What is GDPR?
The General Data Protection Regulation (GDPR) is a European law that went into effect May 2, 2018 and establishes protections for privacy and security of “personal data” about individuals in the European Economic Area (EEA).
Please note that GDPR considers “coded data” to be “personal data” even where one lacks access to the key-code/coding system required to link the data to an individual data subject. This is in contrast to US regulation protecting human subjects.
What countries are part of the EEA?
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Please note that the participant does not need to be an EEA resident for the GDPR to apply.
Under GDPR what is considered “Personal Data”?
Information that relates to an identified person. Examples are: name, email address, IP address or cookie identifier, and personal characteristics (this also includes photographs).
Additional protections are given to sensitive personal information such as race, political opinions, religious beliefs, genetic data, etc.
Tips on how to comply with GDPR?
If the study can be completed using de-identified data, that is the best option. If you need to collect personal data, collect the minimum amount of demographic/personal data necessary.
Be aware that online survey sites often collect IP addresses by default, so make sure you set up your survey to collect only the information you need for the study.
If you are collecting identifiable data, you need to have a plan for how you will remove the data if the participant requests this.
How do I ensure the consent process complies with GDPR?
The consent process needs to be active. For example, in an electronic survey the participant should click to consent before proceeding with the survey. It must be an affirmative action.
You must maintain consent records for the participants. For example, if the participant is giving verbal consent you must maintain a log with the subject name or ID and the date and time consent was provided.
Consent forms must contain the following information:
- Who is collecting the information? (must include contact information of person(s) collecting the information)
- What information is being collected?
- How is the information collected?
- How will the information be used?
- How will information be stored and for how long?
- Who will the data be shared with?
- How does a participant withdraw from the study? (The participant needs to be informed of their rights to request access, erasure, and/or object to the processing of the data.)