Dr Michelle Goddard, Director of Policy & Communication, EFAMRO
Directly applicable without the need for national legislation, the General Data Protection Regulation (GDPR) will come into force in all of the 28 Member States of the European Union on 25 May 2016, heralding a seismic change in the regulatory landscape for data protection. [1] The new legislation, which will be enforced from May 2018, gives EU residents greater control of their personal data through:
  • new rights such as the right to data portability (to move their data to a new provider) and the right to erasure of information in the public domain (known as the right to be forgotten)
  • strengthened existing rights including enhanced information rights requiring organisations to provide clearer detailed information and promote all data protection rights to individuals.
But what does this mean for researchers in the private sector? In this brief blog posting I’ll provide an overview of the GDPR and the likely impact of the reforms on research.
Accountable research businesses
Delivery of insights to businesses often involves analysis of “personal data”, that is, data that on its own or together with other information can be used to identify living individuals. The boundaries of the type of personal data captured by data protection legislation have been broadened so that online identifiers such as IP addresses, cookies and digital fingerprinting, and location data that could identify individuals, are more squarely captured along with standard identifiers such as names and addresses. The GDPR also restricts profiling activities carried out by automated means, but demographic segmentation techniques used by researchers are unlikely to fall within this, as these will not have a significant or legal effect on individuals. Organisations must enshrine “privacy by design and by default”, using measures such as data minimisation as a standard approach to data collection and use. Although they will no longer be required to register with the national data protection authority (DPA), organisations now have more onerous accountability obligations to maintain extensive records on data processing activities. Added to this is a risk-based approach with the:
  • appropriate use of privacy impact assessments for riskier processing activities
  • mandatory notification of risky data breaches to the DPA (and to affected data subjects where there is a high risk the breach is likely to cause harm)
  • appointment of a data protection officer if the organisation is involved in regular and systematic monitoring or processing of sensitive personal data on a large scale.
This risk-based approach will need to be embedded into the culture of organisations such as research agencies and data analytics firms who process personal data as a core activity.
Core principles apply to research projects (with slight modifications)
The rules have clearly changed and in many instances tightened but, recognising the nature and value of research, some concessions have also been granted. These allow research data to be stored for longer periods and to be “repurposed”, i.e. used for additional research purposes not initially identified. Researchers working with personal data sets can also restrict the right of individuals to have their data erased (where this may impact on the integrity of the research) and their right to object (if necessary for public interest reasons). Overall, the legal grounds for processing personal data under the GDPR reflect the existing position, and informed consent will continue to be key. Consent must be specific and evidenced by clear affirmative action, and explicit consent is required from individuals to process sensitive data such as health, biometric or ethnicity data. All information notices, including privacy policies and research consent forms, must be written in plain and intelligible language (and consent must be as easy to withdraw as it is to give). Critically, as the GDPR recognises that it may sometimes be unrealistic to require scientists to list all purposes in the consent form at the time data is collected, flexibility is given to researchers to get a broad consent for research purposes. Data for research purposes can also be processed by relying on the “legitimate interests of the data controller”, so that if, for example, you are doing research for a retailer using their customer database, it could be reasonably expected that research would be carried out and it can be done without consent. This is a balancing act and only applies if it does not override the rights of individuals.
Pseudonymised data is the new default for research projects
Previous studies have highlighted the ease of re-identifying individuals from three indirect identifiers. Perhaps reflecting the difficulties of pure anonymisation of personal data, the GDPR creates a new category of personal data known as “pseudonymised data”. This covers data that has had the personal identifiers removed and kept separately (such as coded data with ID numbers) but in such a way that it can still be put back together. There are several benefits to pseudonymising data. Using it is an important safeguard for research and mitigates the risks of data breaches. However, pseudonymisation is an art, not a science, and as techniques will evolve with technological developments, regulatory guidance will need to do the same.
Special national regimes carved out for scientific, statistical and historical research
Regimes have also been carved out for “scientific”, “statistical” and “historical” research, offering flexibility to permit continued innovation and development of research projects. However, this is at a Member State’s discretion and requires separate national or EU law for introduction, which may mean there is some inconsistency in the position across the EU. If implemented by a Member State, this “research exemption” can be used where it is impossible to conduct research otherwise. It provides a dispensation from data subject rights such as rights to access; rectification of inaccurate data; restriction of processing; and the right to object, including to processing for research purposes. To take advantage of this, the research must be done in line with recognised ethical research standards, and emphasis is still placed on implementation of proper technical and organisational safeguards such as data minimisation and pseudonymisation. The compliance framework also gives a clear role for codes of conduct to support effective implementation of safeguards.
Private sector researchers should be able to take advantage of the “scientific research” exemption, which is widely defined in the introductory text of the GDPR (the recitals), explicitly stating that it should be interpreted in a broad manner and including privately funded research. The history of amendments to the data protection text suggests that it is designed to cover market research, and indeed prior practice in some EU Member States indicates that it should be accepted as such, but doubts have been raised by some on this.
What’s next?
Member States need to take action to introduce the research exemption into national law in order to facilitate a consistent, workable approach for research projects. Guidance issued over the coming months by national data protection authorities and the group of European regulators will also be critical in ensuring that the reforms are implemented, interpreted and enforced consistently. The significant penalties for non-compliance, with fines of up to 4% of worldwide turnover or €20 million, mean that practical and legal certainty for businesses must be prioritised, and EFAMRO will continue to work with national associations and with ESOMAR to ensure that the rules are sensibly implemented and understood. There is a lot more to do in this area, but at least now the content is clear and the timing narrowed down. Let the preparations begin!
[1] See Final Text of the GDPR: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf