The GDPR in a Q&A

First of all, try to see privacy as a force researchers have to contend with and try to understand the researcher's position. The last thing they need is poor coordination of support services or unclear answers to clear questions, because they have to deal with strict deadlines in their research projects. | Marlon Domingus

RDNL asked Marlon Domingus, Data Protection Officer at Erasmus University Rotterdam (EUR), to explain the GDPR and the role of the data supporter in answering privacy related questions. Below you will find a Q&A.


August 2019


What does the GDPR mean in a nutshell?

The General Data Protection Regulation protects the privacy rights of individuals and sets out responsibilities for those who process the personal data of others (European Union, 2016). It is therefore important to know: 

  • What personal data are;
  • What privacy rights are;
  • What is meant by processing;
  • What the responsibilities for the different roles are that the GDPR distinguishes in processing. 

And all this in the context of scientific research. 

In summary, there are many requirements with regard to the processing of personal data, but these must not only be complied with; they must be demonstrably complied with, and this therefore requires some form of reporting and administration. In the context of research, this fits in with a data management plan, supplemented, for example, by a Data Protection Impact Assessment (DPIA).

It is also important to realise that the GDPR uses open standards, which make it a general regulation which can be maintained for some time without having to be changed. The implementation of these open standards makes correct compliance with the GDPR difficult in concrete cases. For this reason, each institution has a data protection officer who can explain the GDPR in specific cases, often assisted by a larger privacy organisation. Compliance with the GDPR often involves finding the right balance between the exact wording of the GDPR and a legitimate interest on the part of the institution.

Furthermore, the GDPR is risk based. Risks are involved in the processing of personal data. It is therefore important to make an inventory of these risks (via a Data Protection Impact Assessment (DPIA), the instrument that the GDPR specifically appoints for this) and then to take appropriate technical and organisational measures that mitigate the identified risks, at the same time accepting possible residual risks and taking responsibility for them.

Finally, the GDPR protects the processing of personal data of individuals within the European Economic Area, also by companies or institutions from the USA or Asia, for example. These companies may be fined for non-compliance with the GDPR. Conversely, personal data of EU citizens may not simply be shared with countries outside the European Economic Area. This is a subject which you may not be aware of. So know that this is the case and when it is the case, seek advice from your institution's privacy officer or data protection officer.

What does the GDPR understand by personal data?

The answer to this question can be found in the GDPR, Article 4:

  • Personal data 
    Any information relating to an identified or identifiable natural person ('the data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Genetic data 
    Personal data relating to the inherited or acquired genetic characteristics of a natural person which provide unique information on the physiology or health of that natural person and which are derived, in particular, from the analysis of a biological sample from that natural person.
  • Biometric data 
    Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person which allows or confirms unique identification of that natural person, such as facial images or fingerprint data.

What are privacy rights?

Privacy rights are:

  • Right of access (GDPR, Article 15);
  • Right of rectification (GDPR, Article 16);
  • Right to data erasure ("right to be forgotten") (GDPR, Article 17);
  • Right to limitation of processing (GDPR, Article 18);
  • Right to be notified in case of rectification or erasure of personal data or restriction on processing (GDPR, Article 19);
  • Right to data portability (GDPR, Article 20);
  • Right of objection (GDPR, Article 21).

What is meant by the processing of personal data?

Article 4 of the GDPR states the following about the processing of personal data:

'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

What are the responsibilities when processing personal data?

The GDPR, Article 5, prescribes that you should adhere to the following six principles when processing personal data:

  • Process lawfully, fairly and transparently;
  • Keep to the original purpose;
  • Minimise data size;
  • Uphold accuracy;
  • Remove data which are not used;
  • Ensure data integrity and confidentiality.

What is a controller?

A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

What does the GDPR mean by a processor?

A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

When is a DPIA required?

If data processing poses a high risk to the privacy of participants in an investigation, then - according to Article 35 of the GDPR - it is necessary to carry out a Data Protection Impact Assessment (DPIA). A DPIA is carried out to assess "the origin, nature, particularity and seriousness of the risk to the rights and freedoms of natural persons". The result of the assessment must be taken into account when determining the appropriate measures to process the personal data in order to reduce the privacy risks.

The Erasmus University has made a decision tree available with which you can determine whether a DPIA is mandatory (ERIM, 2018). 


In the second part of the Q&A, RDNL asked about the challenges and opportunities that Marlon sees for data supporters in supporting researchers with privacy-related questions. 


What has the GDPR brought about in your institution? What have you (also) seen happening elsewhere?

Because of a combination of:

  • the open standards of the GDPR,
  • the penalties which may be imposed for failure to comply with the GDPR, and
  • accountability, 

a great deal of awareness and training has been initiated at many institutions to clarify the open GDPR standards and to specify the minimum requirements for research, including the registration of research projects.

In addition, many DPIAs have been carried out and a great deal of work has been done on forms for obtaining consent and on agreements between cooperating research institutions in the form of joint controller agreements or data sharing agreements. Work was also done on formulating generic research scenarios in order to identify more generic risks and appropriate countermeasures. For examples, see a number of documents on SURFdrive (Domingus, 2019).

Finally, people are eagerly looking for secure ways of sharing data within research groups, where access rights may be granted to known users at file or folder level, and where logging and monitoring of possible mutations in such an environment takes place.

In the worst case scenario, the GDPR has brought institutions a lot of administration and the researchers and research support a lot of questions and uncertainty. The GDPR and its predecessor - the Personal Data Protection Act (Wet Bescherming Persoonsgegevens) - have a lot in common. With one big difference. Now, with the GDPR, there is more supervision from a stronger national supervisor, who can impose high fines, and it is easier for individuals to file a complaint with the Personal Data Authority themselves.

What shifts have you observed in recent years in privacy-related questions?

Before the GDPR, the main question was: 'Is that allowed?' and now the main question is more like: 'How are we - as an institution - to fulfil our obligations as set out in the GDPR?'.

In 2017 and 2018, a great deal was copied from medical research. Informed consent forms, for example. Also, the DPIA of NOREA (2015) or the DPIA from the Dutch government (Rijksoverheid, 2017) were widely used for research, but all of these turned out to be inappropriate and had to be adapted to the specific context. (Here you will find a template for a kind of mini DPIA that we use within the Erasmus University (Domingus, n.d.)).
Also, the standard processor agreements often turned out to be too extensive and the questions weren't very clear (Here you will find a template developed by the EUR, n.d.).

Most institutions now have a central place where information is available for researchers and research support staff, sometimes via a data steward or privacy officer. And some documents are also available via LCRDM, for example templates for informed consent (LCRDM, n.d.a.).

What are the most common questions at the moment?

A lot of specific questions are being asked, where in the beginning there were a lot of general questions. In addition, there is much more understanding and therefore also discussion about the legitimacy of research. Should research always be based on consent (not to be confused with informed consent that we know from human-related research)? There are also many questions about security aspects (encryption) and pseudonymisation and anonymisation. Unfortunately, there are still no unequivocal answers to many of these questions. This is also due to the fact that the national regulators, individually and collectively in the so-called European Data Protection Board, provide few guidelines for the interpretation of these issues. And it is still too early to learn from all kinds of rulings by the European Court, which can create clarity with regard to these issues.

In my opinion, there is a lot of concrete information to be found in the ISO standards dedicated to security (the ISO/IEC 27000 series) and to privacy (ISO/IEC 29100:2011, ISO/IEC 29101:2013 and ISO/IEC 20889:2018). But the actual application of such standards requires a process-based approach that is still a bridge too far for many institutions. The maturity of the support area is slowly moving from the exploratory phase to a more defined phase (Domingus, 2017).

How should data stewards, privacy officers, ethics committees and IT support staff relate to each other?

Ideally, research support works well together in the background and systems are used intelligently, so that the researcher has as little administrative burden as possible and receives something useful in return for the data he or she provides. For example, a realistic timeline for the entire research project with deliverables and how to get support for this.

What movement is needed to show researchers the right way and to relieve them of their worries?

National exchanges of best practices, such as via the platform of the National Coordination Point RDM (LCRDM, n.d.b.) and also directly between the data stewards and the privacy officers of the institutions. This often involves the specific interpretation of the obligations, the specific examples (of data management plans or DPIAs or agreements) and we will learn from this together. Basic understanding of the GDPR in training courses such as Essentials 4 Data Support certainly contributes to this.

How do you think the field will shift in the coming years?

The questions we have now will largely be captured in scenarios and standard measures. What remains is truly innovative research, in which the application of the open standards in that specific context of the research project needs to be clarified and fleshed out.

I also expect that different disciplines will draw up their own codes of conduct and enforce them. An example is the archiving guideline of the deans of the faculties of Social Sciences in the Netherlands and soon the VSNU Code of Conduct on the Processing of Personal Data in Scientific Research will be disclosed.

What do you recommend to students taking the Essentials 4 Data Support course?

Try to link up with the network of experts within the institution (privacy, security, ethics, grant officers) and hook up with the national knowledge exchanges of LCRDM (n.d.b.). But first of all, try to see privacy as a force researchers have to contend with and try to understand the researcher's position. The last thing they need is poor coordination of support services or unclear answers to clear questions, because they have to deal with strict deadlines in their research projects.





Which misunderstandings do you regularly encounter?


Misunderstanding I: Research can only be done on the basis of consent

There are three legal bases for research:

  • The data subject has consented to the processing of his or her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a task carried out in the public interest or in the exercise of the public authority conferred on the controller;
  • The processing is necessary to protect the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data outweigh those interests, in particular where the data subject is a child.

For the processing of personal data or for the further processing (reuse of existing) of special categories of personal data, you could carry out lawful research on the basis of 'general interest' or 'justified interest' (the latter includes a risk assessment (a balancing test) that needs to be worked out). In all cases, good and clear communication to and with those involved in the research must be guaranteed, but this is different from research based on 'consent'. Permission is always required when special categories of personal data of data subjects are processed, because of the greater damage the data subjects may experience in their privacy rights and freedoms when third parties have unauthorised access to these sensitive data.

Can you give an example of research that has not been carried out on the basis of consent? 

Yes, covert research in sociological research, for example (Spicker, 2011). This is seen as a valid form of research. An example is a study into whether rich people are more dishonest than poor people. Envelopes with money in them were deliberately mis-delivered and it was checked how often the envelopes were returned to the sender. What turned out to be the case was that poor people returned the money a little earlier, but that was also because they generally had more time. If you had been informed in advance about the purpose of this research, you would get desired behaviour and not a reflection of reality.

Misunderstanding II: I have to make my data anonymous because my funder demands open data

Currently, there is a lot of attention for 'open data' and 'FAIR' data in the context of the GDPR. The reasoning is often: the funder demands open data, so I should put the research data on the web, so these have to be anonymised - how should I anonymise? I attribute this misunderstanding to an excessively wide meaning of what 'open data' is or what can be understood by 'FAIR' data. I do not foresee any problems when research data are available for verification purposes or follow-up research via a data repository such as DANS EASY in restricted access. In this case data can still be accessed by certain target groups, but not by everyone. In this case data can be pseudonymised instead of anonymised. We know that anonymous data often lose their value, because the relevant data points, also known as quasi-identifiers, have become meaningless.


Finally, a pressing question from former Essentials 4 Data Support students.


What should be done with the data of deceased people? Do they also have rights according to the GDPR?

The GDPR only applies to living EU citizens. Sometimes information about a deceased person also contains information about surviving relatives or other third parties and they, being alive, do have the right to protection of their privacy rights. In addition to the above legal answer, the question also contains an ethical aspect: even if you are allowed to process data of deceased persons outside the context of the GDPR - should you want this? And if so, can you substantiate this and explain it to the public?


Sources


Domingus, M. (2017). Capability Maturity Model for Safeguarding Privacy in Academic Research or: The GDPR* Readiness Levels.
https://www.edugroepen.nl/sites/RDM_platform/Shared%20Documents/Bij%20de%20WG%20Juridische%20aspecten%20en%20zeggenschap/The_GDPR_Readiness_Levels_0.3._MD_2017.pdf 

Domingus, M. (2019). https://surfdrive.surf.nl/files/index.php/s/9cWMy7XCvblsspi

European Union (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council. https://eur-lex.europa.eu/legal-content/NL/TXT/PDF/?uri=CELEX:32016R0679&from=en

ERIM (2018). Personal Data and Privacy Impact Assessment in Research. https://www.erim.eur.nl/fileadmin/user_upload/Privacy_assessment.pdf

LCRDM (n.d.a.). Informed Consent Agreement (Informed Consent Overeenkomst). https://www.edugroepen.nl/sites/RDM_platform/Juridisch/Informed%20Consent%20overeenkomst.aspx

LCRDM (n.d.b.) https://www.lcrdm.nl/en

NOREA (2015). Privacy Impact Assessment (PIA). Introduction, guidance and questionnaire. Version 1.2, November 2015. https://www.norea.nl/download/?id=522

Rijksoverheid (2017). Model data protection impact assessment for the central government (Model gegevensbeschermingseffectbeoordeling Rijksdienst, PIA).
https://www.rijksoverheid.nl/documenten/rapporten/2017/09/29/model-gegevensbeschermingseffectbeoordeling-rijksdienst-pia

Spicker, P. (2011). Ethical Covert Research. Sociology, 45(1), 118–133. https://doi.org/10.1177/0038038510387195