There has been a lot of discussion and debate in various forums regarding how the European Union (EU) General Data Protection Regulation (GDPR), 2016/679/EU [
], which comes into force on the 25th May 2018, will affect research. Anecdotally, a lot of this discussion has been negative and angst ridden; focusing on what will not be allowed after GDPR comes into force.
European Union Regulations are directly enforceable within the EU member states, without the need for domestic legislation, and, regardless of what happens in the United Kingdom (UK) as a result of Brexit, the UK will be part of the European Union on that date and have to comply with the law at that time.
The GDPR has effective since 24th May 2016 [
], having a two year transitional period from the Data Protection Directive (Directive 95/46/EC) [
] that it is replacing. The Data Protection Directive was concerned with ‘the processing of personal data and on the free movement of such data’ (preamble Directive 95/46/EC) [
]. In the UK this was enacted through the Data Protection Act 1998 (DPA 1998) [
The DPA 1998 was based around eight data protection principles (Schedule 1 Data Protection Act 1998) and these principles remain in the GDPR. Indeed the reason for the new legislation is that it is almost 20 years since DPA 1998 became law, and the changes in the way society communicates and the amount of information available about individuals, the way that data can be collected, stored, and the use that information is put to means that the existing legislation is no longer fit for purpose.
Although the GDPR encompasses the original eight principles in the DPA 1998, it applies these objectives to the modern world.
The GDPR is quite a large piece of legislation having 99 Articles, although it can be said to have three main objectives. These objectives are: to provide rules for the protection of the personal data of natural persons and the processing of their personal data; to protect the fundamental rights and freedoms of natural persons, particularly with regard to their personal data; and, to ensure that personal data can move freely within the European Union (Article 1 GDPR).
In short the GDPR is concerned with working practices in the way that personal data is handled and used, including how it is shared. Most of the Articles within the GDPR concern corporations and organisations and the way in which they handle personal data. Much of this will have little effect on individual researchers. However, there are some provisions within the GDPR that will affect researchers directly.
Obviously it is not possible to go through all the Articles in this editorial; however there are common areas that appear to be of concern to many of the researchers I have spoken with. These areas being:
With regard to consent there is a requirement that it be demonstrated that the person has consented to the use of their data, that consent is obtained in a way that is understandable and accessible to the subject, and that there is an opportunity for the person to withdraw from the study at any time: ‘It shall be as easy to withdraw as to give consent’ (Article 7).
Some of the rights that individuals will have include ‘the right to be forgotten’. This means to be able to request, in certain conditions, the compete erasure of their data. It is this right which has caused considerable angst amongst the researchers I have spoken with as it has been taken to mean that data already coded or being reported on will have to be removed. However, this is not necessarily so if the data was lawfully obtained and is still necessary for the purpose for which it was obtained (Article 17): which underlies the need to ensure that consent is adequate for the purpose of the research.
There are specific rules with regard to transferring data outside of the European Union (EU) (Chapter V). These rules exist to ensure that an individual’s rights are not reduced by the laws in the country receiving the data. It does not mean that data cannot be shared outside the EU, only that certain procedures have to be out in place.
There is also a requirement (Article 20) that data is portable, meaning that the individual has a right to receive it in a way that can be read by them. This may mean that researchers have to reconsider how they store subject data.
With regard to children, the provisions (Article 8) relate to ensuring that they understand any information provided to them.
Chapter VIII deals with liability and penalties for breach of the GDPR. The penalties are very severe and any breach has to be reported in a very strict timeframe. However, it needs to be remembered that these are aimed primarily at organisations and not individuals.
Many of the provisions in the GDPR represent what is currently undertaken in research as best practice and encapsulated within research codes of practice, and so should not prove to be too onerous for researchers.
One of the reasons for the concern and angst that is being shown in relation to the GDPR is that there is little official guidance to rely upon. One of the reasons for this is a result of the Brexit negotiations which have delayed the production of the guidance. The Information Commissioner’s Office has a guide to the GDPR (see the link below) which although not currently complete is a living document to the Regulation and updated regularly, and has a very useful ‘what’s new’ section. It should probably be the first port of call for anyone wishing to check a specific aspect of the GDPR and how it may be interpreted in the UK.
25th May 2018 is not far away and it is incumbent upon all researchers to ensure that their research processes will be complaint with the GDPR on that date.
March Cornock is the sole author.
Conflict of interest
None was sought or secured for this editorial.
Provenance and peer review
This editorial was commissioned and not peer reviewed.