Data Conversations - 'GDPR and your research data'

On Wednesday 25^th of April 2018 took place the first edition of Luxembourg’s ‘Data Conversations’ series, themed over the new EU General Data Protection Regulation (GDPR) which provides new and updated rules for the protection of personal data which will become applicable in a month on the 25^th of May 2018. Six speakers and more than 60 researchers and research support officers participated to the event. Attendees came from the various research institutions in Luxembourg, including members of the University of Luxembourg, the Luxembourg Institute of Health (LIH), the Max Planck Institute Luxembourg for International, European and Regulatory Procedural Law (MPI) and the Luxembourg Institute of Socio-Economic Research (LISER).

After a few opening words from the organiser (OpenAIRE and the University of Luxembourg Library), a general overview of the concept of personal data and the key legal changes with the GDPR was presented by Sandrine Munoz (Data Protection Officer, University of Luxembourg). Christian Hutter (Chief Information Security Officer, University of Luxembourg) followed by establishing a link between the GDPR and information security, insisting on the three pillars of information protection: confidentiality, integrity and availability. The ISO 27001 ideas and concepts can help in designing and implementing such privacy measures. Organisational and practical advice were given, for instance getting the habit to encrypt portable devices containing personal data.

Four researchers then presented their case studies of how the GDPR is going to affect their own research. Stéphanie Law (senior research fellow, MPI) outlined the type of research and data collected at the MPI Luxembourg for Procedural Law, including a project on 28 EU member states. She raised the importance of setting appropriate safeguards, including data minimisation and pseudonymisation, as well as the question of transferring data to third countries. Rafaëlle De La Tullaye (research support, Institute of Political Science, University of Luxembourg) presented the ERC-funded project ELWar (Electoral Legacies of War) which handles data from countries inside and outside the EU. In an analogy with the ‘Know Your Customer’ (‘KYC’) policies from the banking world, she emphasised on the importance to ‘Know Your Data’ (‘KYD’), which has positive consequences for a project. She encouraged the habit of sharing all the data in one specific server to favour better communication and highlighted the importance of defining data minimisation and privacy within the designing stage of a project. The manager of the UL High Performance Computing (HPC) platform, Sébastien Varrette, outlined how HPC and Big Data are becoming essential tools for science, society and industry, with varying needs per domains in terms of storage capacity, network performances, etc. Personal data that is/may be visible, accessible or handled from such a platform requires proper security and one priority the UL HPC is now facing is formalising the way security hardening is tackled, by covering specific protection operations in general or in special service-level agreements when dealing with sensitive projects. Lars Wieneke (Head of Digital Research Infrastructure, C²DH, University of Luxembourg) detailed the challenges of the GDPR for biographical data in contemporary history research. Sensitive data is regulated but is sometimes of main interest, for instance in a project on Jewish refugees coming to Luxembourg in the 1930s. Anonymisation and pseudonymisation can hinder disambiguating people in historical documents, and the enhanced rights for erasure or rectification could significantly hamper research activities on subjects such as World War II and the holocaust.

The presentations were followed by an hour of questions and discussion between the attendees and the speakers. This Data Conversations was all about raising awareness and start inducing talks among researchers about the GDPR and their own research data. If you have any further questions and or doubts, liaise with the Data Protection Officer of your institution and/or the Data Protection Coordinator of your research unit.

 
Slides (unless specified otherwise, slides are kindly provided by the speakers for reference only and all rights are reserved)

Sandrine Munoz, ‘General Introduction to GDPR and Research’
Christian Hutter, ‘GDPR, Information Security and Research’
Stéphanie Law, ‘Research at the MPI Luxembourg for Procedural Law’ 

Rafaëlle De la Tullaye, ‘Project ELWar’
Sébastien Varrette, ‘Large-scale research data management at UL HPC’
Lars Wieneke, ‘GDPR legislation and Biographical Data in Contemporary History’