How should I store personal data?

On this page: access control, accountability, interoperability, interoperable, separate, anonymise, pseudonymise, de-identify
Date of last review: 2022-06-02

Once you have chosen a suitable storage medium, you should act in accordance with the nature of your data as well, for example through:

  • Controlling access: make sure that only the necessary people have the right kind of access (e.g. read/write) to the personal data, and remove their access when they do not longer need it (e.g. when someone leaves the research project).
  • Specifying responsibilities, e.g. who is responsible for guarding access to the data on both the short and the long term? Make people aware of the confidential nature of the data. Tell them what to do in case of a data breach.
  • Procedural arrangements, e.g. capture access conditions in agreements like the consortium agreement, data processing agreement or non-disclosure agreement.
  • Storing different types of personal data in different places, e.g., research data should be stored separately from data subjects’ contact details.
  • Applying other safeguards where appropriate, e.g., encryption, pseudonymisation or anonymisation, etc.).

See Designing a GDPR-compliant research project for more tips.

Personal data should be stored in a “structured, commonly used, machine-readable and interoperable format” (rec. 68). In practice, this means that you should consider whether your files are structured and named in a logical way, use sustainable file formats, and provide understandable metadata so that others can interpret the data. You can read more about this in the RDM guide “Storing and preserving data”.