Skip to ContentSkip to Navigation

Digital Competence Centre

your one-stop for research IT and data
Data Management

Privacy & Data Protection

Research projects often involve the processing of personal data. The General Data Protection Regulation (GDPR) challenges researchers to build compliance with data protection standards into their research plan. In “human subject research” the acquired data is often sensitive, carrying a risk to the freedom and rights of the individual research subjects. Apart from responsible research data management and protection, research of this type often also requires a Data Protection Impact Assessment (DPIA).

Data protection involves making plans in advance on:

  • data safety, this is to protect against data loss through storage (including backups) and archiving, and by good organization and documentation
  • data security, this is protection of data against unwanted changes or “leakage”, which can be achieved by controlling access to data and using secured infrastructure
  • data organization, protecting data from untraceability by systematic data arrangement

The DCC offers support on these topics and specific consultancy on:

General Data Protection Regulation (GDPR/AVG)

The processing of personal data in the GDPR broadly includes any operation or set of operations which are performed on personal data or sets of personal data, whether or not by automated means.

That includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“If you are responsible for processing personal data on behalf of your institution, you are accountable for what you do, why you do it and the way you do it. This means that you need to make sure that you not only comply with data protection laws, but that you can demonstrate this compliance. One way to demonstrate compliance is to document all processing operations which take place in your institution” [EDPS].

Do you want to know more about the GDPR in your research? Have a look at the GDPR guide.

Data Protection Impact Assessment (DPIA)

"The DPIA is a process designed to assess the data-protection impacts of a project, policy, programme, product or service and, in consultation with relevant stakeholders, to ensure that remedial actions are taken as necessary to correct, avoid or minimise the potential negative impacts on the data subjects." [European Commission, Ethics and data protection, 2018]

In brief a DPIA aims to:

  • map the data privacy risks in the project;
  • assess these risks; and
  • define protection measures to eliminate or mitigate the risks.


The Biker et al. method for DPIA is based on six protection goals:

  1. Confidentiality: ensures the protection against unauthorised and unlawful processing
  2. Integrity: ensures that data remain intact, complete, and up-to-date
  3. Availability: ensures that the data are available and usable in the intended process
  4. Unlinkability: ensures that data are processed and analysed only for the purpose for which they were collected
  5. Intervenability: provides the possibility for the data subjects to exercise their rights
  6. Transparency: is necessary for the monitoring and control of the data processing. Transparency ensures that data subjects and supervisory authorities can identify deficiencies and, if necessary, demand appropriate procedural changes.


Data minimisation is an additional protection goal. Data minimisation supports the principle of necessity, which requires that any process (collect, process and use) do not involve more personal data than necessary for the achievement of the purpose of the processing.

For more information about a DPIA for your research consult our guide.

Follow this online course to learn how to incorporate DPIA in your research.

Reusing sensitive data (secondary use)

A current situation in research is the re-use of personal data. That includes, for instance, data collected in the context of previous research projects, data collected by companies for running their business activities or data publicly available (e.g. data on social media).

The use of previously collected data may raise issues concerning the transparency of the processing, the rights and expectations of the data subjects. For that reason, it is essential to assess whether consent is required and/or which information should be provided to the data subjects.

Possible situations

The data were collected on the basis of consent. In this case, the data can be re-used only for the purpose(s) covered by the consent. Further processing not covered would require obtaining new consent or a new legal basis.

The data were collected on the basis of another legal ground, such as legitimate interest or a contract. In that case, the data may be re-used only after checking that the new purpose is compatible with the original purpose (compatibility test).

If you are using data from social media networks you must also ensure that your intended use of the data complies with any terms and conditions published by the network.

Compatibility test

The European Commission indicates some elements that should be considered to assess the compatibility between two purposes:

  • the link between the original purpose and the new/upcoming purpose
  • the context in which the data was collected
  • the type and nature of the data
  • the possible consequences of the intended further processing
  • the existence of appropriate safeguards (such as encryption or pseudonymisation)

Social media data

In the GDPR there is no distinction between public and private data, only between personal and non-personal data. All personal data processed systematically falls under the GDPR. Most of the social media data is defined as personally identifiable data under the GDPR.

Moreover, the processing of data from social media networks has to comply with any terms and conditions published by the network.

Before starting the processing of the data consult the checklist.

Technical and organisational measures for sharing and collaborating

As recognised in the general policy of the UG, it is a shared responsibility of the researcher, faculties and the central board to have appropriate technical and organisational measures for data protection. If you want to share sensitive data (such as personal information or company secrets) with a co-worker at UG or for collaboration outside the UG, make sure that the necessary technical measures and agreements for collaboration and sharing are in place.

Sensitive data protection requirements

  • Information may not be stored on transportable (personal) media*
  • Transport your data via UWP (the UG network) or make sure the connection is properly encrypted
  • Sensitive data must be protected against unauthorized access, i.e., by the means of strong encryption or multi factor authentication (MFA)
  • A proper system of access and privilege management of the users has to be in place
    (i) list of users, their rights and their role (a so-called Access Control List - ACL)
    (ii) twice a year check whether the access and control list is still valid.


* Thus, transportable media may not be used for sharing sensitive data.

Other safeguards include taking security measures, informing data subjects and recording written contractual agreements with processors. To reach ‘privacy by design’ for research, it needs to be recognised that there is no one size fits all. However, more and more building blocks of measures are available to fit into the diverse research scenarios. For very delicate research on sensitive data is also an option to choose for using a “digital/virtual research environment” designed specifically to protect your data.

Consult the guide on Privacy & Protection for more information on, for example, data encryption, informed consent and de-identification of personal data.

Last modified:27 January 2023 2.12 p.m.