GDPR: how can I protect my data correctly?
When you process personal data you have the ethical and legal obligation to ensure that personal data are sufficiently protected.
The basic level of security must always be in accordance with the information security policy of Ghent University. However, additional measures may be necessary specifically for each processing. The choice of additional security is based on an assessment of the risks of the processing. Processing involving more risks will have to be accompanied by a more extensive set of safety measures.
In the area of data protection, anonymisation, pseudonymisation and encryption are put forward by the GDPR and sometimes even required as guarantees.
Anonymisation
When you collect personal data and then anonymise them, this processing constitutes anonymisation under the GDPR. Anonymisation means that the data subject (the individual to whom the data relates) can no longer be identified and it is not possible to re-identify the data subject. Please note that the natural person may not easily be re-identified if someone, for example, were to link this dataset with another dataset.
Pseudonymisation
If anonymisation is not possible (or desirable), it is advisable to separate the personal data as quickly as possible from the research data (pseudonymisation). The key file that contains the link between the research data and the personal data must be kept in a separate and safe place, and should preferably be encrypted. For daily use, the pseudonymised data set is preferably used instead of the non-pseudonymised data set. Access to raw personal data is highly restricted.
Encryption
The use of encryption for storage or data transfer is also strongly recommended by the GDPR. You can choose to encrypt one or more files or to encrypt the entire system disk of your laptop or computer. For an overview of the different encryption options, be sure to check out the encryption manual for researchers.
Other measures
In addition to anonymisation, pseudonymisation and encryption, there are a host of other organisational and technical security measures to mitigate the risks involved:
- storage of data files or documents on the University network drives or centrally offered storage options
- use of secure VPN for wireless devices
- multi-factor authentication (MFA) to protect accounts
- clean desk policy (make sure computers automatically lock after a certain period of inactivity)
- key policy of offices
- use of Windows screen saver L key to block screens
- use of secure systems for the transfer of data (e.g. Belnet FileSender)
- use of secure procedures for destroying data
- (periodic) compliance training on data protection and information security for fellow researchers and partners
- use of hashing
- use of randomisation
- possibility for research participants to quit the research any time
- preventing personal data to leave the EEA
- not using research results to take decisions which directly affect the individuals
- keeping retention periods shorts
- reducing the risk of stigmatisation by working with a large population; ‘noise’ will be added to reduce stigmatisation
- applying data minimisation before, during and after the research; constantly re-evaluating the necessity of the personal data for the research purposes
- taking extra safeguards concerning the mailing box: reflection period of a few seconds to cancel the sending of a an e-mail, extra confirmation when mailing to multiple persons, …
- use of actual, secure and regularly controlled back-up procedure
- systematic (anti malware) software updates
For more information and tips on how to handle your data safely, see the page about datasecurity.
More tips
- GDPR: Can I share research data with personal data with other researchers or institutions when my research project has ended? (Research integrity & ethics)
- GDPR: how am I transparent to data subjects in my research? (Research integrity & ethics)
- GDPR: how can I ensure that the processing of personal data is lawful? (Research integrity & ethics)
- GDPR: how do I register personal data processing activities? (Research integrity & ethics)
- GDPR: how long can research data containing personal data be stored? (Research integrity & ethics)
- GDPR: what are personal data? (Research integrity & ethics)
- GDPR: what are the basic principles? (Research integrity & ethics)
- GDPR: what are the different roles and responsibilities according to the GDPR? (Research integrity & ethics)
- GDPR: What do I need to think about when transferring personal data to third countries or international organisations? (Research integrity & ethics)
- GDPR: what do I need to think about when using a mailing list in the context of my research? (Research integrity & ethics)
- GDPR: what has changed with regard to the previous privacy legislation? (Research integrity & ethics)
- GDPR: what information should I include in an informed consent form when the processing of personal data is based on the consent of the data subjects? (Research integrity & ethics)
- GDPR: what is the General Data Protection Regulation? (Research integrity & ethics)
- GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research? (Research integrity & ethics)
- GDPR: What should I do if there is a data breach? (Research integrity & ethics)
- GDPR: what should I do in the event of further/secondary processing of personal data? (Research integrity & ethics)
- GDPR: what should I keep in mind when designing my research? (Research integrity & ethics)
- GDPR: what should I keep in mind when processing special categories of personal data? (Research integrity & ethics)
- GDPR: What should I think about when I collaborate with others or share my data? (Research integrity & ethics)
- GDPR: What should I think about when processing personal data from minors? (Research integrity & ethics)
- GDPR: When am I processing high-risk personal data and when do I need to conduct a DPIA? (Research integrity & ethics)
- GDPR: when does it apply to my research? (Research integrity & ethics)
- GDPR: who are considered as vulnerable persons? (Research integrity & ethics)
- GDPR: why is it important to comply with this legislation? (Research integrity & ethics)
Translated tip
Last modified Sept. 13, 2021, 9:21 a.m.