The winding road to GDPR compliance
The EU General Data Protection Regulation (GDPR) is a binding legislative act. It was adopted on April 27, 2016 and became applicable after a two-year transition period on May 25, 2018. FSD thoroughly prepared for the GDPR implementation. Contract texts were changed, policies were adapted to the regulation, and training was organised both internally and externally. The path to implementing the regulation has been eventful. It is impossible to cover all the details in one article without the risk of boring the reader. However, a few examples along the way may be interesting to hear.
New Practices and Accountability
A new Agreement on the conditions of personal data processing was drawn up in 2017 and a new GDPR compliant Data Deposit Agreement was published in April 2018. FSD’s Privacy Policy was completely rewritten in accordance with the GDPR, and all customers were informed about the policy.
As a concrete measure, FSD also made a policy decision to delete the data files originally submitted to FSD for archiving after the archival process is complete, as the original files sometimes contain personal information. As of May 2018, FSD has kept only the curated data files. These are processed for long-term preservation and their re-use and future understandability are granted.
However, merely renewing administrative documents and contracts was not enough. In order for GDPR compliance to become "business as usual", FSD organized fourteen internal trainings for its staff in 2017 and 2018. The fear felt at the beginning turned into insight and a sensation of learning something new. While many researchers were still irritated and uncertain about the application of the regulation, the FSD staff was already able to guide them calmly and in good spirits. Today, complying with the GDPR regulation is an obvious part of FSD’s daily work.
Accountability is a key principle of the GDPR. It means that the data controller must be able to demonstrate compliance with data protection legislation. To this end, FSD started releasing an annual Data Balance Sheet in 2017. These reports cover the processing and handling of personal data, as well as technical and organizational data protection measures. The reports include, among other things, a general description of the anonymization done on datasets and documentation of possible personal data breaches and the related process. These documents are openly available to anyone.
Guidance and Training
The Data Management Guidelines is one of FSD’s most popular services. The online handbook has been published in both Finnish and English. It offers concrete and up-to-date guidance for managing digital research data throughout the entire data lifecycle. The handbook is a great way to guide researchers to follow the new and evolving interpretation of legislation. The chapter “Anonymisation and Personal Data” was fully updated and the chapter “Informing Research Participants about the Processing of Their Personal Data” was rewritten in accordance with the regulation’s recitals and articles concerning the rights of the data subject.
Before the Covid-19 pandemic, online events were mostly the exception, and researchers were eager to hear about the new legislation and about the possibility to ask questions in person. During 2018-2019, FSD’s experts gave presentations on data protection at 23 events in Finland. Some were international conferences, while others were local and organized, for instance, to serve a single university.
The finishing touch for FSD’s GDPR work was provided by the Finnish National Board on Research Integrity. It invited FSD’S development manager to lead a working group tasked with updating the ethical principles and ethics review guidelines in the human sciences in Finland to comply with the GDPR.
Text: Arja Kuula-Luumi. Image: TheDigitalArtist (Opens in a new tab) under CC0 (Opens in a new tab) . (Modified from the original.)
