Michelle Goddard: Changing the framework for research? – Impact of the EU Data Protection Reforms
31 October 2016

The General Data Protection Regulation (GDPR) and the changes to the data protection regime make these interesting times for researchers working with personal datasets such as administrative and geo-demographic data.

Although the UK has decided to leave the EU, the Government has confirmed that it will be implementing the GDPR, which will come into force in the UK on 25 May 2018. The EU Regulation transforms the regulatory landscape for data protection with strengthened individual rights, a broader, deeper and more effective sanctions regime and greater harmonisation and consistency of laws across the EU.

In this brief blog posting I’ll provide an overview of the Regulation and some points of importance to UK researchers.

Enshrining strong individual rights and encouraging accountable businesses

Individuals are placed at the centre of the data ecosystem with greater control of their personal data. New rights such as the right to data portability (to move their data to a new provider) work alongside a strengthened information right requiring organisations to provide individuals with clearer detailed information and an ongoing obligation to promote all of their rights.

The boundaries of “personal data” that these rights attach to are also broader and now specifically include online identifiers such as IP addresses, cookies and digital fingerprinting and location data that could identify individuals. Genetic and biometric data has also been added to the category of special/sensitive data that require greater care in processing.

It is important to remember that the GDPR does not apply to anonymised data. Taking steps to anonymise data at an early step in the research cycle and to follow regulatory guidance to keep up to date with the limits of effective anonymisation in a digital environment is critical. Regulators do not look to the absolute impossibility of identification but will consider the likelihood of re-identification occurring. Alternatively pseudonymising or de-identifying data is also an important step in the research process as it will make compliance with the GDPR easier.

Core principles apply to research projects (with some permitted flexibilities)

Overall the legal grounds for processing personal data under the GDPR reflect the existing position and informed consent will continue to be key.

· Consent must be specific and evidenced by clear affirmative action with explicit consent is required from individual to process sensitive data such as health, biometric or ethnicity data.

· All information notices including privacy policies and research consent forms must be written in plain and intelligible language (and consent must be as easy to withdraw as it is to give).

· Critically, as the GDPR recognises that it may sometimes be unrealistic to require scientists to list all purposes in consent form at time data collected, flexibility is given to researchers to get a broad consent for research purposes.

Personal data for research purposes can also be processed by relying on the “legitimate interests of the data controller” so that if for example you are doing research for a retailer using their customer databaseit could be reasonably expected that research would be carried out. This is a balancing act and only applies if it does not override the rights of individuals.

Although the rules have changed and in many instances tightened the new regime can still work well for scientific and statistical research (including both academic and commercial research) especially where Member States introduce the greater national flexibility allowed under the GDPR.

The special research regime for scientific and statistical research means that

· research data can be stored for longer periods and be “repurposed” i.e. used for additional research purposes not initially identified

· right of individuals to have their data erased (where this may impact on the integrity of the research) and their right to object (if necessary for public interest reasons) can be restricted.

In order to benefit from this more flexible regime, researchers will need to put in place robust technical and organisational safeguards such as data minimisation, pseudonymisation and encryption and work within a strong ethical framework.

Profiling singled out for special attention

Profiling is dealt somewhat differently under the Regulation. Defined as automated processing which is used to evaluate personal aspects especially prediction or analysis of individual’s personal aspects such as location, movements, health, personal preferences, economic situation, performance at work and behaviour.

Individuals have a right to opt out of profiling for direct marketing purposes and importantly if a decision is made based on this that has significant legal or adverse effects then the individual has a right to opt out, to be given an explanation, to challenge it and to obtain human intervention. Segmentation exercises conducted by researchers are unlikely to fall within this category as these tools are not used to make decisions about individuals and do not generally have significant impacts.

Next steps for researchers?

A change in the compliance culture and use of “privacy by design and by default” with measures such as data minimisation must become the standard approach to data collection and use. Coupled with accountability obligations that require maintenance of extensive records on data processing activities is the need for researchers to adopt a risk based approach that includes the:

· appropriate use of privacy impact assessments for riskier processing activities

· establishment of processes for mandatory notification of risky data breaches to the data protection authority (and to affected data subjects where there is a high risk the breach is likely to cause harm)

· appointment of a data protection officer if the organisation is involved in regular and systematic monitoring or processing of sensitive personal data on a large scale.

All indications are that the UK will introduce the GDPR with the special research regime which should ensure that both scientific and statistical research projects undertaken in both the public and private sector can continue to be carried out once the appropriate safeguards are in place.

Dr Michelle Goddard, Director of Policy & Standards at MRS, is responsible for promoting and protecting MRS quality standards. A graduate of the London School of Economics and Political Science, she received her Ph.D. in Law from Osgoode Hall Law School, York University, Canada in 2011 and has a wealth of experience in consumer market regulation and research gained in a range of academic, policy and enforcement roles over the last 20 years.

Any views or opinions presented are solely those of the author and do not necessarily represent those of the MRS Census and Geodemographic Group unless otherwise specifically stated.