GDPR: what has changed with regard to the previous privacy legislation?

Although the main components of the previous privacy legislation are largely retained, the General Data Protection Regulation (GDPR) also introduces a number of important changes.

1. Accountability

The former 'obligation to report' to the privacy commission was replaced with 'accountability', whereby you as the researcher must document the processing of personal data in your research in a register provided by the institution or organisation.

2. Data Protection Officer

Institutions and organisations must appoint a data protection officer to coordinate and monitor the implementation of the GDPR.

3. Data Protection Impact Assessment

When the processing of personal data in your research is likely to be high-risk (such as the processing of sensitive data, profiling, systematic monitoring, combining data sets, use of new technologies, etc.), you as the researcher must perform an additional risk analysis (data protection impact assessment).

4. Data security

When processing personal data, you as the researcher must meet higher data security requirements by using encryption and pseudonymisation.

5. Informed consent

As the researcher, you must meet new, stricter standards for informed consent if the processing of personal data is based on this legal basis.

6. Lawfulness

You must make the lawfulness or legal basis for the processing of personal data known to the data subjects in a clear and transparent manner.

7. Notification obligation

If there is a breach with regard to personal data, you must report this as quickly as possible.

8. Transfer of personal data

If your research involves the transfer of personal data outside the European Economic Area (EEA), you will have to comply with the new GDPR guidelines.

9. Data Protection Authority

The Data Protection Authority (DPA) will be given the opportunity to carry out inspections and impose fines.

10. Data subject rights

In your research you will have to take into account the extended rights of data subjects, such as 'the right to be forgotten' or 'right to erasure' and the right to data portability.


Last modified March 30, 2020, 1:34 p.m.