Applying GDPR in research

If personal information about people is collected or used in research, then the General Data Protection Regulation (GDPR) applies, if:

  • a researcher based in the EU collects personal data about a participant anywhere in the world
  • a researcher outside the EU collects personal data on EU citizens

Information on the principles, requirements and definitions of the GDPR can be read here.

The GDPR makes provisions for processing personal data for research and archiving purposes as long as certain safeguards are in place. The safeguards include technical and organisational measures, data minimisation and pseudonymisation.

Further processing of personal data for the purposes of archiving, scientific or historical research purposes and statistical purposes is not considered to be incompatible with the initial purposes of data collection, even when this purpose has not been expressly mentioned earlier. Also, in research personal data may be stored for longer periods.

We provide here practical guidance, examples and question/answers on how to apply GDPR in research.

Consent is commonly used for ethical reasons in research with human participants, for example to ask participants to participate voluntarily in the research, explaining what the research will involve, which data will be collected and how these data will be used.

Consent can also be used as a legal basis for the processing of personal data. It is important to distinguish consent for the processing of personal information from other consent processes or requirements. One way to achieve this in practice is for researchers to indicate clearly in a consent form where the participant’s consent is being asked for processing their personal data and where consent is being asked for taking part in the research, for use of the collected information, etc. Be specific and granular so that you get separate consent for separate things. Our model consent form addresses this.

Under GDPR, consent needs to be freely given, informed, unambiguous, specific (granular) and a clear affirmative action. Consent cannot be inferred from silence, from pre-ticked boxes or from inactivity. Consent forms need to be in easy language.

Consent for processing personal data needs to be documented. An obvious way to do this is by using written consent forns. But that may not always be possible in research. Verbal consent discussions and agreements can be audio-recorded if the participants agree. Or else, the consent process and wording used can be written out in detail.

In cases where researchers are collecting and processing special categories of personal data, explicit consent can be used as additional condition to do this. Explicit consent means that the person must give an express statement of consent, for instance in a written statement.

Step-by-step
Q&A

Back to top  

We expect to run as normal a service as possible during this COVID-19 (Coronavirus) emergency. Please visit our COVID-19 page for the latest information.

DATA CATALOGUE