This TLS video provides a good overview of the general principles and terminology of the GDPR and is relevant for researchers of all Schools.

The General Data Protection Regulation (GDPR) is applicable when personal data are part of the research data. Personal data is all information related to an identified or identifiable natural person (a data subject). The GDPR is based on 12 fair information principles:

1. Lawfulness
   Any processing of personal data must be lawful. This principle carries two requirements. First, the processing of data must rest on one of the bases stated in the GDPR. Second, the processing of data must of course also comply with other legislation, such as the Constitution (Grondwet), the Equal Treatment Act (Algemene wet gelijke behandeling), and the Criminal Code (Wetboek van Strafrecht).
2. Fairness
   Any processing of personal data must be fair. Examples of unfair processing include commercial practices that mislead consumers and terms and conditions that stipulate consumer consent to all manner of things which consumers need not reasonably expect to consent to.
3. Purpose specificity
   Any processing of personal data must serve a specific purpose. This principle carries three requirements. First, a purpose must be determined before any personal data are (to be) collected. Determining a purpose after personal data have been collected is not allowed. Second, the purpose must have been explicitly documented to ensure that the compatibility of the processing with the original purpose can subsequently be easily verified. Third, the purpose must be specific. For many organizations this is a pitfall, because they have formulated their purposes in words that are far too broad and general, such as ‘customer interaction’, ‘product improvement’, ‘innovation’, and ‘advertising purposes’. As these purposes are too broad, they are deemed unlawful.
4. Purpose limitation
   Personal data must in principle only be processed for the specified purpose; using collected personal data for any new purpose is not allowed, unless it is a similar purpose.
5. Data minimization
   In principle the fewer personal data are collected, the better. The GDPR data minimization principle ultimately rests on the general necessity requirement and the principle of subsidiarity. Put simply, collecting personal data must not go beyond what is strictly necessary to achieve the specified purpose(s).
6. Accuracy
   The collected personal data must be accurate. In other words, collecting personal data requires carefully designing a research methodology as well as setting up safeguards for a sound data collection; arbitrarily collecting data about people and drawing some random conclusions is out of bounds. This principle has been incorporated into the GDPR to ensure that collected personal data are processed and analyzed accurately and that ensuing decisions are adequate and fair. For example, no one should suffer adverse effects of incorrectly registered data.
7. Up to date
   If collected personal data are retained for a longer period, they must be kept up to date. For normal databases an annual data update will often do, but high-impact decisions and sensitive data sets require a higher update frequency, for example every month. When updating data and before taking specific decisions based on these data regarding a specific person or small group of persons, it is wise to ascertain in each individual case if the step-by-step process has been carefully followed throughout.
8. Erasure or anonymization of unnecessary personal data
   If the collected personal data are no longer needed, for example because the purpose for which they were collected has been achieved, they must in principle be erased or fully anonymized. The advantage of anonymizing data sets over erasing them is that they can then still be used for general statistical analysis.
9. Storage limitation: archiving or research
   Personal data that are no longer necessary for the purpose for which they were collected may only be retained if: such retention serves the purpose of complying with a legal obligation, such as the duty to allow the tax authorities to inspect financial records; for the purposes of historical, scientific, or statistical research; or for complying with an obligation to archive data. Research and statistical analysis here relates to scientific and medical research; the GDPR in this regard mentions clinical trials, public health research, and research that aims to increase social knowledge.
10. Technical security
    If collected personal data are stored, for example in a database, register, or filing system, technical security measures must be taken. These include:
    • Encryption
      Make sure that hackers cannot gain unauthorized access to databases: securely encrypt all personal data and issue alerts as soon as attempts at unauthorized access are detected.
    • Automatic blocking
      Make sure that if an incorrect password is entered three times, the device used to attempt access to a database is automatically blocked. When processing sensitive personal data, the default blocking response is preferably set to one incorrect password entry. The person(s) whose credentials may have been compromised must be alerted immediately.
    • Raising awareness
      Make sure that staff and external contacts are warned about the danger hackers pose. It is a well-known fact that many clients and staff, despite repeated warnings, are duped by fake emails that request the addressee(s) to confirm or change passwords.
    • Compartmentalization
      Make sure that within the organization personal data are stored in several segregated databases that run on different servers on different locations and that use different security tools. This may help prevent hackers from gaining unauthorized access to full data sets.
    • Barriers
      If despite all precautions something does go wrong, make sure barriers are in place that make it impossible or difficult to, for example, copy or download the entire database.
    • Notification
      If despite all precautions something does go wrong, make sure the incident is duly reported.
11. Organizational security
    If collected personal data are stored, for example in a database, register, or filing system, organizational security measures must be taken to ensure that the only people within the organization to have access to these data are those whose access is necessary in relation to the purpose(s) for which the data were collected. These measures include:
    • Authentication
      Make sure that personal data, files, and databases can only be accessed by means of a personal code.
    • Restriction
      Make sure that authentication and access rights are only granted to people within the organization whose access is genuinely necessary. As a matter of principle, the more sensitive the personal data and the larger the data set, the fewer people have access.
    • Logging
      Keep track of the people within the organization who have been given access to personal data. On accessing a database, these people ideally also specify why they are doing so, but at the very least they should be able to explain why they have accessed a database when asked.
    • Automatic logout
      Another security measure is configuring computers to automatically log out after several minutes of user inactivity.
    • Clean desk
      Clean-desk policies are widely used. After office hours all documents that have not been locked away are shredded or stored to prevent sensitive information from lying around.
    • Physical security
      Lock rooms and special-purpose areas.
12. Transparency
    One of the cornerstones of the GDPR is transparency – or openness – about processing personal data within organizations. All information must be provided free of charge and communicated in clear and understandable language. The transparency organizations must offer is of three types:
    1. General transparency
    2. Information to data subjects
    3. Notification of security breaches

1. Definitions
   The most common terms in the GDPR are listed below:

   Term	Definition
   Personal data	Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person
   Special personal data or special categories of personal data	Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data relating to sexual conduct or sexual orientation of a person
   Data subject	An identified or identifiable natural person to whom personal data relates
   Anonymizing / Anonymous data	Data that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (e.g., for statistical or research purposes)
   Pseudonymization	The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person
   Processing	An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data
   Processing basis	An operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data
   Consent (of the data subject)	Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (Article 4(11) GDPR)
   Controller	The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
   Processor	A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
   Data processor agreement	The contract between a controller and a processor that sets out the agreements about the processing of personal data to ensure the protection of the personal data of data subjects and that meets the requirements specified in Article 28(3) GDPR
   Third party	Any natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
   Privacy by design and by default (i.e., data protection by design and by default)	The implementation of appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the EU General Data Protection Regulation and protect the rights of data subjects
   Data Protection Impact Assessment (DPIA)	An assessment of the impact of the envisaged processing operations on the protection of personal data that helps to identify risks to the rights and freedoms of natural persons and offers ways to reduce these risks to an acceptable level
   Data leak (i.e., personal data breach)	A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data transmitted, stored or otherwise processed
   Data processing register	The records of the processing activities referred to in Article 30 GDPR that must contain certain data for the purpose of accountability Implications for research For Tilburg University research this is part of the integrated form for ethics, data management and GDPR

   
    

2. Implications for scientific research

   The General Data Protection Regulation (GDPR) has some important implications for scientific research.

   Research life cycle
   The Research Life Cycle that is meant here has 3 rough phases: prior to research, during research and after research. We are well aware that research is not a linear process, but that you sometimes make adjustments as you go and you might need to revisit your previous steps. The implementation of the GDPR through these phases is meant to optimize processes in advance, without having to record all the information afterwards for already defined purposes such as follow up studies. This is beneficial for you as a researcher, because having a predetermined goal and determining a lawful base for processing will help you determine what data is absolutely necessary, the kind of data that you are going to gather and how you are going to do so, steps in analyzing and storing data.

   1. Prior to Research
      Before you start your research, you need to fill in the integrated form for Ethics (if applicable), Data Management and the Data Processing Register. This form also includes a so called pre-DPIA (Data Protection Impact Assessment), which indicates whether a full DPIA is necessary. This is required to assess the privacy risks that might flow from the research and (if necessary) formulate ways to mitigate those risks. Please note that you should always write a Data Management Plan, even when you are not processing personal data. With the GDPR there are a couple of factors to look into such as the data processing register, informing participants about their rights and checking whether a processor agreement is needed for the tools you want to use. If Personal Data are processed in a scientific study, the so-called Lawfulness and Purpose Limitation must first be established. In the following, the so-called Material requirements must be observed in order to ensure that Personal Data is handled with care:

       

      • Lawfulness Any processing of Personal Data must be lawful, i.e., there must be a legal Processing Basis and purpose for the processing. There are six legal Processing Bases, which are described in the Privacy & Personal Data Protection Policy (section 4, page 14). In general, the Processing Basis for research is the Data Subject’s consent.
      • Purpose Limitation A pre-determined well-described purpose, in the data management plan of the study and the data processing register, is a requirement for gathering personal data. If you use data gathered in a previous study, please refer to the Thematic Policy Scientific Research (section 2.2, page 13).
      • Rights of the Participants The Respondent has a number of rights prior to, during, and after the research:
        • To be informed about which Personal Data are being processed.
        • To have access to the Personal Data collected in relation to their person at all times.
        • To demand that incorrect Personal Data be rectified at all times.
        • To restrict the processing of their Personal Data, for example, pending the outcome of an objection. Restriction means that Personal Data will be marked, and may not be edited or shared during this period.
        • To make a request to erase the data of the participation including the answers given by the Respondent.
        • To object and indicate that they do not or no longer want their data to be processed.
        
        The aforementioned general rights of the Data Subject are subject to certain exceptions in the GDPR relating to scientific research regarding:
        • Access
        • Erasure
        • Rectification
        • Restriction
        Access, erasure, restriction, or rectification of Personal Data need not be honored if this seriously threaten the scientific research and if the necessary measures (for example, security in the form of authorization) have been taken to guarantee that Personal Data can only be used for scientific research. Think, for example, of research in which the erasure or modification of the data means that the results can could no longer be used or generalized. More information can be found in the Thematic policy Scientific Research (section 2.10, page 18).
      • Informed Consent If Special Personal Data are processed in the course of scientific research, explicit Consent must be given. In addition, to make sure your data can be used in future research projects, you should ask consent for future use explicitly. This means that the researcher should add a checkbox to his/her informed consent form, which can be ticked by the participant, in which the consent for future use is made explicit and linked to a certain field of research, such as marketing, psychology, etc. More information on informed consent with regard to datasets (including previous ones and public ones) can be found in the Thematic policy Scientific Research (section 3.1, page 19).
      • Data Processing Register, Ethics and Data Management Before you start your research, you need to fill in the integrated form for Ethics (if applicable), Data Management and the Data Processing Register. Please note that you should always write a Data Management Plan, even when you are not processing personal data.

       

   2. During Research
      The GDPR also has some implications for the processes during your research:

       

      • Gathering, storing and analyzing data containing personal information Within Tilburg University, as few people as possible are granted access to the data sets (digital or physical) for research in which Personal Data has been processed. Such access is usually limited to the researcher concerned, and his supervisor. The data sets (digital and physical) must be stored safely and should only be accessible to those for whom this is necessary in the context of the research. Moreover, a researcher who collects and stores contact details for the purpose of scientific research should store them in a secure manner that guarantees limited access. The researcher is responsible for storing the contact data file separately. The contact details that can be linked to the data set should be removed by the researcher as soon as possible (within 6 months unless longer is necessary), as long as this does not conflict with the interests of the scientific research (more information: Thematic Policy Research sections 1 and 4.1). Additional measures regarding data management can also be of effect, more information about these measures can be found in the Research Data Management policy.
      • Data Processor Agreement When personal information is gathered, stored or analyzed using an external application, software or server, Tilburg University and the external organization must agree upon a data processor agreement. Several agreements for commonly used tools are already in place, and we advise you to use those tools. If you wish to use other programs for specific research purposes, please check with the Information Manager of your School whether there is already a contracted tool available. In case no tool is suited and it is necessary to acquire a new tool for the processing of personal data, you can use the model agreement to close a data processor agreement. The data representative of your School can aid you if you have any questions regarding the data processor agreement. More information can be found in section 4.4 of the thematic policy on research and the GDPR.
      • Sharing Data Personal data can only be shared safely with encryption and through the servers of Tilburg University. If you want to use a different tool, make sure to contact the data representative of your School to check whether a data processor agreement is agreed upon. Please keep in mind that personal data should not be placed in cloud services such as Dropbox and Google Drive. However, you can use the cloud service SURFdrive, because Tilburg University has agreed upon a data processor agreement with this organization.

       

   3. After Research
      The GDPR also has some implications for the processes after your research:

       

      • Storing Research Data containing Personal InformationWhen your research is completed, it is your responsibility as a researcher to think about the storage period of the data in line with the Research Data Management Regulations. The standard retention period for research is 10 years after the date of the last publication. Please note: all (raw) data should be stored pseudonymized or when possible anonymized. Directly traceable personal data (such as the Informed Consent form) may be kept separately for as long as necessary, but for a maximum of 10 years. In addition, additional requirements may be imposed on, for example, WMO-obligated research materials. The data is stored in a data package (see Thematic Policy Scientific Research section 5.2). A data package contains all materials, thinking steps and analyses that are necessary to carry out the research. The data package must be stored in a secure manner. Different agreements have been made here for each School. If you want to publish the data package or save it in a Trusted Digital Repository such as DataverseNL make sure that all traceable personal data have been removed. You also need to store a complete data package, including raw data, at Tilburg University.
      • Rights of Respondents Respondents may also appeal to their rights after the research, as described in the Thematic Policy Scientific Research (section 2.10, page 18) and as mentioned previously.

       

   
    

3. Data Representatives
   Each School offers researchers support to comply with the General Data Protection Regulation:

   Catholic Theology	Nico de Groot
   Economics and Management	Juliana Thomazini
   Humanities and Digital Sciences	Monica Lensink
   Law	Djara Braggaar
   Social and Behavioral Sciences	Jeske de Vet

   You can find the Theme Policy on Scientific Research (as well as more information about privacy and data protection) on the Privacy and Security portal. .