The new privacy law which takes effect on 25 May 2018, is called the General Data Protection Regulation or GDPR. This regulation applies to all persons in organisations that process personal data of European citizens, therefore including staff from the university or university of applied sciences. This page provides a brief introduction to the GDPR and sets out what is specifically relevant for researchers.
If you do not use any personal data in your research, the GDPR does not apply. However, if you do, the GDPR is important to you.
Feel like totally immersing yourself in the GDPR? Please follow this link to the full wording of the regulation. No time to read all 88 pages? The six key issues from the GDPR that every researcher should know are:
![]() |
Focus on the privacy rights of the persons involved, not on your research results. |
![]() |
The GDPR is based on principles and only states that you have to organise matters regarding privacy. |
![]() |
What exactly you should do depends of the research context. As soon as you know this, the measures are clear. |
![]() |
Before you start your study and in the event of significant changes, perform a DPIA. |
![]() |
Privacy by Design: When you set up your study, build in measures to promote privacy. |
![]() |
Privacy by Default: Ensure that the default settings of all of your systems promote the privacy of the research subjects. |
The Dutch Data Protection Authority (DPA) supervises compliance with the legal rules for the protection of personal data. This supervision covers various activities including research.
Another important task of the DPA is giving advice on new regulations. In this latter role, the DPA has described ten steps you can take to properly prepare for the GDPR. The video below clearly explains these steps. If you prefer to read the steps, you can download them as a text document underneath the video. We do recommend that you review these steps carefully.
Video produced by Karel Roos, ICT- and ICT&O advisor/coordinator, Leiden University
Preparation for the GDPR in ten steps
This module discusses in more detail what you, as a researcher, have to (and can) do with the GDPR. If you already want to study the GDPR in more detail, we recommend you start with the site hulpbijprivacy.nl. This website from the Dutch Data Protection Authority offers clear general information about the GDPR.
Via this SURF website you can find a Wiki explaining the regulation and its interpretation, plus a comparison with the Dutch Data Protection Act.