Will the GDPR change the approach to scientific
By Dr Agnieszka Chidlow, Birmingham Business School, The University of Birmingham
Since 25 May 2018, the European Union (EU) Parliament and Council enforced the General Data Protection Regulation (GDPR) as the primary law regulating how companies protect EU citizen’s personal data. Any organisations that are not compliant will face heavy fines. But what does the GDPR mean for scientific and statistical research?
It is worth noting that, the Regulation treats the processing of personal data for scientific and statistical research separately, for example:
1) For scientific research it points out that “the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research (...) To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes (Recital 159, p.30)”. Even though not explicitly stated, these “specific conditions” may refer to ethical standards for scientific research (Recital 33) as well as all listed safeguards.
2) For statistical research it indicates that “where personal data are processed for statistical purposes the Union or Member State law should, within the limits of the Regulation, determine statistical content, control of access, specifications for the processing of personal data for statistical purposes and appropriate measures to safeguard the rights and freedoms of the data subject and for ensuring statistical confidentiality. Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or for the production of statistical results. Those statistical results may further be used for different purposes, including a scientific research purpose. The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result or the personal data are not used in support of measures or decisions regarding any particular natural person (Recital 162, p.30)”.
Even though the GDPR creates very strict obligations for processing and collecting personal data for scientific and statistical research, it offers some exemptions as part of its mandate to enable a Digital Single Market across the EU. More specifically, by allowing researchers to process data beyond the purpose for which it was first collected, the Regulation exempts research from the principle of storage and purpose limitation. What is more, in limited circumstances, it also allows researchers to process sensitive data without a consent as well as to transfer personal data to third countries that do not provide an adequate level of protection.
However, it is rather unclear as to how exactly such exemptions will extend. But what is clear is the fact that the GDPR aims to encourage innovation as long as researchers implement the appropriate safeguards, as stated in Article 89 (page 84) of the Data Protection Act.