Measures template
Have all measures been properly identified? In that case, a privacy officer should present these measures in a clear document as proof to the DPO of your institution, so that they can issue a GDPR compliance statement for the research to be carried out.
Recording the measures to be taken is also an obligation under the seventh principle of Article 5 (GDPR Article 5.2 - Accountability). This principle states that it is the controller’s obligation to demonstrate the researcher’s compliance with the GDPR principles in the research project.
Below is an example of the measures to be taken for each of the principles.
Source (in Dutch only): Domingus, M. (2021). GDPR Article 5 Principles relating to the processing of personal data and corresponding appropriate technical and organisational measures in the context of scientific research (AVG Artikel 5 Beginselen inzake verwerking van persoonsgegevens en bijbehorende passende technische en organisatorische maatregelen in de context van wetenschappelijk onderzoek). Retrieved from http://hdl.handle.net/1765/134862.
Template
A document based on this can be downloaded here (in Dutch only). In this template, the principles are listed on the left, and for each principle, the measures to be taken are described on the right. By completing this template you can ensure that all the principles have been taken into consideration.
From ‘have to’ to ‘want to’
For each step in the research design process the following question should be asked: how are the Article 5 principles demonstrated in the research? For example, how does the researcher handle transparency, in what way does the researcher ensure data minimisation, and so on. For each research project, the researcher must think about how the principles are reflected in the research design. And the greater the sensitivity of the personal data involved in the research, the stronger the emphasis should be on safeguarding the principles.
The principles help the researcher remain in control of the personal data before, during, and after the research. And in the event of an unexpected data breach, the consequences for the researcher and data subjects are minimised if the principles have been demonstrably followed through the measures taken. If the researcher also sees these benefits, then their mindset will change from ‘I have to do all this extra work for the GDPR’ to ‘I want to do the extra work for the GDPR, because by doing so I am not only protecting the fundamental rights of the data subjects but also avoiding the risk of fines, delays, or even having to stop my research!’