Some data are of a sensitive nature and need special management and attention. This might be research data that contain personal information or data with confidential business information. A third category is research data that need protection because of national or societal security issues. Some data might pose a risk to people, institutions, or the environment if exposed. Like non-sensitive data, these data should be managed according to the FAIR principles.

With the application of the General Data Protection Regulation (GDPR) on 25 May 2018, affecting all researchers in EU member states, strict rules have been imposed on projects that involve data with personal information. Personal data is defined as any information that can identify a person. This includes not only direct identifiers such as names and photos but also indirect information which in combination can lead to identification. The GDPR also defines special categories of personal data which are highly sensitive and which need extra protection, such as information about religious beliefs or health data. It is important to point out that personal information is not necessarily sensitive, but the GDPR applies regardless.

To mention but one principle of the regulation, the principle of accountability states that the data controller, the person who “determines the purposes and means of the processing of personal data” (article 4 no. 7), must demonstrate compliance with all aspects of the GDPR.

You can read more about GDPR here:

If you handle data of a sensitive nature in your research project, following best practice for data handling is particularly important. To manage the data properly, extra care must be taken in the planning phase. In addition to writing a thorough data management plan (DMP) that accounts for the security measures needed to reduce any risks, you might also be required to perform a formal risk analysis or have the project pre-evaluated by an ethics board.

Even if these measures are not strictly required for your project, it may be good ethical practice to start your project by doing a risk assessment. This task goes hand in hand with writing up a DMP, and may be a useful tool for ensuring the security of your data. A risk assessment describes potential risks and the measures that will be taken to reduce them.

According to the GDPR a Data Protection Impact Assessment (DPIA) is required if the data processed is of a highly personal nature, is extensive in volume, time, or geographic spread, or if new technology will be utilised.

The specific requirements will depend on your local legislation, institutional and funder policies, and your discipline. Familiarise yourself with the national and institutional policies that apply to your research to ensure that your practice meets the requirements for managing sensitive data. If in doubt, consult the guidelines and the Data Protection Officer at your institution.

For a discussion on how to share personal data by using a combination of obtaining informed consent, data anonymisation and regulating data access, please see section 7.4 – Archiving personal data.

For more information, we advise you to go through Chapter 5 in CESSDA’s Data Management Expert Guide. This chapter, entitled “Protect”, focuses on the following:

• Clarification of different legal requirements of the European Union Member States, and the impact of the General Data Protection Regulation (GDPR) on research data management.
• The supporting role of ethical review in managing your legal and ethical obligations.

The last part of the CESSDA chapter is on copyright, which you will learn more about in Section 8 of this course, “Rights, licenses and contracts”.


Recommended reading if you want to learn more:
CESSDA Training Team. (2017–2020). CESSDA Data Management Expert Guide. Bergen, Norway: CESSDA ERIC. Available at

Last modified: Tuesday, 20 December 2022, 8:48 AM