General Data Protection Regulation (GDPR)

When you process personal data in your research, you have to take into account the rules of the General Data Protection Regulation (GDPR).

The GDPR, which has been in force since 25 May 2018, modernised the existing privacy legislation. It creates a uniform European legal framework and gives citizens/data subjects more control over the processing of their personal data. The GDPR requires organisations to be transparent and accountable towards citizens/data subjects, especially about how and why they process personal data.

The GDPR provides that EU Member States can draw up national legislation for certain areas and exceptions. In Belgium, the Law on the protection of natural persons with regard to the processing of personal data was published in the Belgian Official Gazette on 5 September 2018.

What are personal data?

Personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural, social … identity of a natural person.

Indirect identifiers, or combinations thereof, may also lead to identification and are therefore also personal data.

Why is it important to comply with this legislation?

If you process personal data, part of your job is to protect the rights and freedoms of data subjects in accordance with the GDPR.  

In addition, there are a number of other important reasons for applying the GDPR rules meticulously in your research: 

  • Careful handling of data increases the quality and reliability of your research and the research results. 
  • Careful handling of data retains the confidence of citizens in scientific research. 
  • A violation of the law can lead to reputational damage and negative media attention for your institution, your department and yourself as a researcher, and can also lead to heavy fines. 
  • Compliance with the GDPR is often explicitly imposed by research funders (such as Horizon Europe, ERC, FWO) or even described as a work package (deliverable) in a project. 
  • When publications are submitted, journals are also increasingly asking for compliance with the GDPR. 

General principles

The GDPR is based on six basic principles, which you have to take into account when processing personal data before, during and after your research. 

  1. Lawfulness, fairness and transparency: You are obliged to process personal data in a transparent manner with respect for all applicable laws, regulations and rules.
    Lawfulness means that you have to collect and process personal data on a legitimate legal basis or legal ground.
    Fairness means that your collection and processing of personal data should be in the best interests of the data subject and that the extent of the data processing can reasonably be expected by the data subject.
    Transparency means that you have to inform the data subjects about the legal basis, what personal data you will collect and process and why you will collect and process these specific personal data (e.g. in an information sheet).
    The data subjects have certain rights which they can assert regarding the processing of their personal data.
  2. Purpose limitation (finality and proportionality): You can only process personal data for your particular research purpose, and the processing has to be reasonable and proportional for achieving the research goals. As far as possible you have to inform the data subject about possible future use of the personal data, for other purposes or research projects.
  3. Data minimisation: You may only use the personal data necessary to achieve the objectives of your research.
  4. Accuracy: The personal data that you process must be accurate.
  5. Storage limitation: The personal data that you process may not be kept longer than necessary for your current research or for possible further analyses of data.  
  6. Confidentiality and integrity: As a researcher you must handle personal data confidentially and take appropriate technical and organisational measures to guarantee the confidentiality and integrity of the data, so that they are protected, among other things, against unauthorised or unlawful processing and against accidental loss, destruction or damage. 
    Pseudonymisation (and, where possible, anonymisation) and encryption are important safety measures you can take to guarantee the confidentiality of the data. Confidentiality and integrity are also an important concern when sharing personal data with other researchers or institutions, whether or not they are part of your research project. When drafting your research design, you have to determine who should have access to the data and which measures should be taken to protect the data (also when sharing these data).
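As an added illustration of the pseudonymisation measure named above (example code written for this page, not code from the institution or the GDPR text): direct identifiers are replaced by a keyed pseudonym, and the key plus the linkage table are kept separately from the research dataset, so the dataset on its own no longer identifies anyone while the data subject can still be re-identified by the key custodian (e.g. to honour a right of access). The participant records are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; no real persons.
PARTICIPANTS = [
    {"name": "Alice Example", "email": "alice@example.org", "age": 34, "score": 7},
    {"name": "Bob Example", "email": "bob@example.org", "age": 51, "score": 4},
]


def make_pseudonym(direct_identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.

    Without the key the pseudonym can neither be recomputed nor reversed, so a
    research dataset alone does not identify anyone. An unkeyed hash would not
    give this protection: names and e-mail addresses are guessable, so a plain
    SHA-256 of them could be matched by hashing candidate values.
    """
    normalised = direct_identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Split records into (a) a research dataset stripped of direct identifiers
    and (b) a linkage table pseudonym -> identity, to be stored separately
    (together with the key) under the control of a key custodian."""
    research_data = []
    linkage = {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        research_data.append({"pid": pid, "age": rec["age"], "score": rec["score"]})
        linkage[pid] = {"name": rec["name"], "email": rec["email"]}
    return research_data, linkage


def re_identify(pid: str, linkage):
    """Only the holder of the linkage table can map a pseudonym back."""
    return linkage.get(pid)


if __name__ == "__main__":
    # A fresh random key per project; in practice stored in a key store,
    # never alongside the research dataset.
    project_key = secrets.token_bytes(32)
    dataset, link_table = pseudonymise(PARTICIPANTS, project_key)
    print(dataset)          # no names or e-mails remain
    print(re_identify(dataset[0]["pid"], link_table))
```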

The GDPR leaves sufficient room to process personal data for scientific research. Article 89 of the GDPR allows derogation from the right of access, for example, where this right would render impossible or seriously impair the achievement of the research objectives.

Self-accountability: this applies as a general principle. You must be able to demonstrate that you comply with the principles set out above. For this, it is important to ask yourself the following questions:

  • At the start of my research, did I thoroughly consider and document the privacy aspects of my research? 
  • Am I able to demonstrate that I have actively taken responsibility for processing personal data in a secure manner?