Data Management Plan (DMP)
Home » The GDPR » Main Tools and Actions » Data Management Plan (DMP)

Tom Lindemann (EUREC)

This part of The Guidelines has been reviewed and validated by Marko Sijan, Senior Advisor Specialist, (HR DPA)


What is a data management plan?

A data management plan (DMP) is a key element of good data management and shows a proactive commitment to scientific integrity.

A DMP covers the entire management lifecycle of all data collected, generated or processed by a research project. Usually, a DMP provides information on:

  • the handling of research data during and after a project, including measures to ensure confidentiality, if applicable;
  • which data will be collected, generated and processed;
  • which methodology and standards will be applied;
  • whether data will be shared;
  • how data will be curated and preserved, including after the project;
  • ethics and intellectual property concerns.

In other words, a DMP focuses on the collection, organization, use, storage, contextualization, preservation and sharing of data. More precisely, a DMP outlines which resources are allocated to data management; it identifies and assigns responsibility to data controllers and processors; and it sets procedures for protecting, safeguarding and sharing data. Hence, a DMP assigns responsibilities, allocates resources, ensures adequate data protection and safeguarding, and specifies mechanisms for sharing research data.

With regard to opening up research and sharing research data, the FAIR principles[1] serve as particularly important guidelines. The FAIR principles apply to research data (i.e. the data upon which scientific reasoning processes are based/the evidence supporting claims) and describe how research projects can ensure that research data are as open as possible and as closed as necessary.

The latter provision is particularly important with regard to personal data. Data protection requirements supersede the FAIR principles and invalidate them if research data are personal data. In Europe, data protection requirements are derived from the GDPR, relevant national and international legislation, and institutional guidelines. Importantly, the GDPR contains research exemptions which facilitate using and storing data for research purposes. If personal data are anonymized they can be shared, since anonymous data are information which does not relate to an identified or identifiable natural person, and therefore GDPR does not concern the processing of such anonymous information, including for statistical or research purposes (See “Identification, pseudonymization and anonymization” subsection in the “Concepts” Section of the General Part of these Guidelines). Because the relationship between open science and data protection requires clarification in the current regulatory landscape, researchers should pay close attention to ongoing developments.[2]

Over the course of a project, the DMP should be reviewed periodically and updated whenever changes arise, for example due to new data or the addition of further data controllers or processors. Keeping information up to date ensures that the DMP continues to facilitate good scientific practice during the whole project.

Why should I write a DMP?

Although research projects are not legally obliged to adopt DMPs, they should do so for at least three reasons:

  • DMPs help researchers to comply with data protection legislation and to follow best practices in opening up research data. In this way, they provide guidance, reduce uncertainty and increase transparency.
  • Research funding organizations increasingly make funding conditional on the sharing of research data, in order to support reliable, transparent and cumulative research.
  • The guidelines of many research institutions encourage researchers to write DMPs.

Am I legally obliged to have a data management plan?

Although writing a DMP is not currently a legal requirement in the European research context, it has become a core element of good scientific practice. Many research funding organisations expect grant recipients to develop a DMP in order to promote sound data management. One reason is that data management is becoming increasingly complex, as ever more data can be processed and the number of multi-centre projects continues to rise. As a result, research projects involving data processing should have a DMP that governs data processing of the whole project. Therefore, as an example of best practice, there should be one DMP per project to which all partners can refer for guidance.

When should I write a data management plan?

DMPs should be written before or at the beginning of a research project, and be reviewed at regular intervals during the project. Adjustments should be made during these reviews, or whenever necessary due to significant changes, such as the use of new data, the use of data for different purposes or the addition of new data controllers or processors. As such, DMPs should be ‘living documents’ that constantly evolve over the course of a project. Data management, in other words, should be a priority during the entire project.

Who, if anyone, reviews or approves my data management plan?

A DMP does not typically need the approval of a Data Protection Officer (DPO) or an institutional authority. However, the precise obligations that research funding organizations or institutional guidelines impose may vary. As DMPs describe the data management practices of research projects in detail and allocate responsibilities, they often include information on who the relevant DPOs are, especially in projects that process personal data. In such cases, it often makes sense to involve DPOs in the drafting process. Moreover, DPOs are typically a good source of advice and can often help researchers to adhere to all pertinent legislations and standards of good practice.

Besides, research funding organizations may view DMPs as formal project deliverables that should be submitted, and which subsequently are reviewed by experts who may request changes. Approval mechanisms, consequently, vary depending on circumstances and contractual obligations.

What is the legal standing and coercive force of data management plans?

DMPs are not legally binding. Instead, they provide guidance, increase transparency and help researchers follow relevant legislation, like the GDPR. The coercive force rests primarily in the legal instruments (e.g. data protection law, cybersecurity regulations) and agreed-upon guiding principles (e.g. FAIR data management principles) that the DMP specifies for concrete research projects, but not in DMPs themselves.

Research funding organizations increasingly make the disbursement of funds conditional on proper research data management, which adds ‘teeth’ to DMPs as an instrument. However, this does not change their formal legal status.

Where can I get help with writing a data management plan?

As good data management has become a core element of good scientific practice, resources helping researchers to develop DMPs have proliferated. For example, DMPs for projects funded by the European Commission under the Horizon 2020 research and innovation programme should follow the template provided here and include information explained here. If you submit your proposal to another funder you should check whether they offer guidance or have formulated specific requirements. Other useful templates and guidelines are provided by, among others, the Digital Curation Centre, DMPTool of the University of California (focused on the USA), OpenAIRE, the Go-FAIR initiative, the Research Data Management Organizer and various universities. Before writing a DMP, it is worth checking if your university or research institute has developed a DMP template. Data Protection Officers – in case personal data are concerned – or Research Ethics Committees might also be able to help formulating your DMP.

Helpful YouTube videos are provided by, for example, OpenAIRE (here and here), the New York University Health Sciences Library (here) and UK Data Service (here). Regular webinars and trainings on research data management are offered by the Consortium of European Social Science Data Archives (CESSDA); see here.

However, it is important to emphasize that many of these resources contain little information on which research data should be considered personal data, and to which, therefore, the requirements of open science only apply with major qualifications. We recommend not following the templates and recommendations linked above blindly, but consider your own particular data protection requirements. Your DMP should always outline which data will and which data will not be shared, and explain why sharing the latter data is not possible. Importantly, anonymized personal data can be shared as they are no longer considered personal data. Personal data, on the other hand, cannot be shared unless a lawful basis permits otherwise. Existing policies, such as the “Privacy Policy” of an institution can be mentioned in the DMP to underline your institution’s commitment with the questions concerned.

Who should write a DMP?

Every researcher dealing with data might write a DMP to facilitate their own research, comply with principles of scientific integrity and make potential conflicts and issues with data management visible early on. In a research consortium one person should be responsible, but especially in inter- and transdisciplinary research projects everybody should be involved, to take into account different disciplinary perspectives and needs. 



1According to the FAIR principles research data should be findable, accessible, interoperable and reusable. They are described in an article by Wilkinson et al. that can be accessed here.

2This can, for instance, be done by checking the European Data Protection Supervisor’s or the European Data Protection Board’s website for hints or an opinion on “data protection and scientific research”.

Skip to content