What is the GDPR?
The General Data Protection Regulation is a European Union (EU) regulation designed to protect the privacy rights of individuals located in the European Economic Area (EEA), which includes the European Union, Iceland, Norway, and Liechtenstein. An individual need not be a citizen of a country in the EEA to be protected by the GDPR.
GDPR replaces prior EU privacy regulations and goes even further than benchmark United States privacy laws governing health care and educational records, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA).
When does the GDPR apply to human subjects research?
JMU researchers must comply with GDPR requirements when Personal Data of research subjects located in the EEA is collected or used by the JMU research team. Therefore, when GDPR applies, research subjects must be informed about the use of their Personal Data, and, where required by the GDPR, consent to the use of their Personal Data.
What is Personal Data?
"Personal Data" is defined as "any information that relates to an identified or identifiable natural person." Different pieces of information that, when collected or used together, can lead to the identification of a particular person also constitute Personal Data. Examples of Personal Data include:
- A name and surname;
- A home address;
- An e-mail address of an individual;
- An identification card number;
- An Internet Protocol (IP) address;
- A browser or Internet cookie ID;
- Phone identifiers; or
- Demographic, behavioral or health-related information that could identify a person.
Personal Data is more broadly defined under GDPR than the types of data protected by any one U.S. federal or state privacy law, such as under the Health Insurance Portability and Accountability Act (HIPAA) or the Family Educational Rights and Privacy Act (FERPA).
"Pseudonymized Data," or coded data, is Personal Data that can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to security measures to ensure that the Personal Data used in the research cannot be attributed to an identified or identifiable individual.
GDPR considers Pseudonymized Data to be Personal Data even where the person holding the data lacks access to the key-code required to link the data to an individual Data Subject. This differs from U.S. privacy laws. For example, HIPAA provides a list of 18 identifiers that, when removed, render the data "de-identified." Under GDPR, however, a data set that has had all 18 HIPAA identifiers removed may still be subject to GDPR if it relates to individuals in the EEA.
Though Pseudonymized Data is still subject to GDPR, pseudonymization is one way JMU can safeguard Personal Data. In fact, GDPR requires that organizations consider pseudonymization as a security measure where appropriate.
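The separately held key-code described above, as an added example that is not part of this page or of JMU's tooling. It assumes the field names and the constructed subject records shown in the block. Two implementations of the same safeguard are shown (a random code table, and a keyed HMAC for the case where the same subject must be linked across collection waves), along with an unkeyed hash to show why that does not qualify as pseudonymization.

```python
"""
Pseudonymization of a research dataset: direct identifiers are replaced by
a subject code, and the code-to-identity mapping (the key-code) is returned
separately so it can be stored apart from the working dataset.

Added example; not JMU's code. All subject records are constructed.
"""
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers here (an assumption for the example;
# a real study derives this list from its own data inventory).
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")


def pseudonymize(records, id_fields=DIRECT_IDENTIFIERS):
    """Return (working_dataset, key_code).

    working_dataset: records with direct identifiers replaced by subject_code.
    key_code: subject_code -> removed identifiers. This is the "additional
    information" in the GDPR definition; keep it on a separate system with a
    separate access list. Without it the working dataset cannot be attributed
    to a named person, although under GDPR it remains Personal Data.
    """
    working, key_code = [], {}
    for rec in records:
        code = secrets.token_hex(8)          # 128-bit random; unrelated to identity
        while code in key_code:              # collision is negligible but cheap to rule out
            code = secrets.token_hex(8)
        key_code[code] = {f: rec[f] for f in id_fields if f in rec}
        cleaned = {k: v for k, v in rec.items() if k not in id_fields}
        cleaned["subject_code"] = code
        working.append(cleaned)
    return working, key_code


def reidentify(working_record, key_code):
    """Re-link one record; only possible for whoever holds the key-code."""
    return {**working_record, **key_code[working_record["subject_code"]]}


def has_direct_identifiers(record, id_fields=DIRECT_IDENTIFIERS):
    """Check that no direct identifier field survived pseudonymization."""
    return any(f in record for f in id_fields)


def linkable_pseudonym(secret_key: bytes, identifier: str) -> str:
    """Deterministic pseudonym for linking one subject across waves.

    HMAC-SHA256 keyed with a secret; here the secret key, not a code table,
    is the separately held additional information. Normalised to lower case
    so "Anna@Example.org" and "anna@example.org" map to the same subject.
    """
    return hmac.new(secret_key, identifier.lower().encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of an identifier, shown only to demonstrate the weakness."""
    return hashlib.sha256(identifier.lower().encode()).hexdigest()


def recover_from_unkeyed_hash(digest: str, candidates):
    """Why a plain hash is NOT pseudonymization: e-mail addresses and similar
    identifiers come from a small, guessable space, so anyone can rebuild the
    link by hashing candidates. Returns the matching candidate or None."""
    for c in candidates:
        if unkeyed_hash(c) == digest:
            return c
    return None


# Constructed sample records (not real subjects).
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.org", "ip_address": "203.0.113.7",
     "age_band": "30-39", "score": 71},
    {"name": "Ben Example", "email": "ben@example.org", "ip_address": "203.0.113.9",
     "age_band": "40-49", "score": 58},
]


if __name__ == "__main__":
    working, key_code = pseudonymize(SAMPLE_RECORDS)
    assert not any(has_direct_identifiers(r) for r in working)
    print("working dataset:", working)
    print("re-identified first record:", reidentify(working[0], key_code))

    key = secrets.token_bytes(32)
    assert linkable_pseudonym(key, "anna@example.org") == linkable_pseudonym(key, "Anna@Example.org")

    guessed = recover_from_unkeyed_hash(unkeyed_hash("anna@example.org"),
                                        ["x@example.org", "anna@example.org"])
    print("unkeyed hash re-linked to:", guessed)
```

The working dataset produced here is what the research team handles day to day; the key-code (or the HMAC key) is the only thing that must be held separately and under tighter access control. Separating them narrows who can re-link the data; it does not turn the data into anonymous data, which is the point the section above makes about GDPR's treatment of Pseudonymized Data.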
What are the GDPR Requirements?
When GDPR applies, it requires the researcher to provide the subject with specific information in a privacy notice and, under certain circumstances, to obtain the subject's explicit consent for certain processing activities.
Notice Requirements
When Personal Data of an individual in the EEA is collected, used, or accessed for research purposes, GDPR requires that individuals be informed of the following information:
- The specific types of Personal Data collected and processed;
- The reasons, or purposes, for using the individual’s Personal Data (i.e., using the Personal Data in order to conduct the research study);
- The expected duration for retaining Personal Data;
- The types of entities or individuals who will have access to or receive the Personal Data;
- A description of the individual’s rights under GDPR (which should also include language that informs the Data Subject that their Personal Data will be protected under GDPR and how withdrawal of their consent to participate in the study will affect JMU's subsequent use of their Personal Data);
- Notice that his or her Personal Data will be available in the United States (or other countries outside the EEA), and a description of how JMU will protect the personal data;
- If Personal Data is being used to make decisions about the person or to create a profile, relevant information (this is discussed in more detail below); and
- Contact information for JMU and the local privacy officer.
This information must be provided to Data Subjects located in the EEA in any research study that involves collecting or using their Personal Data.
If the Personal Data of an individual located in the EEA is used in research, where the Personal Data is provided to JMU by a third party, individuals also must be informed of:
- The source of the data; and
- A description of the categories of personal data.
The IRB advises investigators to include the above-referenced information in the informed consent document presented to subjects.
Consent requirements
In addition to giving research subjects the notice described above, GDPR also requires that Data Subjects consent to certain processing activities. GDPR stipulates that consent must be a freely given, specific, informed and unambiguous indication that the Data Subject agrees to the particular processing of their Personal Data.
Each scenario requiring consent is discussed in more detail below.
1. Special Categories of Personal Data
Certain types of Personal Data require additional protection under GDPR. Generally, when research involves Special Categories of Personal Data, the individual must explicitly consent to the use of this data for a given purpose. GDPR explicitly identifies the types of Personal Data that constitute Special Categories of Personal Data, which are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person;
- Health-related data; and
- Sex life or sexual orientation.
If any Special Category of Personal Data of an individual in the EEA is collected, used, or accessed for research purposes, the researcher must obtain the Data Subject's explicit consent to the use of that sensitive data. This can be accomplished by informing the Data Subject of the specific Special Category of data being used and the purpose of the use (i.e., to conduct the research study, which is summarized for the Data Subject), and by requiring that the Data Subject consent to participation in the research study.
2. Personal Data Transfers to the United States
When JMU researchers collect Personal Data from individuals in the EEA and intend to access the data in the United States, or transfer the data to the United States, the researcher generally must obtain the explicit consent of the Data Subject. Thus, in most, if not all, scenarios in which a researcher is collecting Personal Data, consent to transfer the data to the U.S. will be required. In addition to obtaining the individual's consent, GDPR requires that the Data Subject also be informed that the United States does not protect Personal Data in the same manner as it may be protected in the EEA. Note that if a JMU researcher is not collecting the Personal Data, but is instead receiving or using Personal Data collected or obtained by a researcher or institution in the EEA, standard contractual clauses approved by the European Commission should be included in any underlying agreement between JMU and the EEA researcher or institution providing the Personal Data. In that case, individuals do not need to consent to the transfer, but they must still be informed by JMU that their Personal Data is protected through a set of standard contractual clauses and that they have the right to obtain a copy of the clauses used to protect their Personal Data. This can be accomplished, for example, by referring the Data Subject to a publicly available Statement of Privacy related to JMU's research uses of data that includes such language.
3. Personal Data to Assign Subjects to Different Treatments
GDPR gives Data Subjects the right not to be subject to a decision based solely on the automated processing of their Personal Data, where there is a legal or similarly significant effect on the person. A decision is based solely on automated processing when there is no meaningful human involvement in the decision. A decision that affects the healthcare a person receives can be considered one that has a significant effect on an individual. For example, assigning clinical trial subjects to receive an intervention or placebo based solely upon each subject's diagnostic data, where the assignment is done without any meaningful input from a physician or the research team, could be regulated by GDPR.
However, GDPR does allow solely automated processing that could significantly affect a Data Subject where the Data Subject explicitly consents to the activity. Thus, where the research involves assignment to various treatments based upon Personal Data alone, the researcher must obtain the explicit consent of the Data Subject. Where the decision will use special categories of Personal Data, the Data Subject must also explicitly consent to the uses of such data for this purpose.
Finally, the Data Subject must also be informed of how the decision is made (i.e., the logic involved), the potential consequences of the decision, the right to obtain human involvement in the decision, and to challenge the decision, if the research allows.
GDPR Resources
- Consent template language (In development)
- GDPR Privacy Statement (In development)
- OHRP Compilation of GDPR Guidances
- GDPR Regulations
Related Policies
Countries outside the EEA may also have similar data protection requirements, or may be in the process of developing them. For example:
- Protection of Personal Information Act (POPIA) – South Africa
- Brazilian General Data Protection Law (LGPD) – Brazil
- Data Protection Act, 2019 – Kenya
Research projects subject to similar data protection requirements may be asked to include GDPR-like informed consent language.