The European Union General Data Protection Regulation

 

When does the EU GDPR apply to human subjects research activities?

Under GDPR, Personal Data refers to any information that can identify, or be used to identify individuals located in the EEA, otherwise known as a Data Subject. The law affords Data Subjects certain rights relating to the Processing of their Personal Data. Processing broadly refers to any use of Personal Data, and includes accessing, storing, combining and even deleting Personal Data. Further, Data Subjects have even greater rights under GDPR with respect to how more sensitive data, such as racial, ethnic, or health-related data, is processed.

Among other requirements, GDPR requires that Data Subjects, including research subjects, be informed about the Processing of their Personal Data. This obligation to inform can be met by providing the proper information in a notice of privacy made available to Data Subjects. Other uses of Personal Data in the research context, specifically the use of more sensitive data, the transfer of Personal Data to the United States, as well as the use of Personal Data to make decisions or predictions that could significantly affect a Data Subject (such as using Personal Data to enroll a Data Subject in a treatment arm of a study), require consent from the Data Subject.

What is Personal Data?

Personal Data is defined as “any information that relates to an identified or identifiable natural person.” Different pieces of information, which, when collected or used together can lead to the identification of a particular person, constitute Personal Data. The following types of Personal Data are some examples of Personal Data:

• A name and surname
• A home address
• An e-mail address of an individual
• An identification card number
• An Internet Protocol (IP) address
• A cookie ID
• Phone identifiers
• Demographic, behavioral or health-related information that could identify a person

Personal Data is more broadly defined than the types of data protected by any one U.S. federal or state privacy law, such as under the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA).

Coded data, referred to as Pseudonymized Data, is also subject to GDPR. Pseudonymized Data is Personal Data that can no longer be attributed to a specific Data Subject without the use of additional information such as a code key, provided that such additional information is kept separately and is subject to security measures to ensure that the Personal Data used in the research cannot be attributed to an identified or identifiable individual. Though Pseudonymized Data is still subject to GDPR, pseudonymization is an appropriate was to safeguard Personal Data. In fact, GDPR requires that Personal Data be pseudonymized if the purpose of the research can be accomplished by using Pseudonymized Data.

Data about individuals is not subject to GDPR only when it is anonymized.  Anonymization is a high standard under GDPR: all direct and indirect identifiers of an individual must be removed, and the researcher must implement safeguards that ensure that the data can never be re-identified. For data to be truly anonymized under GDPR, the anonymization must be irreversible.

When GDPR Applies: Notice and Consent Requirements

GDPR requires that where Personal Data of a Data Subject in the EEA is collected, used, or accessed for research purposes, the researcher must provide the Data Subject specific information in a notice of privacy and, and under certain circumstances, must also obtain the explicit consent of the Data Subject for certain processing activities.  (See Guidance on GDPR Notice and Consent.)