GDPR: what has changed with regard to the previous privacy legislation?
Although the main components of the previous privacy legislation are largely retained, the General Data Protection Regulation (GDPR) also introduces a number of important changes.
The former 'obligation to report' to the privacy commission was replaced with 'accountability' whereby you as the researcher must document the processing of personal data in your research in a register provided by the institution or organisation.
2. Data Protection Officer
Institutions and organisations must appoint a data protection officer to coordinate and monitor the implementation of the GDPR.
3. Data Protection Impact Assessment
When the processing of personal data in your research involves a probable high-risk processing (such as the processing of sensitive data, profiling, systematic monitoring, combining data sets, use of new technologies, etc.), you as the researcher must perform an additional risk analysis (data protection impact assessment).
4. Data security
When processing personal data, you as the researcher must meet higher data security requirements by using encryption and pseudonymisation.
5. Informed consent
As the researcher, you must meet new, stricter standards for informed consent if the processing of personal data is based on this legal basis.
You must make the lawfulness or legal basis for the processing of personal data known to the data subjects in a clear and transparent manner.
7. Notification obligation
If there is a breach with regard to personal data, you must report this as quickly as possible.
8. Transfer of personal data
If your research involves the transfer of personal data outside the European Economic Area (EEA) you will have to comply with the new GDPR guidelines.
9. Data Protection Authority
The Data Protection Authority (DPA) will be given the opportunity to carry out inspections and impose fines.
10. Data subject rights
In your research you will have to take into account the extended rights of data subjects, such as 'the right to be forgotten' or right to erasure' and the right to data portability.
Last modified March 30, 2020, 1:34 p.m.