What to do when being responsible for data protection in your lab, yet advice is ignored?
There is a trove of documents from Microsoft with advice on GDPR compliance, such as "Windows and the GDPR: Information for IT Administrators and Decision Makers", which has a pretty thorough explanation of what data moves where.
According to the document itself, it takes 17 minutes to read. I think you'll feel better after you've done so.
There's a lot of paranoia about Microsoft, some of it possibly justified, but the hard fact is that MS cannot afford to ignore the GDPR or, in the U.S., HIPAA.
I did read the answer in Information Security SE, and did not find it helpful; the quotation from MS has to do with disclosure of data as required by law or legal process.
Edit: I think I should add a little more background. I am in a PhD position, actually hired for doing research. Yet due to my background in computer science, I am 'officially' responsible for everything in our lab related to electronic data processing.
First, I think there is a serious management issue in your lab: leaving the responsibility of data protection to a PhD student is completely unprofessional. As a PhD student you could certainly have a technical advisory role, but it must be a permanent member of the institution who has the official responsibility. If a problem arises, whoever put you in charge of this will certainly have to explain why they thought it was appropriate. The good news for you is that it's very unlikely you would be considered legally responsible anyway (usual disclaimer: IANAL).
Second, skills in computer science [edited] might be useful but are certainly not sufficient when it comes to the legal and ethical concerns of data protection, especially with sensitive data on human subjects. Even with the best intentions, you simply don't have the legal background. Whose job is it then? There are several options, probably not in your lab but at the level of your university/institution:
- The IT department: those are the ones you ask about software vulnerabilities and recommendations regarding data protection.
- The ethics committee: you can ask them for guidelines about the appropriate level of protection required for specific human subjects data. Btw, normally whoever in your lab works with this kind of data should get ethics approval before they start their project.
- The data protection office, or if not present the legal office: they can inform you and your colleagues about their legal duties regarding the human subjects data.
These departments in your institution have the professional skills and legal responsibility. You protect yourself by asking their advice and following it: if they say that Windows 10 is fine, you are off the hook. If they say it's not safe, your only job is to convey their recommendation to your colleagues, mentioning where it comes from.
Your university should have some sort of data privacy compliance office. You absolutely need to talk to them. Well-meaning advice from strangers on the internet is great for giving you an idea of what the issues are, but there is potential legal liability for the university here, and you must talk to the people whose job it is to manage these issues.