When you process personal data, the GDPR ethically and legally obligates you to sufficiently protect personal data.

The basic level of security must always be in accordance with the information security policy of Ghent University. However, additional measures may be necessary specific to each processing. The choice of additional security is based on the processing's risk assessement. Processing involving more risks will have to be accompanied by a more extensive set of safety measures.

In the area of data protection, anonymisation, pseudonymisation and encryption are put forward by the GDPR. They are sometimes even required as guarantees.

Anonymisation

When you collect personal data and then anonymise them, this processing constitutes anonymisation under the GDPR. Anonymisation means that you can no longer identify nor reidentify the data subject (the individual to whom the data relates). Please note that this applies even to (re)identification that may occur when one dataset is linked with another dataset (whether the data is in your possession or not).

Pseudonymisation

If anonymisation isn't possible (or desirable), it's advised to separate the personal data as quickly as possible from the research data (pseudonymisation). The key file that contains the link between the research data and the personal data must be kept in a separate and safe place, and should preferably be encrypted. For daily use, the pseudonymised data set is preferably used instead of the non-pseudonymised data set. Access to the raw personal data should be highly restricted. For an overview of different pseudonimisation options, be sure to check out this research tip. 

Encryption

The GDPR also strongly recommends using encryption to store or transfer data. You can choose to encrypt one or more files or to encrypt the entire system disk of your laptop or computer. For an overview of the different encryption options, be sure to check out the encryption manual for researchers.

Other measures

In addition to anonymisation, pseudonymisation and encryption, there are a host of other organisational and technical security measures to mitigate the risks for the data subjects involved.

Technical measures: 

You should use modern techniques to secure personal data. 

Organisational measures: 

Besides technical measures, you should also look at how you and your fellow researchers handle personal data. 

Examples of organisational and technical measures: 

• storage of data files or documents on the University network drives or centrally offered storage options;
• using secure VPN for wireless devices;
• multi-factor authentication (MFA) to protect accounts;
• clean desk policy (make sure computers automatically lock after a certain period of inactivity);
• office key policy;
• using Windows screen saver L key to block screens;
• using secure systems for transferring data (e.g. Belnet FileSender);
• using secure procedures for destroying data;
• (periodic) compliance training on data protection and information security for fellow researchers and partners;
• using hashing;
• using randomisation;
• offering research participants the option to quit the research any time;
• preventing personal data from leaving the EEA;
• not using research results to take decisions which directly affect the individuals;
• keeping retention periods short;
• reducing the risk of stigmatisation by working with a large population; ‘noise’ will be added to reduce stigmatisation;
• applying data minimisation before, during and after the research; constantly re-evaluating the necessity of the personal data for the research purposes;
• taking extra safeguards concerning the mailbox: reflection period of a few seconds to cancel sending an e-mail, extra confirmation when mailing to multiple persons, …;
• using a current, secure and regularly controlled back-up procedure.
• systematic (anti malware) software updates.

For more information and tips on how to handle your data safely, see the page about datasecurity.