The way in which you collaborate with other parties in your study may have consequences for the measures you have to take under the GDPR. For instance, you may need to enter into contracts governing access to certain data. The privacy expert in your organisation can tell you the exact measures based on your situation.
Broadly, three scenarios can be distinguished in relation to collaboration:
1. Within the institution. You are conducting the research within the institution itself. Any data will only be available to employees of this institution. This scenario requires the least drastic measures.
2. Public - public. You are conducting the study in collaboration with another public institution, such as another university or university of applied sciences. In this scenario you have to make arrangements about who has access to which data and when, and you have to coordinate, among other things, the technologies to be used for the storage and analysis of the data.
3. Public - private. This scenario entails the most drastic measures. You are collaborating with a private institution, which may have other (commercial) interests in the data apart from the study. This kind of collaboration is also entirely possible under the GDPR, but it requires contractual arrangements about data handling in every research phase.
The specification of the measures you have to take in your study comprises three steps:
1. DPIA. Together with the privacy expert in your institution, you perform a DPIA (data protection impact assessment) to identify possible risks.
2. Arrangements. Subsequently (at least in scenarios 2 and 3), contractual agreements are required about access to (parts of) the data, the technology you will use, the location of the servers, etc. These agreements are made in collaboration with legal and IT experts in your organisation.
3. Registration and verification. To be fully ‘GDPR compliant’ in your work, you will have to draw up a process for the registration of all data and the verification of the contractual agreements. This is also done in collaboration with the necessary experts in your organisation. If you do not know who they are, ask the IT department, the institution's lawyer and/or the planning and control department.