Conducting research in accordance with the GDPR

Datum: 24/08/2017

Many will have noticed the increased focus on the processing of data for biomedical research purposes. The most notable change is the introduction of the GDPR, which will enter into force in all European countries in May of 2018. In the Netherlands, the Data Protection Authority will be using its Dutch name: Algemene Verordening Gegevensbescherming (AVG).

Its introduction will force all data processors in general hospitals and UMCs and other healthcare professionals and researchers to pay attention – as it should. Elizabeth Denham illustrates the complexity of the subject in a series of blog posts on myths surrounding the GDPR, such as the article posted on 19 August titled “Consent is not the ‘silver bullet’ for GDPR compliance.” Her message is that everyone must properly document all their decisions about the processing of personal data in order to demonstrate the legality of their actions.

To me, this immediately raises the question of how a medical researcher at a UMC can be sure that their processing of privacy-sensitive data is responsible.

A successful policy

Of course, it all begins with a clear policy drawn up by the organisation’s Security and Privacy Officers, which includes guidelines, procedures and systems for data management. This must eventually be implemented at the biomedical researchers’ central workspace – their laptop or PC – without creating a significant additional workload for them.

In this context, data management involves more than data storage and compliance with the GDPR. It must be a widely supported and consistent solution in a complex environment. It is clear that new digital services are needed to improve and measure productivity, support the sharing of sensitive data for research purposes and provide advanced instruments to a large number of researchers. That is the only way to implement a successful policy.

Supporting the entire research cycle with a digital platform

RSRCH has developed such a digital service in the form of the RSRCH Platform, a digital research platform. This solution for the Digital Research Environment (DRE), as developed as a concept by the Radboudumc, facilitates the scientific analysis of (clinical) data and safeguards accountability. Every researcher has their own private workspace with tools for data management and analysis and auditing features. It is essential that the platform supports a study’s entire research cycle: from the design to the uploading, analysing and archiving of data. Researchers can customise the functionalities to suit their data management plans, which are in line with their organisation’s guidelines. Additionally, a so-called Healthcare Landing Zone can be linked to a researcher’s workspace. It facilitates the secure transfer of data from hospital information systems, including the necessary anonymisation and pseudonymisation techniques.

Complying with GDPR guidelines

RSRCH believes that proper accountability is a concrete result of a research project. It means that both the data and the research process that was used are verifiable and reproducible.

RSRCH facilitates this by monitoring all activities and automatically logging data, so audit trails can be created per study or per group of researchers. This simplifies the proactive protection of privacy-sensitive data and allows a UMC to distinguish itself and conduct international research more effectively. The audit trails enable researchers to demonstrate their compliance with GDPR requirements. It also makes it much easier to prove that a supposed data leak did not originate with the researcher. This not only benefits the researcher, but also subsidy providers and your organisation. The RSRCH Platform is designed in such a way that the researchers themselves do not have to worry about recording the necessary information for audit reports.

With the introduction of the GDPR, every European citizen will be empowered when it comes to the processing of their data. At the same time, every biomedical researcher has the right to a digital research environment that allows them to work with privacy-sensitive data in a responsible manner. If that need is not met, it creates problems for the researcher, can result in high costs for their organisation and is not in keeping with the GDPR.

Are you ready for May 2018?