What is the GDPR?
The GDPR, effective May 25, 2018, is a far-reaching regulation applicable to organizations with European Economic Area (“EEA”) based operations and certain non-EEA organizations that process personal data of individuals in the EEA. The EEA includes the 28 states of the European Union and four additional countries: Iceland, Liechtenstein, Norway and Switzerland. The GDPR aims to protect individuals’ fundamental rights to data protection and the free flow of personal data.
What is considered “Personal Data”?
For purposes of the GDPR, personal data refer to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.” Personal data may include data that could be attributed to a data subject through the use of additional data, even if that additional data come from a third party. Examples of personal data include a person’s name, e-mail address, government-issued identifier, or other unique identifier such as an IP address or cookie number, and personal characteristics, including photographs.
There is a subset of personal data, referred to in the GDPR as “special categories” of personal data, which merit a higher level of protection due to their sensitive nature and associated risk for greater privacy harm. Special categories of personal data include several items that are often collected as part of a research study, including information about a data subject’s health; genetics; race or ethnic origin; biometrics for identification purposes; sex life or sexual orientation; political opinions, religious or philosophical beliefs; or trade union membership. Criminal convictions and records, while not among the “special categories” of personal data, also receive heightened protection under the GDPR.
How does the GDPR affect research at Harvard?
The GDPR may be applicable to a broad range of research activities. For example, the GDPR may apply when Harvard acts as a sponsor of research occurring in EEA member states; when Harvard acts as a core data facility or lead site for a multi-national research study with EEA-based sites; and when Harvard conducts research in the U.S. in which participant data are transmitted to sponsors, servers, or data core facilities in the EEA. Research studies that collect data online from EEA residents may also be subject to the GDPR.
What if I am not collecting personal data from individuals in the EEA?
In short, the GDPR would not apply. Research studies may not involve the receipt of personal data because the data received may not relate to an identified or identifiable natural person. For example, studies that do not collect information that is linked to a subject’s identity, such as anonymous surveys in which the identities of survey subjects cannot be traced, would not involve the receipt of personal data.
What if I am only receiving coded data?
The GDPR considers key-coded data to be “personal data” and refers to key-coded data as “pseudonymized data.” This is in contrast to the position under many U.S. research and privacy laws, such as the Common Rule and HIPAA. Under the GDPR, pseudonymized data are regarded as identifiable personal data and therefore remain subject to the GDPR’s protections, even when in the hands of a person who lacks the key needed to link the data to the data subject’s identity.
Is it possible to de-identify data so that GDPR does not apply?
The GDPR does not apply to data that have been “anonymized.” However, for data to be anonymized, the GDPR requires that there be no key to re-identify the data. For example, if Harvard serves as the sponsor of a research study with a site located in the EEA and receives only key-coded information from the EEA site, the key-coded data from the EEA site remain “personal data” in the hands of Harvard. This is the case even if Harvard has no access to the key needed to re-identify the coded data. Unlike HIPAA, the GDPR provides no “safe harbor” under which data can be rendered de-identified by removing a specific list of identifiers. Rather, anonymization is judged on a facts-and-circumstances basis, taking into account all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly (for example, by singling out). Given this definition, anonymization is an extremely high standard that is difficult to meet in practice.
I have heard that subjects have additional rights under the GDPR. Is that true?
Yes, it is. The GDPR creates a range of rights that are available to research subjects in certain situations. Among them, research subjects have the right to obtain copies of all of their personal data and the right to withdraw consent to further processing of their personal data. Upon withdrawal of consent for research, one can no longer retain the personal data for the purpose of research, including in pseudonymized (key-coded) form. However, one may retain the data if necessary for legal compliance (i.e., for adverse event reporting). Also, the researcher could continue to process the data for research purposes if the data have been fully anonymized through removal of all identifiers associated with the data, including destruction of the key linking the subject’s data to his or her identity (please see the previous note on “anonymized” data).
How is the HUA IRB helping the research community be compliant with the GDPR?
- GDPR-compliant informed consent language - When research is to be conducted on personal data of research subjects who are located in the EEA, the HUA IRB has included GDPR language in each of the template consent materials: the adult consent form, the parent/guardian permission form for research involving children as research subjects, the child assent form, and the exempt study consent script.
- Notifying researchers if their study may be subject to GDPR - We have been flagging existing studies in our system and placing a note that is sent to the research team. For new IRB submissions, we are giving a heads-up to the researcher that GDPR might apply.
- The Harvard University GDPR Working Group has developed a website, behind Harvard Key login, with background and guidance on Harvard’s response to the GDPR. Check it frequently, as information continues to be added.
- Visit the EU GDPR Portal.
- The Office for Human Research Protections has developed a new resource for IRBs, researchers, and sponsors that are involved in human subjects research in Europe. Titled “Compilation of European GDPR Guidances,” the document lists the data protection authorities of all European countries that fall under the new E.U. General Data Protection Directive (GDPR). For each country, the compilation also provides links to any general GDPR guidance, as well as specific guidance on the topics of Research, Legal Basis, Consent, and International Data Transfer. The new Compilation is available here: https://www.hhs.gov/ohrp/international/index.html
- Questions? We’re here to help - If you have any general questions about GDPR or wish to speak to someone regarding whether your research activities require GDPR compliance, please contact your department-assigned IRB Reviewer.