Storing personal data

In research, storage of personal data is one of the most common processing activities. Assuming you have a legal basis to store personal data, you then need to:

  • Choose a storage medium that is GDPR-compliant and that provides a sufficient level of data protection;
  • Take into account procedural and legal aspects, e.g., how will you handle the data once they are stored, and for how long will you store the data?

These aspects of storing personal data are discussed in this chapter.

Chapter summary

Where should I store personal data?

Use a medium that has been approved by your institution. If you work at Utrecht University, and your preferred storage medium is not included in the Storage Finder, then please contact RDM Support or your local data manager to find an alternative solution.

How to store personal data?

  • Apply organisational and technical safeguards, e.g., restrict access, encrypt data, pseudonymise data, specify responsibilities, etc.
  • Store (personal) data preferably in a structured, commonly used, machine-readable and interoperable format: others should be able to open, understand and work with your data.

For how long should I store personal data?

  • Delete or fully anonymise personal data when they are no longer necessary, and preferably determine when you will do this in advance.
  • In research, you can archive personal data that are necessary for validation purposes for a longer period of time, e.g., 10 years or longer.