Published December 21, 2023 | Version v2023.12.21
Poster Open

10 steps towards privacy compliance in research

  • 1. Utrecht University


This upload contains a flyer/handout with an overview of steps that researchers should take when they process personal data in their research project:

  1. Keep the GDPR in mind when designing your research: Do you need to collect personal data, why, and how much?
  2. Make sure you have a legal basis to use personal data, e.g., public interest or consent
  3. Document privacy risks and privacy-related decisions, e.g., in a Data Management Plan, privacy scan, or Data Protection Impact Assessment
  4. Arrange ethics review. Ethics review makes sure that you have also taken ethical implications into account
  5. Inform participants properly, e.g., in an information letter, oral script, privacy statement
  6. Protect your data with organisational measures, e.g., access control, agreements with external parties, data protection policies, researcher training
  7. Protect your data with technical measures, e.g., anonymise, pseudonymise, encrypt your data, use safe storage
  8. Enable participants to exercise their rights, e.g., right to data access, correction, objection, erasure
  9. FAIR data: balance risks and Open Science principles, e.g., share under restricted access, or only share metadata and materials
  10. Ask for help when you need it! Contact your privacy officer or data steward for support

Although this flyer was created for Utrecht University researchers and students, the steps are fairly generic and so reuse of this flyer in other institutes is encouraged.


