What is the GDPR?
The General Data Protection Regulation (GDPR) applies to all individuals, organizations with European Economic Area (“EEA”)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA. Of note, the EEA includes the 28 states of the European Union and four additional countries: Iceland, Liechtenstein, Norway and Switzerland.
What is personal data?
Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.” Examples of “personal data” include a person’s name, email address, government-issued identification, or other unique identifier such as an IP address or cookie number, and personal characteristics, including photographs.
The GDPR highlights some “special categories” of personal data, which merit a higher level of protection due to their sensitive nature and consequent risk for greater privacy harm. This includes information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership. Although criminal convictions and records are not considered “special categories” of personal data, this information is subject to amplified protections under the GDPR.
How does the GDPR impact my research?
If you are collecting or obtaining “personal data” from participants residing in the EEA your project may be subject to the GDPR. To learn how GDPR may impact certain research activities please review the following information below regarding types of data and how GDPR applies.
- GDPR and Coded Data
Of significance to the research community, GDPR considers “pseudonymized data” (e.g., coded data) to be “personal data” even where one lacks access to the key-code/coding system/crosswalk required to link data to an individual data subject. This is in stark contrast to US regulation protecting human subjects.
For research that involves obtaining information protected by the European Union (EU) General Data Protection Regulation (GDPR), PIs must comply with the applicable data protection obligations imposed by the GDPR. If the data are being received for secondary research, the pre-approved model contractual clauses should be included in the data use agreement (DUA) with the entity that is providing the data. Investigators should submit DUAs through the Agreements module at https://dua.harvard.edu/ for processing. Note that no data/specimens may be obtained from the EEA until the appropriate agreements have been secured.
- GDPR and Anonymized Data
The GDPR does not apply to data that have been anonymized. Under the GDPR, however, in order for data to be anonymized, there can be no key-code in existence to re-identify the data. For example, if Harvard serves as the sponsor of a research study with a site located in the EEA and receives only coded data from the EEA site, such data from the EEA site remain “personal data” in the hands of Harvard investigators. This is the case even where Harvard investigators have no access to the key-code/coding system/crosswalk required to link data to an individual data subject.
- GDPR and Prospective Data Collection
For research that involves collecting “personal data” from participants residing in the EEA, GDPR compliant consent documents must be implemented. Template consent documents with required GDPR language can be found in the ESTR Library.
Need Help? Resources at Harvard
- The Harvard University GDPR Working Group has developed a website with some background and guidance on Harvard’s response to the GDPR which is behind Harvard Key login. Check it frequently as information continues to be added. Additionally, visit the EU GDPR Portal.
- The Office for Human Research Protections (OHRP) has posted a “Compilation of European GDPR Guidances” which lists, by country, the data protection authorities of all EEA countries that fall under the GDPR. For each country, the compilation also provides the links to any general GDPR guidance, as well as specific guidance on the topics of Research, Legal Basis, Consent, and International Data Transfer.
- If you have any general questions about GDPR or wish to speak to someone regarding whether your research activities requires GDPR compliance, contact your department-assigned IRB Review Specialist.
- For assistance ensuring GDPR compliance (e.g., submission assistance; consent form editing, etc.), submit a service request to the Quality Improvement Program.