General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European law that took effect on May 25, 2018 in the establishment of protections for privacy and security of “personal data” about individuals in European Economic Area (“EEA”)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA.
The EEA includes the following countries:
Austria Belgium Bulgaria Croatia Republic of Cyprus
Czech Republic Denmark Estonia Finland France
Germany Greece Hungary Iceland Ireland
Italy Latvia Lichtenstein Luxembourg Malta
Netherland Norway Poland Portugal Romania
Slovakia Slovenia Spain Sweden United Kingdom
What is considered “personal data”?
“Personal data” refers to any information related to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.”
Examples of “personal data” include personal names, email addresses, government-issued identification, or other unique identifiers such as IP addresses or cookie numbers, and personal characteristics including photographs, audio and/or video recordings.
- Special categories of personal data
The GDPR highlights some “special categories” of personal data meriting a higher level of protection due to their sensitive nature and risk for greater privacy harm.
This includes information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.
- GDPR and Coded Data
Please note that the GDPR considers “pseudonymized data” (e.g., coded data) to be “personal data” even where one lacks access to the key-code/crosswalk required to link data to an individual data subject. Because this is not consistent with U.S. regulations protecting human subjects, it is important for researchers to be aware of this distinction.
- GDPR and Anonymized Data
The GDPR does not apply to data that have been anonymized. Under the GDPR, in order for data to be anonymized, there cannot be a key-code in existence to re-identify the data. For example, if Syracuse University will serve as the sponsor of a research study with a site located in the EEA and will only receive coded data from the EEA site, such data from the EEA site remains “personal data.” This holds true even when Syracuse University researchers have no access to the key-code/crosswalk required to link data to an individual data subject.
Activities that are subject to GDPR
Activities that involve identifiable information if personal data is being collected from one or more research participants physically located in the EEA at the time of data collection. Of note, the participant does not need to be an EEA resident.
Activities involving the transfer of personal data collected under the GDPR from an EEA country to a non-EEA country (like the U.S.).
It is important to note that activities involving collection of identifiable personal data from individuals who are physically located within the U.S. at the time of data collection — even if the participant is an EEA citizen — are not subject to the GDPR.
Steps to ensure my study complies with the GDPR
- Collect only the absolute minimum personal/demographic data needed to complete the study. If your study can be completed using only de-identified data, then the IRB Office strongly advises you to take this approach.
- Most online survey sites collect personal information, including IP addresses, by default. Ensure that you set up your study to receive only the information you are seeking. To the extent possible, verify that any third-party website or app being used for data collection is GDPR-compliant.
- Use an active (“opt-in”) informed consent. Under the GDPR, consent must be freely given, specific, informed, unambiguous, and explicit. A description of the data processing and transfer activities to be performed, when applicable, must be included in the informed consent document. Following an informed consent description, a “Click next to proceed to the survey” button or equivalent is sufficient for “active” consent for online data collection.
- Any activities that collect identifiable data must have an executable plan to remove data in the event a participant requests to have his/her data removed.
- Your consent form must be compliant with the GDPR requirements listed in the section below.
How does the GDPR affect consent documentation and the consent process?
Many consent requirements under the GDPR are consistent with those that you are already implementing as part of the standard consent processes and documentation. This is the list of the additional GDPR requirements:
- Consent records must include both the time and the date of consent, for each subject. In the case of /oral, online/electronic, or any other type of undocumented consent, the Principal Investigator/Faculty Mentor is responsible for maintaining a consent log that indicates each subject (either by name or study ID number) along with the date and time consent was provided.
- Consent must be explicit and the request for consent must be clearly distinguishable.
- Each subject must have a right to withdraw consent at any time. Each subject must be informed of this right prior to giving consent. Withdrawal of consent must be as easy as giving consent.
- Consent must be an affirmative action. This means that opt-out/passive consent procedures are not permitted.
- Consent information must be provided in clear and plain language in an intelligible and easily accessible format.
- Consent must be freely given. Individuals in a position of authority cannot obtain consent, nor can consent be coerced. This means that faculty members or teachers cannot obtain consent from their own students.
- Consent forms must contain the following information:
- Identity of the Principal Investigator;
- Purpose of data collection;
- Types of data collected, including listing of special categories: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade union membership; Processing of genetic data; Biometric data for the purposes of unique identification; Health data; and/or Sex life or sexual orientation information;
- The right to withdraw from the research as well as the mechanism for withdrawal;
- Who will have access to the data;
- Information regarding automated processing of data for decision-making about the individual, including profiling;
- Information regarding data security, this includes storage and transfer of data;
- How long data will be stored (this can be indefinite);
- Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study.
In the event of a data breach, please notify the Office of Research Integrity, and Protections immediately so that appropriate steps can be taken by Syracuse University.
Source: Brown University