This indicator assesses the level of data protection compliance in an organisation and the implementation of roles and systems that ensure responsible handling of research data. It evaluates how effectively data protection principles are embedded into research data management through the Data Protection Officer and mechanisms such as the Registry of Processing Activities (ROPA), consent management and Data Protection Impact Assessments (DPIAs). Higher maturity levels reflect a shift from reactive compliance toward a systematic, well-governed approach supported by leadership, audits and proactive DPO engagement.
Level 1 – The organisation has a part-time Data Protection Officer (DPO) with general responsibilities (consulting) for RD. The DPO actively monitors data protection compliance. Mostly, there is no standardised framework or templates regarding RDM, and most of the work is reactive.
- Limited capacity: The institutional DPO provides general support, with research data being only one of several responsibilities.
- Reactive approach: Data protection issues are handled on a case-by-case basis, with little proactive planning or follow-up.
- Lack of standardisation: There are no established frameworks, templates or consistent procedures for data protection in RDM.
- Minimal visibility: DPO input is often sought only when problems arise rather than during project planning.
Impact: Researchers can seek legal advice, but the processes for detecting projects that handle personal research data and for ensuring compliance are reactive and not established. Compliance depends on individual awareness and ad hoc action.
Level 2 – The organisation has a full-time DPO. The DPO actively provides guidelines, documentation and consultations for RD. No procedures are in place to involve the DPO.
- Dedicated expertise: The organisation employs a dedicated DPO position who provides guidelines, documentation, and consultations for research data activities.
- Independent operation: The DPO acts mainly as an advisor rather than an integrated part of RDM planning processes.
- No formal procedures: There are no established steps or triggers to involve the DPO systematically in project design or review.
- Growing awareness: Staff begin to recognise the DPO’s role, but collaboration remains optional or inconsistent.
Impact: Researchers get better support with personal and sensitive data, but they must reach out to the DPO themselves. Without clear procedures, data protection often comes too late to prevent issues.
Level 3 – Established systems for Data Protection legislation compliance (ROPA, consent management, DPIA, etc.) of RD. No procedures in place to involve the DPO. Sometimes a DPO is involved at the planning stages, but not always.
- Irregular DPO engagement: The DPO is sometimes involved during planning stages but not consistently across all research projects.
- Partial integration: Data protection procedures exist but are not yet fully embedded into RDM workflows or project management.
- Focus on documentation: Compliance infrastructure is in place, but work is mostly administrative with little collaboration across teams.
Impact: Finding projects that handle personal or sensitive data is sporadic but slowly developing. Compliance helps reduce risk, but without regular DPO involvement, data protection, RDM practices and ethics are not fully aligned.
Level 4 – Procedures are in place, and the organisation is willing to involve, and actively involves, a DPO at the right stages of the project. The top leaders of the organisation understand the necessity of the DPO and the processes regarding data protection. The organisation does regular auditing (internal or external), and ongoing evaluation takes place regarding data protection for RD. Procedures for the exercise of Data Subject Rights are established.
- Embedded governance: The organisation has clear procedures to ensure the DPO is involved at appropriate project stages of the research lifecycle, from planning to data sharing and closure.
- Leadership commitment: Senior management actively supports data protection and recognises its strategic importance for responsible research.
- Rights management procedures: Established systems ensure timely, transparent and well-documented handling of Data Subject Rights requests.
Impact: Researchers are familiar with procedures and data protection is embedded in the institutional culture and research workflows. Active DPO engagement lowers risks and demonstrates a mature, accountable organisation.
Contributors