Data protection by design

Designing your research project

Every research project is unique. Research can take place in various contexts, may contain different types of data, can apply different kinds of methods, and might be performed in collaboration with scientists or other collaborators working at a different institution or company. It is therefore important to think about technical (e.g., safe storage, encryption) and organizational (i.e., access management, agreements) measures that suit the sensitivity of your research data.

The planning and incorporating of technical and organizational measures to protect the data (of your data subjects) is called data protection by design. As a researcher, there are several ways you can incorporate data protection by design in your research project. Here, we propose three strategies.

Data management plan

A good data management plan helps you to plan your research and assess risks related to the processing of the data you collect. Data management plans are a good practice (and at some faculties even mandatory) for researchers to complete before the start of their research projects. Especially when you collect personal or sensitive data, the completion of such a plan helps you to reflect on:

Risks related to the data you would like to collect
Where you want to store your data
Who has access to your data
How to make your data available for reuse, if possible

At the same time, you can think about how to protect the data throughout the research data lifecycle.

More information on research data management

Data flow diagram

A data flow diagram is a visual representation of the research data flow throughout a research project, using a standardized set of symbols and notations. A data flow diagram can be used to clarify responsibilities between organizations, researchers and other team members. In addition, a data flow diagram helps researchers discover potential privacy and security risks or weaknesses, and develop better protection measures.

A data flow diagram can be specifically useful in complex, high risk projects:

Complex research projects have complicated dataflows
Multiple parties want to share or have access to different datasets
Data need to be moved from one medium to another (e.g.mobile device to network drive)

The DCC provides support on developing data flow diagrams. During interactive sessions with the researcher, data stewards can help you specify the processes, dataflows and responsible entities in your research project. After the meeting, the data steward will design a data flow diagram by using Lucidchart.

Data protection impact assessment (DPIA)

For specific research projects in which there is a high risk to the rights and freedoms of research participants, the GDPR introduces the Data Protection Impact Assessment (DPIA) as a mandated assessment.

The DPIA is a process that aims to ensure that the privacy and data protection risks are adequately addressed. The method provides a structured way of thinking about risks and protection measures. In addition, it assists in aligning the appropriate safeguards with the ethical principles relevant in the specific fields of research.

The DPIA helps the researcher and the institution to comply with the requirement of data protection by design. Experts on data management, information technology specialists and legal advisors will be part of the DPIA team (multi-stakeholders approach).

More information on when DPIA is necessary and support available

Last modified:

02 July 2024 3.55 p.m.