Geo data – support for researchers

Personal Data

Understanding the way to use personal data in compliance with the GDPR

Understanding what is (and what is not) the proper way to use personal data is important both for the people who use personal data (the controllers) and for the people to whom the personal data belongs (the data subjects).

A lack of proper understanding can also lead people to stop using personal data out of fear of not doing the right thing. A good understanding can instead empower people to explore new ways to process personal data – facilitating innovation, instead of stopping it. Conversely, when people understand what is (and what is not) allowed in the GDPR, they are also empowered to effectively intervene – by exercising their data protection rights.

At the Faculty of Geosciences, the responsibility for GDPR compliance falls to everyone working with personal data at the faculty – both students and employees. To facilitate this task, the Privacy Officer of Geosciences has developed the guidance below.

I. The need for privacy and data protection

The first step in understanding the GDPR is to understand why there is a need for a law like the GDPR, and how it works in practice – through the principles of necessity and proportionality. Follow this link to read further.

II. Which data is personal, according to the GDPR

Next, it is necessary to understand that the definition of ‘personal data’ under the GDPR is much broader than what most people commonly understand. Follow this link to find out how personal data is defined under the GDPR, and by extension, when personal data becomes anonymous.

III. GDPR compliance using the Privacy Scan

Once you have determined that your project is processing personal data, the next step is to start a Privacy Scan. The Privacy Scan is a document where controllers describe the privacy-relevant details of the activity, which in turn can be efficiently reviewed by the Privacy Officer to assess if the activity is indeed compliant with the GDPR. In other words, the Privacy Scan documents and demonstrates that an activity is indeed necessary and proportional.

Keep in mind that a data management plan and an approved Privacy Scan are required by the ERB for projects requesting ethics approval. Follow this link to learn more about the Privacy Scan.