GDPR and the research process: What you need to know

On 25 May, 2018 the new General Data Protection Regulation (GDPR), EU regulation 2016/679, took effect and now governs the processing of personal data. The purpose of the GDPR is to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to encourage the lawful free flow of data across Europe. In the same vein, the GDPR also impacts scientific research activities. The GDPR lays down general principles as well as provisions relating to specific data processing situations, such as scientific, historical, statistical, and health research.

Types of data affected by the GDPR

Personal data: Data relating to a natural person (data subject) who can be identified by reference to an identifier such as a name, an identification number, location data, an online identifier.

Sensitive personal data: Information relating to an individual’s racial or ethnic origin; political opinions; religious beliefs; trade union membership; health data; sexual life; genetic data; biometric data and criminal offences.

Pseudonymized data (these are still personal data): Personal data that can no longer be attributed to a specific data subject without the use of additional information; this additional information must be kept separately.

Anonymized data  (these are not personal data anymore): Information that does not relate to an identified or identifiable individual or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

General principles that govern the GDPR

1. Lawfulness, fairness, transparency

There are, in total, six bases that ensure lawful processing of personal data, excluding sensitive data. The most likely applicable to research purposes are: public interest; the data subject’s consent;  and legitimate interests. In this context, consent must be freely given and it should be specific, informed, unambiguous and affirmative.

Sensitive personal data can be processed when one of the six non-special category personal data lawful bases applies, the essence of data protection rights is respected,  and suitable safeguards and protections are put in place. Many of these safeguards are already part of the research process, such as data minimization (only processing personal data that’s necessary), pseudonymization, anonymization, and data security.

The requirement of fairness and transparency begins with the data collection and is applicable throughout the data life-cycle. Fairness requires taking into account how the use of personal data affects the interests of the individuals (data subjects), while transparency refers to providing participants with the following information:

• the data controller's identity and contact details;
• the personal information held about the data subject;
• how personal information is collected from the data subject;
• the purpose of the processing;
• the lawful basis/bases being used to justify the processing;
• with whom personal data will be shared;
• the duration for which the personal data will be retained;
• whether personal data will be transferred outside the EEA;
• the possibility of lodging a complaint with a supervisory authority.

The information provided to participants should be concise and in clear and plain language.

2. Purpose limitation 

Personal data can only be collected and processed for specified purposes; it is not allowed to use the data for other purposes (i.e., ‘further processing’) incompatible with those original purposes.

3. Data minimization

This data protection principle is intended to prevent the collection of unnecessary personal data, but also applies to all aspects of processing. This means, ensuring that the data is suitable for your purposes, restricting access to personal data, and considering whether anonymised, aggregated or pseudonymised data is sufficient for your research purposes.

4. Accuracy

Every reasonable step should be taken to ensure that personal data is accurate (and inaccurate data is deleted or rectified) and where necessary kept up-to-date.

5. Storage limitation

The GDPR states that personal data should be kept identifiable only for as long as necessary to fulfill your research purposes. Participants must be informed about the retention period, or at least its basis and rationale (if not the precise detail).

6. Integrity and confidentiality

Throughout the data life cycle, you must take appropriate technical and organizational measures to protect personal data against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Security measures should ensure that (a) only authorized people can access, alter, disclose or destroy personal data; (b) those people only act within the scope of their authority; and (c) if personal data is accidentally lost or destroyed it can be recovered to prevent any damage or distress to the individuals concerned.

7. Accountability

You must be able to demonstrate compliance with the GDPR principles. Hence, it is essential that any policies or procedures you adopt in order to comply with data protection requirements are documented. Further, you are required to keep a record of your processing activities. More specifically, the record of processing activities should include:

• the categories of data subject from whom you collect the data;
• what types of data you collect; what other parties the data is shared with, and, if applicable, details of any
• transfers of personal data to a third country (i.e., outside the EU);
• the time limits for erasure;
• and a general description of security measures. 

Transferring personal data under the GDPR

The GDPR prohibits the transfer of personal data to countries outside of the EU, unless specific safeguards are implemented, or if the data subject has provided explicit consent after being informed of the risks related to the transfer.

You may also transfer data to countries the European Commission considers to ensure an adequate level of protection for data subjects. In addition, a transfer to a US company that has been certified under the EU-US Privacy Shield Framework will be regarded as legal under the GDPR. To date, this applies to the following countries: Andorra, Argentina, Canada (for commercial organisations), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand and Uruguay.

Using international cloud-based services, such as Dropbox, may involve a transfer of personal data outside the EEA. Even if the service in question has signed up to the EU-US Privacy Shield, it may not be appropriate to use such a service, since the terms and conditions tend to be one-sided, and are unlikely to be sufficient to meet all obligations under the GDPR.

GDPR and Open Science

GDPR has a dual objective, protecting the data subject and, at the same time, increasing the free and lawful flow of data. By adhering to the GDPR principles, the research community is able to ensure maximum protection of personal data while maximizing the potential of opening research to the world.