The impact of GDPR on research

The General Data Protection Regulation (GDPR) came into effect across the European Union in 2018, replacing the Data Protection Directive 95/46/EC. The legislation outlines new laws regarding how organisations handle the personal data of EU citizens, regardless of where the data is being held. In summary, the laws demand that data processing is lawful, fair and transparent.

If the regulations are broken, swift fines ensue, as Google discovered when they were fined €50m for breaching the new rules, in the first major case since the laws were passed. They failed to obtain sufficient consent from users when processing their data for the purpose of personalised advertising. GDPR gives priority to personal privacy in many instances, but the aim is to encourage digital innovation so long as the appropriate safeguards are in place. There are certain exceptions made for research, although the term “research” isn’t well defined. For example, it may extend to the data analytics conducted by private organisations too.

Early drafts of GDPR posed problems for the scientific community. One particular issue was around consent in research: the drafts would have required researchers to get renewed consent to reuse data for a different study. The scientists met with the policymakers and this was rectified in the final draft, but medical research remains vulnerable to unintended consequences of the new law. For example, daily decisions about handling data have to be made by each individual institution’s legal team, and they are likely to err on the side of caution, potentially stifling research.

There are other outstanding issues too, which are caused by the fact that on several points, GDPR provides a moderate level of autonomy for each country within the EU to implement exemptions with respect to scientific research. In Ireland for instance, regulations signed into law by Minister for Health Simon Harris allow research to be carried out using people’s personal data without their explicit consent under certain circumstances. This lack of harmony on some points across the continent could prove problematic when it comes to sharing data between collaborators across borders within the EU.

Barriers may arise further afield, too. Cooperation in the academic field with China “offers unique opportunities but also risks when it comes to handling of data, specifically personal research data,” said Professor Henk Kummeling, Utrecht University, at a seminar on cooperation between Europe and China. The US secretary of commerce also voiced concerns around GDPR, saying that “GDPR creates serious, unclear legal obligations for both private and public sector entities, including the US government. We do not have a clear understanding of what is required to comply. That could disrupt transatlantic cooperation on financial regulation, medical research, emergency management coordination, and important commerce.”

A biobank is a repository that stores biological samples for use in research, and over the last two decades they have become increasingly important scientific tools, lying at the heart of several types of contemporary research like genomics and personalised medicine. Biobanks give researchers access to research-ready, high-quality samples of blood, tissue, and fluids together with associated clinical data for a large number of people, which can help identify biomarkers for rare genetic disorders. Such studies were not possible prior to the advent of biobanks, and they have led to scientific breakthroughs and new treatments. Understandably though, they raise legitimate questions about privacy and medical ethics. GDPR specifically brings some of these concerns to a head. Ethics committees and institutional review boards provided guidance in the past for how biobanks operate, but such processes are no longer sufficient. Instead, a data protection officer has to be appointed to oversee the adherence to the new laws.

The legislation also requires that data for scientific research is “pseudonymised” as early as possible. In contrast with being entirely anonymised, pseudonymisation is the processing of personal data so that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately. Further, data remains personal data even when it has been pseudonymised and has to be treated as such.

The attitude of researchers towards GDPR is predominantly positive, and awareness levels are high. Many of the obligations imposed by GDPR are not new to institutions conducting clinical research, because this sector has long been subject to strict data security regulations all around the world. For the most part, GDPR requirements reflect current best practices in research, and therefore should not have a significant impact on how researchers operate. Nevertheless, precisely how activity within science and medicine will be impacted by GDPR is not clear, and this is particularly the case for organisations operating within the EU but with their headquarters outside it.

The EU asserted its commitment to protecting the fundamental rights of individuals relating to privacy and data protection by introducing GDPR, which strongly protects health and genetic information. These types of data lie at the heart of medical research, so organisations conducting clinical trials must re-evaluate their procedures around consent, and any secondary processing of data must be considered carefully in light of the legislation. First and foremost, the legal terminology must be understood to ensure its proper dissemination and application. It is important to protect the personal data of individuals, and also to ensure data can be used where appropriate to support necessary research. This is the line that must be walked going forward.