The seven principles of the GDPR, which were discussed in the previous chapter, outline the requirements when working with personal data. These principles guide how we apply appropriate security measures, so that potential data privacy risks are mitigated.
This section will discuss some of the most common security measures applied to (personal) research data. This is not an exhaustive list; always discuss whether you have applied the appropriate security measures to your research data with your faculty Privacy Champion.
Restricting access to personal data ensures that only authorised individuals can view or process the data. This includes setting up role-based permissions, using secure login procedures (e.g., multi-factor authentication), and maintaining logs of who accessed the data and when. Regular reviews of access rights should be performed to prevent unauthorised use.
Personal data must be stored in secure environments, such as institutionally approved servers or encrypted cloud services. The options available at the VU will be discussed in the following chapter. You should always avoid using unapproved data storage platforms (e.g., Dropbox or Google Drive).
Data transfers, especially over the internet, should always be done using secure methods. The VU supports the use of Surf Filesender and Zivver for secure data transfer, but only when absolutely necessary.
Encrypting files containing personal data adds an extra layer of protection for data that requires additional security measures. This ensures that even if the files are accessed or intercepted by unauthorised parties, the contents remain unreadable without the correct decryption key. Both full-disk encryption and file-level encryption tools (such as Cryptomator) can be used.
Only approved third-party tools and services should be used when processing or storing personal data. These tools must comply with relevant data protection laws and institutional policies. It is important to review their privacy policies and data processing agreements, and to ensure that data is not transferred outside approved jurisdictions without appropriate safeguards (such as Standard Contractual Clauses or adequacy decisions).