The General Data Protection Regulation (GDPR) is a data protection law that applies broadly to the processing of personal information of individuals. It applies to organizations established in the European Economic Area (EEA) (the European Union (EU) member states plus Iceland, Liechtenstein and Norway), regardless of where the processing takes place, and to organizations outside the EU/EEA where their processing activities relate to offering goods or services to individuals in the EU/EEA or to monitoring the behavior of individuals that takes place in the EU/EEA. Generally speaking, the regulation applies to all personally identifiable data that are collected, used, stored, or otherwise processed about covered individuals by any method, including electronic and paper records.
The GDPR relates to human subjects research by:
"Personal data" refers to any information that relates to an identified or identifiable natural person, i.e. an individual, not a company or organization. Under GDPR, the terms "identified" and "identifiable" cover a broader spectrum of information than the way those terms are used in other research regulations, e.g. the Common Rule and HIPAA. Examples of identifiable data under GDPR include names, email addresses, IP addresses, cookie identifiers, voice or image recordings, dates unique to an individual (e.g. birthdates, appointment dates), and location data (e.g. physical address, GPS coordinates). Other examples include combinations of information that together may be used to identify an individual, such as a person's place of employment, level of education, marital status, and place of birth; each item alone may not identify anyone, but the combination can.
Processing of personal data is only lawful under GDPR if one of a limited number of legal bases explicitly set forth in the law applies to the processing. In most cases, the legal basis for academic research will be the "legitimate interests" of the researcher. This requires a fact-specific balancing test to ensure that the legitimate interests of the researcher in performing academic research are not overridden by the fundamental rights and freedoms of the individuals, particularly if children are involved. Informed consent can also be a legal basis for processing of research data (see further discussion below).
The GDPR considers the following information to be “special categories” of data:
The processing of special categories of data is prohibited under GDPR unless a specific exception applies. In the research context, special categories of data may be processed for public health activities, scientific or historical research, statistical purposes, and matters of substantial public interest, in each case only to the extent such processing is based on EU or member state law.
In many cases, subjects' explicit consent will be required to collect information in these special categories where no other exception applies. Consent must be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the subject's agreement to processing of the special categories of data. This act could be signing a form, ticking a box on a website, or giving verbal agreement. Silence, pre-ticked boxes, or inactivity do not constitute consent. Subjects must be able to withdraw their consent easily at any time.
In addition, note that processing of personal data relating to criminal convictions and offenses is prohibited under the GDPR unless it is being carried out by a public authority or as authorized under EU or member state law.
If you are not relying on consent as the legal basis for the research (or as the exception permitting processing of special categories of data), then subjects need only be notified of certain information; active consent is not required. The notification must include:
If the subjects’ consent will be obtained (see discussion above), in addition to all of the information included in the notification (see list above), the consent information should include:
The GDPR notification/consent information should be presented separately from the research study consent form, i.e., GDPR information should not be integrated into the research consent form.
If the child subjects are competent to understand and act on their rights under GDPR, then they should be presented with the GDPR notification/consent. In this case, the children, not the parents, hold the rights under GDPR. Whether child subjects are competent may depend on the law of the relevant EU/EEA state and on their age, maturity, status, or condition. The notification/consent language should be appropriate for the age and developing capacities of the children. Note that the GDPR notification/consent is separate from the research study consent/parental permission: for some studies, parents may be required to give parental permission for their child to participate in the study, but the parents would not need to be notified of their child's rights under GDPR.
If the child subjects are NOT competent to understand and act on their rights under GDPR, then their parents should also be provided with the GDPR notification/consent. In some cases, such as for studies involving very young, pre-literate children, only the parent must be provided with the GDPR notification/consent. If the researcher maintains an ongoing research relationship with the child subjects, e.g., multi-year, longitudinal research, then the researcher should provide the children with the GDPR notification/consent once they are able to understand the information.
If a subject contacts you about exercising their rights under GDPR, you should first verify their identity. If you have reasonable doubts about the identity of the individual making the request, you may request additional information to confirm it; do not disclose or alter any data until the requester's identity is established. After verifying their identity, you should attempt to accommodate the subject's request regarding their data. Generally, GDPR requires that requests be accommodated without undue delay and in any event within one month of receipt.
If you are unable to accommodate their request, e.g., because it may jeopardize the integrity of the study, notify the NYU UCAIHS and the NYU Data Protection Officer as soon as possible. Include the following information:
GDPR has strict rules regarding reporting of personal data breaches. In some cases, NYU must report a data breach to the relevant EU GDPR supervisory authority within 72 hours of becoming aware of the incident, and in some cases must also notify the affected individuals without undue delay. Because the clock starts at discovery, if you discover a breach, immediately notify the NYU UCAIHS and the NYU Data Protection Officer. Include the following information:
The NYU UCAIHS and Data Protection Officer will assess the breach and notify you of any additional required actions, if applicable.
GDPR may apply if personally identifiable data is being collected through Internet sites from subjects while they are in the EU/EEA. If identifiable data will be collected and you are unsure whether subjects may be in the EU/EEA, then it may be necessary to add a question at the beginning of the survey asking whether the subject is currently in the EU/EEA. Subjects who answer yes can then either be presented with the GDPR notification/consent or be prevented from completing the survey.
To avoid collecting identifiable data when using Qualtrics, the Anonymize Response option must be selected. This option prevents Qualtrics from recording Internet Protocol (IP) addresses, which are identifiers under GDPR. Note that this setting only addresses the metadata Qualtrics collects automatically; survey questions themselves (e.g., free-text answers, email addresses, or combinations of demographic details) can still make a response identifiable, so the survey content must also be reviewed.
Some data may be covered by GDPR as personal information but not meet the definition of "human subjects" data under IRB regulations. For instance, using publicly available social media posts from individuals in the EU would fall under GDPR, but would not fall under IRB regulations, because the data does not constitute "identifiable private information."
Please contact the NYU Data Protection Officer – firstname.lastname@example.org – if your project will include information covered under GDPR but is not covered by IRB regulations.
If you have additional questions about GDPR, contact the NYU UCAIHS.