February 6, 2017

New national and European rules on data protection and privacy

By: Petra Ploeg | Category: data management, research data


The national and European rules for dealing with personal data have changed. As of January 1, 2016 the Dutch Data Protection Act (WBP) was tightened, and the European General Data Protection Regulation entered into force in May 2016. This Regulation imposes additional rules and obligations and is fully effective as of May 24, 2018. From that date, there will be only one privacy law across the EU. Organizations have until May 2018 to adjust their procedures to the new rules. The basic principle of the Regulation is the fundamental right of every citizen of the European Union to the protection of personal data concerning them.

Major changes: report data leaks and transparency

Ahead of the Regulation, an additional section has been included in the Dutch Data Protection Act for the case in which personal data fall into the wrong hands: the obligation to report data leaks. The sanctions have also been extended. For a violation of the WBP, an institution may be fined a maximum of € 820,000. Under the Regulation, the maximum is higher (€ 20 million or 4% of total global turnover in the preceding financial year, whichever is higher).

Central to the General Data Protection Regulation is transparency about the roles and responsibilities of the persons or organizations involved in the protection of personal data. Under the Regulation it is not sufficient that everyone abides by the rules; you now have to be able to demonstrate that you comply with them.

Approach Tilburg University

Tilburg University has appointed a Data Protection Officer (DPO): Moswa Herregodts. Furthermore, a special working group is working on privacy-related issues, including data leaks. The group examines not only research data but also the university systems and applications in which personal data is stored.

Another topic the working group is concerned with is the university-wide implementation of disk encryption, first for laptops and thereafter at all workplaces. Awareness of the impact of one’s own behavior is also a priority of the working group.

New procedure for researchers of Tilburg University

Researchers who process personal data in their research will now have to fill out the “diagram processing personal data”. This diagram helps to identify the processing of personal data that will take place for the purpose of research. The diagram will be forwarded to the Data Protection Officer (for registration and evaluation) and the Legal Affairs Division (for evaluation). On the basis of the completed diagram, the Data Protection Officer and/or Legal Affairs can advise the researchers on compliance with the WBP and the Regulation. It is also possible to check whether further assessment of the security measures by the Computer Emergency Response Team (CERT) of the university is desirable. Editor's note, October 18, 2018: the procedure has changed in the meantime; more information is available in our blog post Privacy and scientific research.

University Regulation on Research Data Management

The new university regulation on Research Data Management pays ample attention to the new rules and explains what is expected of researchers.

Do’s and don’ts

Moswa Herregodts, our Data Protection Officer at Tilburg University, gave the magazine e-Data & Research these general best practices for dealing safely with your research data:

  • While collecting data, split identifiable information (‘the communication file’) from your research data and store these files in separate and secure locations.
  • Do not store sensitive research data in public cloud storage services like Dropbox, Google Drive, OneDrive and Box. Use SURFdrive instead.
  • Don’t press the green Download Now button blindly when you see a nice tool on the Internet. Make sure first that the application can be used safely.
  • Always lock your desktop / laptop.
  • For storage of data, preferably do NOT use portable digital storage devices such as a laptop, plug-in hard drive, USB stick, CD or DVD. The network drives of the university are more reliable and safer.
  • If you do keep sensitive research data on your laptop, make sure you use disk encryption (you can ask IT Support for help).
  • Use Secure FileSender (http://send.uvt.nl) to securely transmit large files.
  • Do not leave your desktop or laptop unattended; lock the door of your office when you leave.

This blog post is partly based (with permission) on the article ‘Wees je bewust: een datalek ligt zo op de loer: nieuwe landelijke en Europese regels omtrent persoonsgegevens’ by Marika de Bruijne (e-Data & Research, vol 11, no. 1). The Dutch version of this blog post was published on January 9, 2017.
