Framing research under the GDPR

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

We are less than a year away ( 25 May 2018 ) from full entry into the EU General Data Protection Regulation (GDPR), so authorities and legislators across the European Union are starting to give us greater guidance for this new era of data protection. 

For researchers, especially those in the private sector, key questions remain about how personal data collected for research purposes should be treated under the GDPR:

• Do research purposes offer a separate legal gateway for processing personal data?  
• Is commercial research treated the same as other scientific research? 
• How likely is there to be consistency across the EU?

GDPR sets up an EU-wide research regime

The GDPR research regime operates at both EU and national level, and applies to processing for archiving in the public interest, scientific, historical and statistical-research purposes. 

Across the EU, the Article 89 research provision expressly allows:  

• Broad consents for scientific research where consent cannot be secured for all specific purposes at the outset of data collection
• Further use of personal data for scientific or statistical research as a secondary compatible purpose
• The right of data subjects to object to the processing of personal data for research purposes (unless necessary in the public interest)
• Restriction of the right of a data subject to exercise their ‘right to erasure’ if it is likely to significantly impair processing for scientific research purposes
• Relaxation of the storage-limitation principle, granting the data controller the ability to store personal data for longer periods
• Isolated transfers of personal data to third countries, taking into account legitimate expectations of society for an increase in knowledge.

Additionally, researchers – processing for scientific research – do not have to fulfil all the information obligations, if this would involve a disproportionate effort in contacting research participants. When considering proportionality, look at factors such as the number of data subjects and the age of the data.  

Use of Article 89 is subject to certain conditions: 

• Appropriate safeguards to protect the rights and freedoms of the data subject
• Adequate technical and security measures, entrenching the principle of data minimisation and using, as a default, pseudonymised data – that is, personal data that has been processed so it cannot be attributed to a specific subject without the use of additional information, such as a unique identifier
• Compliance with recognised ethical safeguards.

We expect researchers will still need a legal gateway to collect personal data – such as consent or legitimate interests of the data controller – but contrary views have been posed and regulators will need to answer this.

National flexibility for research 

The research regime also allows EU member states to make additional specific provisions on:

• The ability to process sensitive categories of data – national legislation can confirm that scientific research is legal processing grounds for use of this type of personal data, and provision can be made to allow criminal-convictions data to be used in research
• Restrictions on five individual rights – the rights to: access data, rectify inaccurate data, restrict processing and object to processing, and the right of a child to be forgotten can be restricted for research purposes (if necessary for the processing). Each member state can choose which individual rights will be limited in their national law and can independently decide to limit all, none, or some of these rights.

What of the UK? 

The Department for Culture, Media and Sport launched a consultation earlier this year to gather views on how the UK government should exercise its flexibility in implementing the GDPR. A bill setting out the views of the government is yet to be tabled, but it is hoped that any legislation in this area will:

• Set out clear requirements that make specific provision on processing sensitive data and establish restrictions on the five named individual rights 
• Provide clarity that commercial research is within the research regime and a broad interpretation of scientific research purposes
• Explicitly include industry codes of conduct within GDPR-acceptable and recognised ethical safeguards.

We expect the research regime will be applied consistently across the EU, especially the general conditions and safeguards that are put in place for processing. Indeed a harmonised and consistent framework for research across the European Union will also be valuable for the UK to demonstrate adequacy after its formal withdrawal from the EU.

Policy-makers should bear in mind that commercial research already has a strong ethical framework that is responsive to key external changes and keeps pace with technological developments – while placing research participants’ rights at the core. The MRS Code of Conduct and self-regulatory scheme has been in existence for more than 60 years. It has evolved to ensure that the standards are fit for purpose in maintaining professional standards, enshrine the rights and wellbeing of research participants, and encourage best practices that go further than legal compliance. 

In this new environment, researchers must be able to build on this to continue carrying out innovative research for commercial and overall societal benefit. It will be interesting to see what final decisions are made on the new regime. 

Dr Michelle Goddard is director of policy and standards at MRS

NOTE: This article first appeared in July’s issue of IMPACT, so represents the position at that time.