By Chris Aftzidis & Pau Victoria Menshikoff, Junior Researchers


Initial project idea and first attempts

Our initial idea was to build a network depicting references in academic papers. We wanted to analyse whether there is a difference in how people of different genders reference each other. But as the direction of our research became clearer to us and we decided to set our focus on brilliance bias, we also realised that the network would not help us with trying to investigate that.

Researchers from the ETHOS Lab gave us the idea of looking into the course evaluation surveys here at ITU. That way, we can get insights into how students evaluate professors, and see whether we can link it to our investigation of brilliance bias. We want to see if professors are being judged more harshly depending on their gender, as well as analysing the language used when talking about professors.

After we decided to go down that road, we wrote to SAP for guidance on how to get access to the course evaluation data. Our email was forwarded to the quality manager of ITU and the permission was granted, with the recommendation to email course managers directly and get their data from them.


We were given the legal go-ahead on our project!! Final steps

The idea for the course evaluations was to get a comprehensive sample from full-time professors at ITU. We decided to take the list of professors and write emails to as many of them as we had time to. That way, there would be equal representation of professors from different departments in our data.

A week after we were given the initial permission to get the course evaluation data from the course managers –  and after we had sent around 70 emails – we sent a follow-up to SAP/Legal asking for some additional information we could give to professors who were wondering if sharing their data was GDPR compliant. We were then informed that even though they said we could do it a week prior, suddenly our project was breaking GDPR.


The legal department didn’t like our idea… what now?

After the disappointment of being told that we could not continue with our project, we tried using the resources available to us to find a different solution. At the third pitch and play session in the ETHOS Lab in February, we described our issues in more detail. We were given the idea of asking professors to give us the results of their mid-semester course evaluations, under the condition that they included a checkbox where students could opt in to their data being used for research purposes. This way, we would only get the data of the students that had actively consented, thus not breaking GDPR.

It was decided that we would draft an email to the legal department and send it to some researchers from ETHOS lab to look over and give us the go-ahead to send it. Unfortunately, we didn’t get an answer and missed the small window we had for realising our idea, which was how our project ended.


GDPR and research. Who is responsible?

As the name suggests, GDPR was created to protect the privacy of individuals and ensure that their personal data is processed lawfully, fairly, and transparently.

One of the main conflicts between research and the GDPR is the requirement for informed consent. Informed consent is a fundamental principle of research ethics, and it involves obtaining explicit permission from participants before collecting their personal data. Obtaining informed consent can be challenging in certain research contexts. Specifically, when dealing with data that was collected before the start of the research project, which was the case for us.

The most irritating aspect for us, however, was getting conflicting information from the same sources. That one week of writing on average 30 emails a day, just to end up right where we left off, was incredibly draining. And it could have been avoided if we had just directly been told to not proceed.

A side effect of GDPR that we have noticed throughout the course of this project is that seemingly nobody wants the responsibility of handling sensitive data. We felt as if the responsibility for complying with GDPR was completely put on us, without any additional guidance available.


Final thoughts

Almost a year ago, we applied to this program not knowing what to expect and it exceeded our expectations in all aspects. We grew, both as researchers and as people, and are taking many good memories with us.

While the project remains unfinished, we hope that it is something that we, or someone else, can pick up again in the future.