General Data Protection Regulation (GDPR) - teach and supervise
3.4 Safeguards in processing
When it is concluded that there is a legal basis for processing the specific personal data, all processing - in all respects - must be in accordance with applicable rules and instructions. It is the initiator of the processing who must ensure that this happens. The General Data Protection Regulation places very high demands on the person who processes personal data to document how it is carried out. This means that before a personal data project is started, it must be ensured that there are adequate safeguards, that the security is sufficient, and that all those who process the personal data do this in a correct and legal manner. All of this must be done, and it is therefore important to have accurate documentation.
The protection and security measures that should be taken depend on the types of personal data being processed, how sensitive they are, whether there is a large amount of data, etc.
Examples of protection and safety measures:
- Pseudonymization
If the data being processed are not directly linked to a person, but there is a separate key that links the person to the data, the data are pseudonymized. The information is still formally regarded as personal data, but the handling is done with greater security.
- Encryption and encoding
Encrypting or encoding information is a way of minimizing the damage from data leakage and is recommended as a technical protection.
- Anonymization
If the data can no longer, either directly or indirectly, be linked to a person, they are anonymous and formally no longer considered personal data (the General Data Protection Regulation does not apply to these). If the work can be carried out using anonymous data, this should be done.
- Access control
Setting up and documenting rules for who should have access to the collected information is an administrative safeguard that should be put in place. This also includes the rules for who is allowed to do what with the information (i.e. who can read, search and make changes, and in which parts of the material).
- Certification of personnel working with personal data
Information and knowledge are important safety measures which are often neglected. It is important to make sure that those who work with personal data are aware of and comply with the rules for the work.
- Physically separated services, backup, etc.
Technically protecting information from loss in various types of accidents is not a requirement specifically stated in the General Data Protection Regulation; however, this may be important to, for example, the individual researcher. An absolute minimum is to ensure that the information is stored in a manner covered by a backup.
- Erasure
Personal data no longer required for processing should be erased. Be sure to follow decisions on what to keep and what to erase. If in doubt, ask an archivist for advice.
- Files with financial data are sent to the bank encrypted according to the international standard ISO 20022 / XML, the so-called SEPA payment.
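The distinction between pseudonymized and anonymized data above is easiest to see in code. The following Python script is an added example, not part of the original guidance: it replaces the direct identifiers in a set of constructed sample records with a keyed pseudonym, keeps the linking key table separately (so the data remain personal data, since re-identification is possible), and then shows anonymization as removing both the key table and the pseudonym itself. The field names, sample records and the choice of HMAC-SHA256 are assumptions made for the illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (hypothetical; not taken from the original page).
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "score": 71},
    {"name": "Bo Example", "email": "bo@example.org", "score": 64},
    {"name": "Anna Example", "email": "anna@example.org", "score": 78},
]

# Fields that directly identify a person in this (assumed) data layout.
DIRECT_IDENTIFIERS = ("name", "email")


def make_key() -> bytes:
    """Generate the separate linking key; it must be stored apart from the data."""
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, email: str) -> str:
    """Keyed hash of the identifier: the same person gets the same pseudonym under
    one key, but without the key nobody can recompute it from a guessed address."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Strip direct identifiers, returning (pseudonymized records, key table).

    The key table maps pseudonym -> identifiers and is the 'separate key' the
    guidance refers to; as long as it exists, the records are still personal data."""
    key_table = {}
    pseudo_records = []
    for record in records:
        pid = pseudonym_for(key, record["email"])
        key_table[pid] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        pseudo_records.append(
            {"pid": pid, **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return pseudo_records, key_table


def reidentify(pseudo_records, key_table):
    """Join the pseudonymized records back to the identifiers via the key table."""
    return [
        {**key_table[r["pid"]], **{k: v for k, v in r.items() if k != "pid"}}
        for r in pseudo_records
    ]


def anonymize(pseudo_records):
    """Drop the pseudonym as well. Destroying the key table alone is not enough:
    a persistent per-person token still allows records to be linked together,
    which is an indirect link to a person."""
    return [{k: v for k, v in r.items() if k != "pid"} for r in pseudo_records]


def contains_direct_identifiers(records) -> bool:
    """Quick check used before releasing a data set outside the project."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = make_key()
    pseudo, table = pseudonymize(SAMPLE_RECORDS, key)
    print("pseudonymized:", pseudo)
    print("re-identified:", reidentify(pseudo, table))
    print("anonymized:", anonymize(pseudo))
```

In practice the key table and the HMAC key would live in a separate, access-controlled store from the pseudonymized data set, so that the access-control rules above can grant most users the data without the means to re-identify anyone.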