GDPR: how do I register personal data processing activities?
Why register processing activities?
The General Data Protection Regulation (GDPR, known as AVG in Dutch) requires that all activities concerning the processing of personal data at UGent and UZ Gent are documented and registered in a 'register of processing activities', the GDPR Register.
This internal registration replaces the former 'obligation to report' with the Privacy Commission, and is an essential tool to help researchers comply with the GDPR principle of accountability.
When to register processing activities?
New processing activities
The registration must be done for each new processing activity, i.e. at the start of each new research project where personal data are processed (or the phase in the project where personal data are processed), and this before the start of the actual data collection/processing.
Existing processing activities
Existing processing activities must also be registered. This means ongoing research projects, whether they started before or after 25/05/2018 (i.e. the day on which the GDPR came into force).
In addition, it is important to keep the information regarding the registered processing activities up to date during the duration of the research project.
Where and how to register processing activities?
For research, researchers can register their processing activities while creating their Data Management Plan (DMP), because entering information into the GDPR register can be done through the DMPonline.be interface.
Use the templates in the online tool DMPonline.be
There are two possible routes for documenting and registering personal data processing activities via DMPonline.be:
- When creating a new plan/entry in the tool, you first have to indicate whether or not you will process personal data. If so, only compatible templates that contain a series of mandatory GDPR questions will be available to you.
- If you want or have to prepare a DMP for a research project, for example for an external funder, you can at the same time also register your processing activities by using a GDPR-compatible DMP template.
- If you are not writing a DMP or a separate DMP already exists, and you only need to register processing activities with regard to personal data, you can select the UGent/UZ Gent template 'GDPR Record' (in English) or 'AVG Register' (in Dutch).
How to proceed?
- Log in with your UGent or UZ Gent account at https://dmponline.be.
Creating a new plan
- Create a new entry by clicking 'Create plan'.
- In the 'Create a new plan' wizard, enter the correct title of the research project (mandatory) for which you want to write the DMP/register the processing activities, and select the 'I will process personal data' option to ensure that you get a template that includes the GDPR questions.
- Then go through the rest of the wizard to choose a suitable template (i.e. the UGent/UZ Gent ‘GDPR Record’ or 'AVG Register' template, or a GDPR-compatible DMP template). Select an external funder from the list, or choose ‘not applicable/not listed’ if you are not creating a DMP for a funder/your funder is not included in the list.
Completing the plan
- In the newly created plan, complete the 'Plan details' (i.e. basic information about the research project):
- the person creating the plan is automatically entered in the plan details as the 'Principal Investigator/Researcher' of the research project. You can modify this if necessary via 'Add/Remove collaborators'. In the same way you can also specify an additional contact person for the DMP where appropriate. If you are not the main supervisor of the project, do not forget to add your supervisor as 'Principal Investigator' and change your own role to 'Data Contact' for the plan.
- Answer the questions in your plan. You can find them by navigating to the tabs next to 'Plan details':
- to register your processing activities with regard to personal data, you must in any case fill in the mandatory GDPR questions under the tab 'GDPR Record' or 'AVG Register'.
- in the event that your research constitutes a probable high-risk processing of personal data, you will also need to conduct a Data Protection Impact Assessment (DPIA) or Gegevensbeschermingseffectbeoordeling (GEB) by answering the questions under the ‘DPIA’ or ‘GEB’ tab.
- if you are writing a DMP in addition to registering your personal data processing activities/conducting a DPIA, you will also find a ‘DMP’ tab with questions to help you draft your DMP.
Access Data Protection Officer
- The Data Protection Officer of UGent (email@example.com)/ UZ Gent (firstname.lastname@example.org) has automatic access to your plan in DMPonline.be (via the 'Share' tab you can see who has which access rights to your plan, and you can also give other people access).
Exporting the plan
- You can export each individual component of your plan (GDPR Record, DPIA, DMP) from the tool in various file formats (.docx, .pdf, .txt), e.g. when you want to save a milestone version, or when you want to formally submit a document to a funder, to the Research Co-ordination office, to your ethics committee, etc.
- However, to actually register your processing activities in order to comply with the GDPR, in principle all you have to do is fill in the GDPR questions in the online tool - you do not have to export and submit a document for this yourself.
- Please note: if you need or want advice from an ethics committee for your research, submitting your GDPR Record document is an admissibility requirement for your application for ethical approval. In this case, you will have to export a document from the tool yourself.
Keeping the plan up to date
- Keep your plan, and in particular the questions under the 'GDPR Record' tab, up to date in DMPonline.be during the course of your research project. Via the 'View plans' menu you can see a list of already created plans which you can then edit further.
A more detailed manual for the use of DMPonline.be can be found in the research tip: DMPonline.be: how do I write a Data Management Plan?
Last modified May 28, 2020, 4:55 p.m.