GDPR in research: security measures

This website provides information about security measures in the context of the GDPR in research:

Definition

Make sure that your data is well secured. When working with personal data, you should at least make use of privacy protection techniques and measures such as encryption, data anonymisation and pseudonymisation.

Guidelines

  1. Consult Radboud University’s guidelines on security: here and here.

  2. Treat pseudonymised data like personal data. Because the pseudonymised data can be traced back to an individual (even though you may not be able to do it yourself), appropriate security measures are important and the data should be treated as personal data. 

  3. The pseudonymisation key should be stored in a secure way. For example, store the pseudonymisation key in a password vault recommended at Radboud University. It is advised to share the password to the vault with as few people as possible (for example only the principal investigator, the research secretary and/or the data steward).

  4. Paper documents with personal data are vulnerable. Security measures regarding non-digital data can include making scans of the original paper data following the RU substitution manual. The scans should then be treated as personal data. Encryption of the scans and access authorisation are essential parts of the security measures. In most cases, the paper data can be destroyed 6 months after digitising because the security of non-digital data is harder to control. Find more information about destroying paper data here.

  5. To determine whether a (new) system or software provides sufficient security measures for working with personal data, you should confirm whether there is a processing agreement (i.e. verwerkersovereenkomst). A model processing agreement is available. You can contact the decentralised privacy manager and/or the security officer of Radboud University for more information.

  6. It is obligatory to report new processing activities, so that the processing can be included in the processing register, which is held by the central privacy office. The data protection manager of your department can help you with this.

GDPR articles

Information about security measures can be found in the following articles and recitals in the GDPR.

Frequently asked questions

Read the frequently asked questions about security measures in the GDPR and its implications for research data management.