5.8 Data protection at Data Consumer

The Data Consumer must address and document the data-protection implementation. Before a Data consumer gets access to data, the Data Provider can require to be presented the implementation of the data protection measures stated in Table 16, as an important step in creating trust between the actors.

Table 16: Data protection documentation for data consumer

OverviewPresenting the scope for data usage, handling, and processing, including plans for disseminating the results.Defining the start and end date (if applicable) for data usage.Providing a description of the organisational structure (relevant to the usage of data).Providing an overview of personnel who will have access to data.
LegalAnalysing the responsibilities in the context of data protection and privacy issues, including GDPR and national legal compliance; what legal issues must be handled, and how will this be done? Describing relevant contracts/agreements and the impact on data usage, publication, and further data sharing/exchange.
Status, implementation and assessmentProviding status of the described implementation; is it planned or already implemented? Provide time plan with technical details where applicable.Providing a detailed description of the infrastructure used (for the purpose of analysis, but also intermediate resources used for e.g., downloading, storing, or processing data).Providing incident response plan for data security breaches with risk assessments.Providing relevant internal routines/guidelines, as well as training for personnel.Describing how data is protected from unauthorized (physical and logical) access. Describing the principles for how data access is granted and the data extraction process.