Key lessons on GDPR and scientific research
The new world economy relies on data-driven technologies and systems. Data is knowledge and innovation, ensuring scientific progress. There is a strong debate on whether the new General Data Protection Regulation (GDPR) constitutes an enabler or hindrance for scientific research. Although the focus has been mainly on health research and data protection requirements, scientific research is broadly understood, including technological development and demonstration, fundamental research, applied research and privately funded research (Recital 159 GDPR).
If you are involved in any kind of scientific research, it is very likely that you are affected by the GDPR provisions. In this article, we look at the impact of the GDPR on scientific research based on a report prepared for the European Parliamentary Research Service. Based on these key findings and our experience in this field, we present the main benefits and challenges of the GDPR regarding research, before concluding with a GDPR preparedness plan for organisations involved in research.
In general, the GDPR is considered a further safeguard and enabler for scientific research mainly due to:
- High security standards ensuring public trust and reducing personal data breaches
- Increased cross-national harmonisation of data protection, enhancing cross-national research collaborations
- Enhanced obligations for data controllers and processors, promoting higher research standards and the voluntary participation of data subjects in research
- Focus on the responsibilities of the controller and creation of a self-regulation system
- Implied recognition of broad consent (Recital 33 GDPR).
Nonetheless, the GDPR provisions have been received with scepticism by research-associated stakeholders, mainly for the following reasons:
- Excessive burden on researchers, which could lead to delays in project development
- Dynamic consent is not compatible with consent requirements under the GDPR
- Pseudonymised data may trump epidemiologic research
- Lack of clarity regarding the processing of children’s data
- Bureaucratic burden and extra need for human, administrative and financial resources and data protection expertise
- Lack of guidance or contradicting guidance issued by various supervisory authorities, especially in relation to best practices of anonymisation and pseudonymisation
- Ambiguity regarding the applicable lawful grounds and the role of ‘public interest’
- Specific provisions and challenges in certain areas of research, including genomic research
- Need for specifying the appropriate measures and safeguards for data security
- Complex legal issues in relation to further processing for research purposes.
Compliance and preparedness plan
Similar to scientific research, the GDPR is not a piece of legislation to be assessed independently of its intent, consequences and benefits concerning individuals and society at large. In order to trigger the GDPR research flexibilities and reap the benefits, the study suggests that organisations should design and implement the following measures:
- Technical solutions – The creation of fundamental digital infrastructure could support data-sharing in the scientific domain. For example, “robust data management practices, researcher-friendly software interfaces for GDPR compliance, and rendering algorithms used in research more amenable to ex post and ex ante inspection” (see report, page 11) are necessary tools to comply with the GDPR and ensure that the right to data protection of research participants is respected.
- Epistemic solutions – The GDPR further promotes data protection awareness. Awareness about the new data protection landscape and the relevant obligations of each actor (e.g. controllers, processors, funders, laboratories, etc.) is a salient element for GDPR compliance. In addition to the general awareness and media attention, organisations should further support this awareness through specific measures. These could include the “organisation of educational activities, specific training sessions and increasing the researchers’ familiarity with best practices for data collection and handling” (see report, page 11).
- Governance-related solutions – Although data protection is only a piece of the puzzle, it interfaces with other fields and requires collaboration and governance mechanisms. These include creating decentralised and/or citizen-owned data sharing platforms, “setting up more accountable scientific governance frameworks, enhancing ethics review mechanisms and establishing data handling best practices” (see report, page 11). As part of your governance obligations, you should always check how the GDPR is applied in your jurisdiction and any further data protection obligations you may have. For example, in a previous piece, we advised about the implementation of the Irish Health Research Regulations complementing the Irish Data Protection Act 2018.
The GDPR does not intend to impede scientific research and data-driven products and services. Whether you conduct clinical trials, biomedical research, publicly funded, commercial, social science, marketing or customer experience research, you should bear in mind that the GDPR also regulates this activity and prescribes adherence to specific principles and provisions.
If you carry out scientific research and you have any questions regarding your obligations under the GDPR, please visit the Trilateral Data Protection Officer page and do not hesitate to get in touch with our data protection advisors.