The European Union (EU) and United Kingdom (UK) General Data Protection Regulations (GDPR)
The European Union’s (EU) General Data Protection Regulation (GDPR) is a European privacy law that went into effect on May 25, 2018. It establishes protections for the privacy and security of “personal data” about individuals in the European Economic Area (EEA). EEA countries include the following:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
Countries whose data protection the EU considers adequate, so that no additional protections are required, include the following:
- Andorra
- Argentina
- Canada
- The Faroe Islands
- Guernsey
- Israel
- The Isle of Man
- Jersey
- New Zealand
- Switzerland
- Uruguay
After Brexit, the United Kingdom (UK) kept the GDPR as part of UK law. Some UK-specific changes were made, but they pertain to matters like the amount of fines and currency used (i.e., pounds vs. euros) for violations.
The United States (US) is not considered to have adequate data protection, so researchers collecting and transferring data on EU or UK residents to the US must fully comply with the GDPR.
What is “Personal Data”?
Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity), otherwise known as a “data subject.”
Examples of personal data include a person’s name, email address, government-issued identification, or other unique identifier such as an IP address or cookie number, and personal characteristics, including photographs.
Special categories of personal data
The GDPR highlights some “special categories” of personal data that merit a higher level of protection due to their sensitive nature and risk of greater privacy harm.
Special categories include information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.
The GDPR and Coded Data
Importantly, the GDPR considers “pseudonymized data” (e.g., data for which individuals’ names have been removed and replaced with fake names or numbers) to be personal data even when a researcher lacks access to the key/code list required to link data to an individual data subject. This is inconsistent with U.S. regulations protecting human subjects and, therefore, important for researchers to understand.
The GDPR and Anonymized Data
The GDPR does not apply to data that have been anonymized (i.e., data that contain no identifying information). Under the GDPR, for data to be anonymized, there can be no key/code list in existence that could re-identify the data.
The GDPR and De-identified Data
De-identified data also are not subject to the GDPR provided the research team had no role in the collection of the data with identifiers in the first place and has no access to the identifiers going forward. A data use agreement may be applicable.
What activities are subject to the GDPR?
- Activities collecting identifiable personal data from one or more research participants who are physically located in the EEA or UK at the time of data collection. Of note, the participant does not need to be an EEA or UK resident.
- Activities involving the transfer of personal data collected under the GDPR from an EEA country or the UK to a country outside the EEA or UK (such as the U.S.).
What activities are not subject to the GDPR?
Activities involving the collection of identifiable personal data from individuals who are physically located within the U.S. at the time of data collection — even if the participant is an EEA or UK citizen — are not subject to the GDPR.
How do I ensure that my study complies with the GDPR?
- Collect only the absolute minimum personal/demographic data needed to complete the study. If your study can be completed using only de-identified data, then we strongly advise you to take this approach.
- Many online survey sites collect personal information, including IP addresses, by default. Ensure that you set up your study to receive only the information you are seeking. To the extent possible, verify that any third-party website or app being used for data collection is GDPR-compliant.
- Use an active (“opt-in”) informed consent. Under the GDPR, consent must be freely given, specific, informed, unambiguous, and explicit. A description of the data processing and transfer activities to be performed, if applicable, must be included in the informed consent document. Following an informed consent description, a “Click next to proceed to the survey” button or equivalent is sufficient for “active” consent for online data collection.
- Ensure that your consent form complies with GDPR requirements (see below).
- For activities in which identifiable data is collected, you must have an executable plan to remove data in the event a participant requests to have his/her data removed.
How is the consent documentation and process affected by GDPR?
The good news is that many of the consent requirements under the GDPR are consistent with those that you already implement as part of standard consent processes and documentation. Below are the GDPR requirements:
- Consent records, including time and date of consent, must be maintained for each subject. In the case of verbal, online, or any other type of undocumented consent, the Principal Investigator is responsible for maintaining a consent log indicating each subject (either by name or study ID number) and the date and time that consent was provided.
- Consent must be explicit. If the consent form or consent script serves multiple purposes (e.g., a consent form that is also the recruitment email), then the request for consent must be distinguishable.
- Each subject has a right to withdraw consent at any time. Each subject must be informed of this right before giving consent. Withdrawal of consent must be as easy as giving consent.
- Consent must be an affirmative action. This means that opt-out procedures are not permitted.
- Consent information must be provided in clear and plain language in an intelligible and easily accessible format.
- Consent must be freely given. Individuals in a position of authority cannot obtain consent, nor can consent be coerced. This means that faculty members or teachers cannot obtain consent from their students.
- Consent forms must contain the following information:
  - The identity of the Principal Investigator
  - The purpose of data collection
  - The types of data collected, including a listing of special categories: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, processing of genetic data, biometric data used for unique identification, health data, and/or sex life or sexual orientation information
  - The right to withdraw from the research and the mechanism for withdrawal
  - Who will have access to the data
  - Information regarding automated processing of data for decision-making about the individual, including profiling
  - Information regarding data security, including storage and transfer of data
  - How long data will be stored (this can be indefinite)
  - Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study
Researchers planning to collect personal data from persons residing in the EU or UK must ensure that the information listed above is included on their consent form or use the GDPR consent form along with their consent form. Templates for all consent forms are provided on the Supporting Document Templates webpage.
In the event of a data breach, notify the Institutional Review Board (IRB) immediately so that appropriate steps can be taken by the University.
(With permission, the order and content of this page, with some exceptions, were reprinted from Brown University’s IRB GDPR web page.)