“I’m measuring CO2 in people’s houses, that’s not personal data right?”
“I want to use medical imaging data to improve the quality of those scans, am I allowed to do that?”
These and many more questions like this enter our inbox regularly. Alarm bells go off. Researchers realize: oh dear, now I have to deal with the GDPR [1]. I’ve seen this kind of response often, in both researchers and data support staff. As soon as personal data is on the table, more time is needed to plan a research project, more people need to be consulted, and more administrative work is usually involved. For researchers, taking privacy into account means that they need to spend valuable time and resources to make sure they are GDPR-compliant, and that they are limited in what they can and cannot do with the collected data. They experience the GDPR as a limitation, a monster to defeat before they can even start playing the game of research, let alone that of open science. Why, and what can we do about it?
If you ask any privacy professional, they would tell you that the GDPR is actually very lenient in some respects when it comes to scientific research [2]. Some examples:
So in reality, when one uses personal data for research, the GDPR is much more lenient than for, say, commercial companies. The GDPR is not so much a monster to defeat as it is a creature to tame and keep happy. Yet, researchers I have generally been in touch with do see privacy as a time- and resource-intensive monster, to be fought with each time they want to use personal data. Why?
In Dutch we say “zoveel mensen, zoveel wensen” (many people, many desires), and so there is most likely no one reason that all researchers who feel limited by the GDPR do so. But I can take a guess based on the survey and subsequent one-on-one conversations we held recently. The survey for example showed that:
The GDPR “monster” is relatively new, and so are the strategies we have to tame it. The fact that support may not always be findable or helpful may simply be because up until recently, there was none. Moreover, while ethical committees have been in place for years, privacy offices haven’t, and so many researchers find help from a privacy professional only when the ethics committee tells them to. This can lead to some nasty situations, where in some cases entire projects that were ready to start data collection got blocked, because their plans were not GDPR-compliant.
The way I see it, privacy professionals can take the approach of ethics committees as an example: give researchers a recipe and all the ingredients to keep the monster happy:
Some of these ingredients may already be there - or in development [4] - and some may be combined with other recipes such as that of ethics applications and data management plans. But only all of them combined lead to a happy monster, or rather, a small pet that simply needed feeding [5]. Who knows, maybe handling personal data may end up as routine business for researchers, much like feeding your cat every day.
[1] The General Data Protection Regulation.
[2] See also this resource outlining the GDPR and its position towards research.
[3] Data on mental or physical health, racial or ethnic origin, political opinions, religion, trade union membership, genetic or biometric data, sex life or sexual orientation.
[4] Some shameless self-promotion: we are currently working on an open source resource about privacy in research that includes information and tools that are as concrete as possible: the Data Privacy Handbook.
[5] +1 if you’re also thinking about a chocolate bar ad saying “You are not yourself when you’re hungry” 😉
Dorien Huijser