutes is encouraged. It has a CC BY 4.0 licence. You can find the PDF here.

Citation: Research Data Management Support. (2023). 10 steps towards privacy compliance in research (v2023.12.21). Utrecht University. https://doi.org/10.5281/zenodo.10417514