GDPR: how do I register personal data processing activities?

Introduction

The General Data Protection Regulation (GDPR, known as AVG in Dutch) requires that all activities concerning the processing of personal data at UGent are documented and registered in a 'register of processing activities', the GDPR Register.

This internal registration replaces the former 'obligation to report' with the Privacy Commission, and is an essential tool to help researchers comply with the GDPR principle of accountability.

For research, this registration is integrated within the UGent policy on Research Data Management (RDM). Researchers have to register their processing activities, for which they need to complete a specific Data Management Plan (DMP) via the online planning tool DMPonline.be (see below).

When to register processing activities?

New processing activities

The registration must be done for each new processing activity, i.e. at the start of each new research project where personal data are processed (or the phase in the project where personal data are processed), and this before the start of the actual data collection/processing.

Existing processing activities

Existing processing activities must also be registered. This means ongoing research projects, whether they started before or after 25/05/2018 (i.e. the day on which the GDPR came into force).

Updates

In addition, it is important to keep the information regarding the registered processing activities up to date during the duration of the research project.

Where and how to register processing activities?

Use the templates in the online tool DMPonline.be

DMPonline.be contains a number of templates for drafting a Data Management Plan (DMP). DMP templates are essentially online forms with questions about various aspects of data management, and can also contain a series of GDPR questions. As a UGent researcher you can meet the required internal registration of processing activities by creating a DMP in the tool in which you complete these mandatory GDPR questions.

  • when creating a new DMP in the tool, you first have to indicate whether or not you will process personal data. If so, only the templates that contain the GDPR questions will be available to you (templates can be linked to UGent - or a subgroup within the university, e.g. a faculty - , or to external funders such as FWO, European Commission etc.)

There are in fact two possible routes for documenting and registering processing activities via DMPonline.be:

  1. if you want or have to prepare an extensive DMP for a research project, for example for an external funder, you can at the same time also register your processing activities by using a GDPR-compatible template (i.e. a DMP template where the GDPR questions are included because you indicate that you will process personal data)
  2. if you are not writing an extensive DMP, but merely need to register processing activities with regard to personal data, you can use the specific UGent template 'GDPR record'. It only contains the GDPR questions and is available when you indicate that you (will) process personal data

How to proceed?

Logging in

Creating a new DMP

  • create a new DMP via the 'Create plan' menu
  • in the 'Create a new plan' wizard, enter the correct title of the research project (mandatory) for which you want to write the DMP/register the processing activities, and select the 'I will process personal data' option to ensure that you get a template that includes the GDPR questions
  • then go through the rest of the wizard to choose a suitable template (i.e. the UGent ‘GDPR record’ template, or another GDPR-compatible template)
    • select an external funder from the list, or choose ‘not applicable/not listed’ if you are not writing a DMP for a funder/your funder is not included in the list
    • UGent is pre-selected as your organisation, so that you see UGent guidance, as well as the UGent ‘GDPR record’ template (or any other GDPR-compatible institutional templates) in case an external funder is not applicable/not (yet) listed

Completing the DMP

  • in the newly created DMP, complete the 'plan details' (i.e. basic information about the research project):
    • the person creating the DMP is automatically entered in the plan details as the 'Principal Investigator/Researcher' of the research project. You can modify this if necessary via 'Add/Remove collaborators'. In the same way you can also specify an additional contact person for the DMP where appropriate. If you are not the main supervisor of the project, do not forget to add your supervisor as 'Principal Investigator' and change your own role to 'Data Contact' for the plan
  • answer the questions in your plan. Questions are grouped in sections. To register your processing activities with regard to personal data, you must in any case fill in the mandatory GDPR questions in the tool.

Access Data Protection Officer

  • the Data Protection Officer of UGent has automatic access to your plan in DMPonline.be (via the 'Share' tab you can see who has which access rights to your plan, and you can also give other people access)

Exporting the DMP

  • you can export your DMP from the tool in various file formats (.docx, .pdf, .txt), e.g. when you want to save a milestone version of your DMP or formally submit it to a funder, to the Research Co-ordination office, etc. When drafting an extensive DMP, you can choose via the export settings whether the GDPR questions should be included in the export document (this may, for example, depend on where you want to submit your DMP). To actually register your processing activities, in principle all you have to do is fill in the GDPR questions in the online tool - you do not have to export and submit a DMP document yourself

Keeping the DMP up to date

  • keep your DMP, and in particular the GDPR questions, up to date in DMPonline.be during the course of your research project (via the 'View plans' menu you can see a list of already created plans which you can then edit further).

A more detailed manual for the use of DMPonline.be can be found in the research tip: DMPonline.be: how do I write a Data Management Plan?

More information

Attachments

More tips

Translated tip


Last modified March 30, 2020, 1:36 p.m.