October 6, 2017, by Stuart Moran
An Introduction to the General Data Protection Regulation for Research
The Digital Research Team are supporting the university’s preparations for the impending introduction of the General Data Protection Regulation. In this blog post, we introduce a summary of the main principles of the regulation, touch on some of the considerations for research and outline the ways in which the university is making preparations.
1. What is GDPR?
The General Data Protection Regulation (GDPR) is set to replace the current Data Protection Directive (DPD) 95/46/EC and will be enforceable from 25th May 2018. The GDPR maintains the key data protection principles of DPD, but includes many changes that simplify and unify the regulatory environment, while offering more transparency and control to EU citizens over their personal data. The following are some of the key points:
1.1 Personal Data and Roles
Personal data is any information relating to an individual that can be used to directly or indirectly identify them. This can be in reference to a name, identification number, location data, online identifier (including IP addresses, cookies etc…) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Critically, there is no distinction between personal data in private, public or work contexts.
Within GDPR, there are three main types of role/entity to consider:
- A Data Controller: determines the purposes and means of the processing of personal data.
- A Data Processor: processes the data on behalf of the controller.
- A Data Subject: refers to the person the identifiable data relates to.
Processing in this context means anything that is done to, or with, personal data (including: collecting, storing or deleting). The implications of this are that GDPR applies when anything involves or affects personal data on EU citizens.
1.2 Consent and Rights
The definition of consent has been refined in GDPR as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. This means there must be no doubt about the purpose or means of processing of personal data, including situations where there are multiple processing activities or purposes. Furthermore, there must be a positive indication of agreement from a data subject, and pre-selected tick boxes or data subject inaction / silence will not suffice.
Data subjects also have expanded rights as a part of GDPR in terms of data Access and Erasure. They can seek confirmation from a data controller if they hold their personal data, who has access to it, how it is accessed, where it is processed and for what purpose. In certain circumstances, data subjects also have the right to request the controller erase their personal data, and even halt third parties from processing the data. They may also request a free digital copy of the information being held.
1.3 Breaches and Penalties
A data breach is where a breach of security leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The supervisory authority (the Information Commissioner’s Office in the UK) must be notified within 72 hours if the personal data breach is likely to result in a risk to the rights and freedoms of individuals.
The maximum fine for a breaching the GDPR, is 4% of annual global turnover or €20 Million (whichever is greater). The fines are tiered, meaning an entity can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment.
1.4 Demonstrating Compliance
Data Controllers need to demonstrate compliance with the GDPR by maintaining records of data processing activities and their location, with information on the categories of data and where it is stored. Other technical and organisational measures to be demonstrated include the appointment of a Data Protection Officer, conducting privacy impact assessments, and implementation of data policies, audits, pseudonymisation and minimisation.
2. Considerations for Research
A detailed article outlining the main considerations and implications for scientific research can be found here: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/. Much of the processes and procedures put in place for the DPD will continue to be applicable for the GDPR. That said, there are likely to be some required amendments. The following highlights some of the main points:
2.1 Consent and Notification
In order to process personal data, a lawful basis for processing needs to be identified and communicated to the data subject by way of a privacy notice. Articles 13 and 14 of the GDPR outline the requirements of a privacy notice both when personal data is collected form the data subject (Art. 13) and when personal data were not obtained from the data subject (Art.14). The requirements include notifying the data subject of the purposes for which the data is collected; the legal basis for the processing; the categories of personal data being processed; details of transfers to third parties and safeguards; the applicable retention period and the right to withdraw consent, where relevant.
Fulfilling these requirements can be difficult for some research as it is often not possible to fully identify the purpose of the data processing at the time of collection. For example, when working with Big Data and data mining there are a wide range of unknown insights that can be drawn. This is accounted for in GDPR by permitting further processing where it is compatible with the original stated purpose.
One way a data controller can take suitable technical and organisational measures to comply with the GDPR is through pseudonymisation. This processes personal data in a way such that it can no longer be associated with an individual without additional information; for example, the use of key-coding and encryption. Truly anonymous data by contrast falls outside the scope of the regulation. Note, even if a researcher no longer has the ability to re-identify data, the data is still regulated under GDPR if it could be re-identified with reasonable effort
2.3 Data Transfer and Profiling
The GDPR prohibits the transfer of data outside of the EU other than in compliance with the conditions for transfer set out in Chapter V of the GDPR. The organisation receiving personal data must ensure that adequate safeguards are in place, as detailed by the GDPR. It will be possible to share personal data in jurisdictions that do not have adequate protection only if there is a legitimate basis, it is not a repetitive exchange, involves a limited number of data subjects, the data subjects are informed of the transfer and the relevant supervisory authority (the ICO) is informed.
Profiling is any form of automated processing of personal data to analyse or predict aspects concerning an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The GDPR prohibits data controllers from subjecting a data subject to a decision based solely on automated processing of sensitive data, except in limited circumstances. This could be problematic for researchers working in this space.
3. What preparations are being made?
The university is actively making preparations for the introduction of the GDPR, including the formation of a working group to actively make assessments across all departments in the university, with the intent of demonstrating compliance. A sub-working group has also been formed with members of the University Research Ethics Committee to examine how GDPR will affect research and ensure the research community’s requirements are met. The group’s activities will include:
- Assessing data protection readiness and mitigate security
- Reviewing and updating existing ethics policy and procedures
- Identify and classify personal research data held at the University
A series of awareness raising activities, including dedicated training sessions, will be taking place from Autumn 2017.
- Further Reading and Sources
GDPR Summary: http://www.eugdpr.org/
GDPR Regulation: https://gdpr-info.eu/
GDPR for research: https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/