Context
Building on the Legal Framework for Research Data guidance, this section expands on data protection compliance, specifically focusing on the General Data Protection Regulation (GDPR). Guidance regarding procedural and technical measures to protect data is provided on the IT security guidance page. Data protection is part of responsible research practices; the new legislative framework regulates specifically how personal data can be shared and handled with regard to the data subject’s privacy.
GDPR defines two categories of data, namely personal data and special category data, often referred to as sensitive data, where special category data is a subset of personal data. This law applies to data regarding all residents of the European Union (EU), regardless of whether their data is processed within or outside the EU, and legally binds all Member States, as well as organisations outside the EU that process personal data of EU residents.
In practice, compliance with the data protection legislation is overseen by a Data Protection Officer (DPO). According to the European Data Protection Supervisor, “the primary role of the Data Protection Officer (DPO) is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules.” All organisations, regardless of size or type, that handle EU residents’ personal information should appoint a DPO responsible for monitoring GDPR compliance. Whether a person can take on the DPO’s tasks internally or a dedicated DPO must be hired depends on meeting one of these criteria: being a public authority, carrying out large-scale, regular monitoring of data subjects or processing large-scale special categories of personal data as a core activity.
In most countries, there are no strict rules on when a DPO must be hired, but national legislation may provide specific guidance. Similarly, there are currently no EU-wide formal qualification requirements for the role, though expertise in data protection law and practices is expected.
Please be aware that this chapter does not replace legal advice and seeking out qualified legal help is strongly advised where necessary.
Relevant links:
- European Data Protection Board guidelines, recommendations and best practices
- GDPR Designation of the data protection officer
- European Data Protection Supervisor’s DPO guidance
Guidance
Data protection in research ensures that personal and sensitive data are processed in compliance with the GDPR and related legislation, safeguarding privacy, ethical integrity, and trust. Effective data protection compliance requires a structured, proactive approach that embeds legal requirements into the daily research data lifecycle. While data stewards are not legal experts, they are essential in recognising risks, advising on data protection procedures, and connecting researchers with the Data Protection Officer (DPO) or relevant institutional authorities. These guidelines focus on four drivers: clarity of roles, accessible procedures, contextual guidance, and continuous improvement.
1. Establish Foundational Roles and Resources
These actions ensure that the organizational structure, roles, and necessary tools are clearly visible and accessible to researchers and staff. Data stewards facilitate compliance by connecting researchers with the appropriate institutional experts. They are the ones who know when to contact the legal or DPO teams, serving as translators between researchers and these experts.
✔ Define and Empower the Data Protection Officer (DPO)
- Map responsibilities for data protection across researchers, data stewards, DPOs, ethics committees, and legal advisors.
- Provide a one-page overview of responsibilities, highlighting what tasks belong to the DPO versus the data steward, Principal Investigator and IT staff. Clearly communicate the mandates of the different roles (consultation, monitoring, impact assessment).
- Offer regular, role-specific training to ensure these individuals understand their duties regarding data handling and security.
- Keep contact details for the DPO and related offices (Legal, TTO) visible in onboarding materials, presentations, intranet pages, and RDM pages.
- Provide the DPO with executive support to enforce compliance across departments (if that is in the mandate of the data steward role).
✔ Centralize and Standardize Documentation
- Create and maintain a single, easily accessible information resource that collects and/or refers to all mandatory compliance templates and guidance (e.g., Data Protection Impact Assessment (DPIA) forms, Records of Processing Activities (ROPA) documentation, and consent templates).
- Ensure templates and documentation are actively reviewed and updated by the DPO and legal counsel.
2. Integrate Compliance into the Research Workflow
The focus here is to move from reactive compliance to proactive involvement by making compliance checks mandatory parts of research milestones.
✔ Mandate DPO Involvement at Project Initiation
- Establish a mandatory pre-screening procedure for all new projects or grant applications to identify whether personal or sensitive research data is involved.
- If personal/sensitive data is identified, the project must consult with the DPO or Legal Counsel before the final grant submission or ethics review.
- Build simple tools (e.g., a mandatory online project registration form) that automatically flag high-risk projects and initiate the DPIA process early in the planning stage.
- Ensure the ROPA entry for any project handling personal data is created and reviewed as part of the formal project approval process.
3. Ensure Ongoing Assurance and Continuous Improvement
These steps ensure that compliance is maintained throughout the project lifecycle and that the overall system is regularly audited and optimized.
✔ Implement Regular Auditing and Evaluation
- Support the DPO in performing ongoing evaluation of compliance procedures and systems, reporting findings to top leadership.
- Establish a schedule for conducting regular internal or external audits to assess compliance levels on a sample of ongoing research data projects.
✔ Formalize Data Subject Rights Exercise
- Support the DPO in creating a documented process for Data Subject Rights (e.g., access or erasure). This process should be clearly publicized and include specific steps for receiving, logging, and responding to requests.
- Ensure that Data Stewards are trained and prepared to help execute these rights in a timely and compliant manner.
✔ Use Audit Results to Drive Optimization
- Utilize findings from audits and Data Subject Rights requests to identify weaknesses in templates, policies, or training materials.
- Regularly communicate system improvements and policy updates, demonstrating that the institutional approach to data protection is evolving based on identified needs.