Merge pull request #128 from elixir-europe/g-data-protection

Add Data protection guidance + correct IT security guidance page markdown

Author: nicjar

_data/sidebars/guidance.yml

@@ -13,6 +13,8 @@ subitems:
     url: /g-support-networks
   - title: Creation of a legal framework
     url: /g-legal-framework
+  - title: Data protection compliance
+    url: /g-data-protection
   - title: IT security
     url: /g-security
 

pages/guidance/g-data-protection.md

@@ -0,0 +1,77 @@
+---
+title: Data protection compliance
+description: How to be compliant with data protection legislation
+contributors: [Hana Marčetić, Heleri Inno, Aída Moure Fernández, Mijke Jetten, Jana Martínková, Diana Pilvar, Niclas Jareborg]
+page_id: g-data-protection
+type: [Guidance]
+related_pages: [mm-data-gdpr]
+---
+
+## Context
+
+Building on the *Legal Framework for Research Data* guidance, this section expands on data protection compliance, specifically focusing on the General Data Protection Regulation (GDPR). Guidance regarding procedural and technical measures to protect data is provided on the *IT security* guidance page. Data protection is part of responsible research practices; the new legislative framework regulates specifically how personal data can be shared and handled with regard to the data subject’s privacy.
+
+GDPR defines two categories of data, namely ***personal data*** and *special category data*, often referred to as ***sensitive data***, where special catagory data is a subset of personal data. This law applies to data regarding all residents of the European Union (EU), regardless of whether or not their data is processed within or outside the EU, and legally binds all Member States, as well as those outside of the EU that process personal data of EU residents.
+
+In practice, compliance with the data protection legislation is overseen by a **Data Protection Officer (DPO)**. According to the European Data Protection Supervisor, “the primary role of the Data Protection Officer (DPO) is to ensure that the organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as *data subjects*) in compliance with the applicable data protection rules.” All organisations, regardless of size or type, that handle EU residents’ personal information should appoint a DPO responsible for monitoring GDPR compliance. Whether a person can take on the DPO’s tasks internally or a dedicated DPO must be hired depends on meeting one of these criteria: being a public authority, carrying out large-scale, regular monitoring of data subjects or processing large-scale special categories of personal data as a core activity.
+
+In most countries, there are no strict rules on when a DPO must be hired, but national legislation may provide specific guidance. Similarly, there are currently no EU-wide formal qualification requirements for the role, though expertise in data protection law and practices is expected.
+
+Please be aware that this chapter does not replace legal advice and seeking out qualified legal help is strongly advised where necessary.
+
+Relevant links: 
+
+* [European Data Protection Board guidelines, recommendations and best practices](https://www.edpb.europa.eu/our-work-tools/general-guidance/guidelines-recommendations-best-practices_en)   
+* [GDPR Designation of the data protection officer](https://gdpr-info.eu/art-37-gdpr/)  
+* [European Data Protection Supervisor’s DPO guidance](https://www.edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en) 
+
+## Guidance
+
+Data protection in research ensures that personal and sensitive data are processed in compliance with the GDPR and related legislation, safeguarding privacy, ethical integrity, and trust. Effective data protection compliance requires a structured, proactive approach that embeds legal requirements into the daily research data lifecycle. While data stewards are not legal experts, they are essential in recognising risks, advising on data protection procedures, and connecting researchers with the Data Protection Officer (DPO) or relevant institutional authorities. These guidelines focus on four drivers: **clarity of roles, accessible procedures, contextual guidance, and continuous improvement**.
+
+### **1\. Establish Foundational Roles and Resources** 
+
+These actions ensure that the organizational structure, roles, and necessary tools are clearly visible and accessible to researchers and staff. Data stewards facilitate compliance by connecting researchers with the appropriate institutional experts. They are the ones who know when to contact the legal or DPO teams, serving as translators between researchers and these experts.
+
+✔ **Define and Empower the Data Protection Officer (DPO)**
+
+* Map responsibilities for data protection across researchers, data stewards, DPOs, ethics committees, and legal advisors.  
+* Provide a one-page overview of responsibilities, highlighting what tasks belong to the DPO versus the data steward, Principal Investigator and IT staff. Clearly communicate the mandates of the different roles (consultation, monitoring, impact assessment).  
+* Offer regular, role-specific training to ensure these individuals understand their duties regarding data handling and security.  
+* Keep contact details for the DPO and related offices (Legal, TTO) visible in onboarding materials, presentations, intranet pages, and RDM pages.  
+* Provide the DPO with executive support to enforce compliance across departments (if that is in the mandate of the DS role).
+
+✔ **Centralize and Standardize Documentation**
+
+* Create and maintain a single, easily accessible information resource that collects and/or refers to all mandatory compliance templates and guidance (e.g., Data Protection Impact Assessment (DPIA) forms, Records of Processing Activities (ROPA) documentation, and consent templates).  
+* Ensure templates and documentation are actively reviewed and updated by the DPO and legal counsel.
+
+### **2\. Integrate Compliance into the Research Workflow**
+
+The focus here is to move from reactive compliance to proactive involvement by making compliance checks mandatory parts of research milestones.
+
+✔ **Mandate DPO Involvement at Project Initiation**
+
+* Establish a mandatory pre-screening procedure for all new projects or grant applications to identify whether personal or sensitive research data is involved.  
+* If personal/sensitive data is identified, the project must consult with the DPO or Legal Counsel before the final grant submission or ethics review.  
+* Build simple tools (e.g., a mandatory online project registration form) that automatically flag high-risk projects and initiate the DPIA process early in the planning stage.  
+* Ensure the ROPA entry for any project handling personal data is created and reviewed as part of the formal project approval process.
+
+### **3\. Ensure Ongoing Assurance and Continuous Improvement**
+
+These steps ensure that compliance is maintained throughout the project lifecycle and that the overall system is regularly audited and optimized.
+
+✔ **Implement Regular Auditing and Evaluation**
+
+* Support the DPO in performing ongoing evaluation of compliance procedures and systems, reporting findings to top leadership.  
+* Establish a schedule for conducting regular internal or external audits to assess compliance levels on a sample of ongoing RD projects.
+
+✔ **Formalize Data Subject Rights Exercise**
+
+* S.Support the DPO in creating a documented process for Data Subject Rights (e.g., access or erasure). This process should be clearly publicized and include specific steps for receiving, logging, and responding to requests.  
+* Ensure that Data Stewards are trained and prepared to help execute these rights in a timely and compliant manner.
+
+✔ **Use Audit Results to Drive Optimization**
+
+* Utilize findings from audits and Data Subject Rights requests to identify weaknesses in templates, policies, or training materials.  
+* Regularly communicate system improvements and policy updates, demonstrating that the institutional approach to data protection is evolving based on identified needs.

pages/guidance/g-security.md

@@ -17,46 +17,49 @@ Mature IT security emerges when policies are documented, staff are trained regul
 Data stewards play a pivotal role in bridging the gap between researchers and IT professionals—helping to embed data security concerns into research culture and daily practice. The mission of a data steward is to facilitate adoption of data security practices while still enabling  awareness, practical guidance, and embedding security into workflows.
 Furthermore, data stewards play a vital role in adapting institutional security policies to the realities of the research environment. This input is crucial, as Information Security Officers (ISOs) often come from business-oriented backgrounds that may not align with the unique workflows and openness required in a research institute.
 
-1. Promote awareness and visibility of IT security support and guidance
+**1\. Promote awareness and visibility of IT security support and guidance**
 
-✔ Promote presence at the institutional level
+**✔ Promote presence at the institutional level**
 
-Include references to IT security policies and procedures into institutional RDM and DMP guidelines.
-Include IT security guidance in onboarding and offboarding materials and general training portfolio.
-Share reminders about security practices via newsletters or internal communications.
+* Include references to IT security policies and procedures into institutional RDM and DMP guidelines.  
+* Include IT security guidance in onboarding and offboarding materials and general training portfolio.  
+* Share reminders about security practices via newsletters or internal communications.
 
-2. Foster a Security-Conscious Culture
+**2\. Foster a Security-Conscious Culture**
 
-✔ Make it normal and safe to report potential vulnerabilities or mistakes.
+**✔** Make it normal and safe to report potential vulnerabilities or mistakes.
 
-Encourage staff to ask about risks, reporting incidents, or implementing security measures. As a data steward, researchers are more open to share their IT security questions and doubts in face-to-face meetings, e.g. project planning kick-offs or DMP review.
-✔ Offer simple checklists or templates for common tasks.
+* Encourage staff to ask about risks, reporting incidents, or implementing security measures. As a data steward, researchers are more open to share their IT security questions and doubts in face-to-face meetings, e.g. project planning kick-offs or DMP review.
 
-✔ Track issues and responses
+**✔** Offer simple checklists or templates for common tasks.
 
-Analyse data management help desk questions/requests for potential security gaps or incidents to identify areas for improvement
-Use this information to refine guidance, training, or tools or notify IT security of problems.
-Communicate updates to procedures, templates, or IT tools that result from staff input.
+**✔ Track issues and responses**
 
-3. Integrate IT security into research workflows
+* Analyse data management help desk questions/requests for potential security gaps or incidents to identify areas for improvement  
+* Use this information to refine guidance, training, or tools or notify IT security of problems.  
+* Communicate updates to procedures, templates, or IT tools that result from staff input.
 
-✔ Position security guidance at key research milestones
+**3\. Integrate IT security into research workflows**
 
-Align security checks with research project registration, data collection, storage, sharing, or long-term preservation.
-Ensure access controls, and risk assessments are applied at the right time.
-Translate high-level policies into actionable steps for researchers (e.g., password management, MFA, secure file storage).
+**✔ Position security guidance at key research milestones**
 
-4.  Establish collaboration with your information security office
+* Align security checks with research project registration, data collection, storage, sharing, or long-term preservation.  
+* Ensure access controls, and risk assessments are applied at the right time.  
+* Translate high-level policies into actionable steps for researchers (e.g., password management, MFA, secure file storage).
 
-✔ Clarify roles and expectations in your relationship with information security office
-Share domain specific requirements and standards.
-Assess impact of new security measures on researchers and their activities.
-Contribute to policy development and awareness campaigns.
+**4\.  Establish collaboration with your information security office**
 
-✔Collaborate with IT security  when introducing new tools for research data management
+**✔** Clarify roles and expectations in your relationship with information security office
 
+* Share domain specific requirements and standards.  
+* Assess impact of new security measures on researchers and their activities.  
+* Contribute to policy development and awareness campaigns.
 
-✔ Establish a communication channel with information security office, ensuring regular exchanges
-When a data steward notices a possible security issue, they should raise alarms and forward the issue to IT security contact.
-To effectively identify areas for improvement, Data Stewards must collaborate with IT Security on a regular basis (e.g., every 3–6 months). These joint reviews of incident logs and recurring security questions ensure that the Steward is informed of real-world gaps and can adjust guidance accordingly.
-Ensure your collaboration framework is documented and inform management about it.
+
+**✔**Collaborate with IT security  when introducing new tools for research data management
+
+**✔** Establish a communication channel with information security office, ensuring regular exchanges
+
+* When a data steward notices a possible security issue, they should raise alarms and forward the issue to IT security contact.  
+* To effectively identify areas for improvement, Data Stewards must collaborate with IT Security on a regular basis (e.g., every 3–6 months). These joint reviews of incident logs and recurring security questions ensure that the Steward is informed of real-world gaps and can adjust guidance accordingly.  
+* Ensure your collaboration framework is documented and inform management about it.