GDPR: how do I register personal data processing activities?
Why register processing activities?
The General Data Protection Regulation (GDPR, known as AVG in Dutch) requires that all activities concerning personal data processing at UGent and UZ Gent are documented and registered in a 'register of processing activities', the GDPR Register.
This internal registration replaces the former 'obligation to report' with the Privacy Commission, and is an essential tool to help researchers comply with the GDPR principle of accountability.
When to register processing activities?
New processing activities
Registration must be done for each new processing activity, i.e. at the start of each new research project that processes personal data (or the phase in the project that processes personal data), and this before the start of the actual data collection/processing.
Existing processing activities
Existing processing activities must also be registered. This applies to ongoing research projects, whether they started before or after 25 May 2018 (i.e. the day when the GDPR came into force).
In addition, it's important to keep the information regarding the registered processing activities up to date for the duration of the research project.
Where and how to register processing activities?
For research, researchers can register their processing activities while creating their Data Management Plan (DMP), because entering information into the GDPR register can be done through the DMPonline.be interface.
Use the templates in the online tool DMPonline.be
A DMP obligation may exist, but doesn't apply to all projects. It's currently the case for all PhDs started since 2020-2021 and/or if the research funder requires it (e.g. FWO, Horizon 2020, Horizon Europe, BOF, etc.). If it's not mandatory, it's still good practice to draft a plan describing how you will manage your research data.
- More information about the Ghent University policy regarding Data Management Plans
- More information about the requirements of external funders regarding Data Management Plans
Additionally, there's the mandatory registration of all research projects that process personal data. This registration also requires the use of DMPonline.be. To this end, you (only) fill out the part ‘GDPR record’ and if necessary ‘DPIA’, or you create an item of the type ‘GDPR record’, which only contains these sections.
Hence, there are two possible routes for documenting and registering personal data processing activities via DMPonline.be:
- If you want or have to prepare a DMP for a research project, e.g. for an external funder, you can also register your processing activities at the same time .
- If you're not writing a DMP or there's a separate DMP already, and you only need to register processing activities with regard to personal data, you can select the UGent/UZ Gent template 'GDPR Record (EN)' or 'AVG Record (NL)'.
In case your existing DMP doesn't contain a GDPR record tab, it's not possible to add one. Instead, you should go for option 2 described above.
How to proceed?
- Log in with your UGent or UZ Gent account at https://dmponline.be.
Creating a new plan
- Create a new entry by clicking 'Create plan'.
- In the 'Create a new plan' page, enter the correct title of the research project for which you want to write the DMP/register the processing activities.
- Leave Ghent University (UGent) as 'primary research organisation'. Templates for UZ Gent and UGent are both maintained and provided by this 'research organisation'.
- Then go through the rest of the form to choose a suitable template (i.e. the UGent/UZ Gent ‘GDPR Record (EN)’ or 'AVG Record (NL)' template, or a GDPR-compatible DMP template). Select an external funder from the list, or choose ‘no funder associated with this plan or not listed’ if you're not creating a DMP for a funder/your funder isn't included in the list.
Completing the plan
- In the newly created plan, complete the 'Project details' (i.e. basic information about the research project):
- the person creating the plan is automatically entered in the plan details as the research project's 'Creator' . If necessary, you can modify the contribution roles via the 'Share' tab. Similarly, you can also specify an additional contact person for the DMP where appropriate. If you're not the main supervisor of the project, don't forget to add your supervisor as 'Principal Investigator' and change your own role to 'Data Manager' or 'Project Administrator' for the plan.
- Answer the questions in your plan. You can find them by navigating to the tabs next to 'Project details':
- to register your processing activities with regard to personal data, you must at the very least fill in the mandatory GDPR questions under the tab 'GDPR Record' or 'AVG Register'.
- in case your research constitutes a probable high-risk processing of personal data, you'll also need to conduct a Data Protection Impact Assessment (DPIA) or Gegevensbeschermingseffectbeoordeling (GEB) by answering the questions under the ‘DPIA’ or ‘GEB’ tab.
- if you're writing a DMP in addition to registering your personal data processing activities/conducting a DPIA, you'll also find a ‘DMP’ tab with questions to help you draft your DMP.
Access Data Protection Officer
- The Data Protection Officer of UGent (firstname.lastname@example.org)/ UZ Gent (email@example.com) has automatic read-only access to your plan in DMPonline.be, as one of the admins of the application.
Exporting the plan
- You can export each individual component of your plan (GDPR Record, DPIA, DMP) from the tool in various file formats (.docx, .pdf, .txt), e.g. when you want to save a milestone version, or when you want to formally submit a document to a funder, to the Research Co-ordination office, to your ethics committee, etc.
- However, to actually register your processing activities in order to comply with the GDPR, in principle all you have to do is fill in the GDPR questions in the online tool - you don't have to export and submit a document for this yourself.
- Please note: if you need or want advice from an ethics committee for your research, your application for ethical approval does require submitting your GDPR Record document for admission. In this case, you'll have to export a document from the tool yourself.
Keeping the plan up to date
- Keep your plan, and in particular the questions under the 'GDPR Record' tab, up to date in DMPonline.be during the course of your research project. Via 'My Dashboard' you can see a list of existing plans which you can then edit further.
A more detailed manual for the use of DMPonline.be can be found in the research tip: DMPonline.be: how do I write a Data Management Plan?
Last modified Sept. 25, 2023, 9:21 a.m.