
Research Data & Privacy

The General Data Protection Regulation (GDPR) has been in effect since 25 May 2018. To read the full GDPR text, follow the link at Legislation. The GDPR has implications for all data handling, for both research and non-research purposes. There are new requirements for how personal data is collected, processed, retained, and destroyed.

NOTE: Read further below for a decision aid and flowchart that UT made for handling personal data in research.

About the GDPR: Principles

In general, the policy of the EU for Data Protection is based on the following principles:

The new regulation strengthens existing rights and gives individuals more control over their personal data. For institutions it implies stricter rules, more rights for citizens, and higher fines for violations of the regulation (privacy, unauthorized sharing of personal data, data loss, etc.).

What does this mean for you as a researcher?

For you as a researcher this means that you have to prepare informed consent forms which explain to participants what will happen with their data during and after the project/experiment.
This notably concerns:

This means that if you are collecting or accessing personal data, including re-using existing data, that either identifies or could be linked to a living individual, then this guidance and the GDPR apply. If you are processing truly anonymised data, then your research activity falls outside the scope of these guidelines. Note that this means the data should be completely anonymous on receipt (collection/accessing); if you have personal data but then make that personal data anonymous, that will still be a processing operation and the GDPR applies. If you are a researcher processing personal data, then you must comply with the requirements of the new data protection legislation, in addition to the common law duty of confidentiality and all relevant ethical requirements.

Please remember: the default mode is privacy, full anonymization, and 'as open as possible but as closed as necessary'. Always check the risks when it comes to privacy.

Research with secondary data

Research that uses data from existing databases, or re-analyses them, does not require informed consent from the original participants, as long as the data have been anonymized and the new use or purpose does not lead to or increase the risk of disclosure of any individual's identity. Re-use that also involves personal data is restricted to the original researchers or research group, and it must comply with the original research goal, as formulated in the informed consent documents.

Sharing personal data with external researchers or re-using them for a purpose other than the originally formulated purpose requires informed consent from the original participants.

Anonymization is especially important for data or documents pertaining to sensitive subject matter (e.g. data about physical/mental health or financial issues, illegal or socially controversial behavior, or data that provide a competitive advantage to an organization), as well as for data that were originally obtained from individuals who are vulnerable in some way.
Please note that anonymity is not fully protected unless you remove all details that make an individual or organization identifiable. Coding data (e.g. by working with pseudonyms) is NOT the same as anonymization. If you save the key to the coding, you should store it separately from the dataset and document all individuals who will have access to it. If there is no reason to preserve the key, we recommend disposing of it.


When conducting scientific research, personal data may be processed. This could be, for example, data of persons who complete surveys or participate in a study, but also data from social media or tracking data. This flowchart is intended to help researchers determine what they need to be aware of under the General Data Protection Regulation (GDPR).

Check more information on: