Making GDPR easier for research collaborations

David Groep introduces the guidelines published by the AARC project

We want researchers to be able to use resources from multiple e- and research-infrastructures. If the infrastructures have policies in common, their services can trust each other so they can more easily exchange data. This makes it easier for their users to accept the policies no more than once.

However, policies are presented when a researcher joins a community and they must match the requirements of e-infrastructures (such as EGI) and comply with the new GDPR. For example, if you are a Community Manager and you organise users into groups to determine who gets access to what service –  our suite of guidelines can come in very handy. Many of them are co-developed by AARC and EGI.

For those of you worrying about GDPR compliance: remember it is all about striking the right balance between your legitimate need to manage your community and its resources, versus the impact on researchers.

That is what our new guidance helps you do: with federated identity management (FIM),  the data about your members is minimal by design. We have brought together the best of the guidance from each of the privacy regulators across Europe, with a focus on our research communities. So when you set up a research community, broaden your use cases, or extend your services, you should see what the impact on privacy will be. Is it truly “risky”? If your research itself is about people, you will likely need to do a risk assessment. If you are just using your users’ personal data to access services in the infrastructure, the AARC guidelines will make it a lot easier.

We have two documents in this area. The Data Protection Impact Assessment Guide for Communities gives you a set of handles to determine whether or not you fit in the most common scenario. And if you need specific implementation guidance: why not look at the guidance we gave the Life Science community, which is scoped to community needs. If you are in doubt, contact the AARC team and we can work jointly to analyse your needs.

The EGI structure for organising policies has been the basis of the AARC policy starter kit, which is a ‘handbook’ and set of templates you can use to ensure your community’s or infrastructure’s policy meets global expectations. We will continue to expand it to ensure all policy aspects needed for communities and infrastructures become part of that kit. But we need people to work with us so that our policies reflect their needs.

So please feel free to join the EGI security policy group, the WISE community, IGTF or REFEDS to work with us. There’s a limited number of policy experts in the world and we need your engagement to make this activity a success!

David Groep is the Team Leader of AARC’s Policy Team and member of the EGI Security Coordination Group.

More information:

AARC Project Policies

Contact the AARC policy team via aarc-contacts@lists.geant.org