General Data Protection Regulation
New European Union General Data Protection Regulation (GDPR)
What is GDPR?
The General Data Protection Regulation (GDPR) is a European law that went into effect May 25, 2018 and established protections for privacy and security of personal data about individuals in European Economic Area (“EEA”)-based operations and certain non-EEA organizations that process personal data of individuals in the EEA. It applies to the collection and use of personal information:
- Through activities within the borders of EEA countries
- That is related to offering goods and services to EEA residents, or
- That involves monitoring the behavior of EEA residents.
Personal data is defined very broadly by this new regulation. Data privacy is a fundamental right and personal data processing is subject to certain principles, with additional specific rules for special categories of personal data.
Researchers need to consider the implications of GDPR and comply with these rules whenever applicable. Research is a special category under the GDPR, and certain exceptions do apply. GDPR may have an impact on research in the U.S. if, for example, the U.S. research uses personal data from individuals in the EU, or if U.S. researchers collaborate with EU colleagues and share personal data across study sites.
Two basic areas are most impacted by these regulations: the consent process and the need for enhanced data protections. GDPR creates a uniform guideline for using individuals’ personal data and establishes rights for data subjects, including requirements for obtaining informed consent to use their data and a new “right to be forgotten” that allows the deletion of personal data from data sets.
What countries are adopting GDPR?
The following countries making up the EEA are adopting GDPR:
Why does this affect me in the United States?
Personal data collected in, or transferred from, any of the above countries is subject to the GDPR. Failure to follow these regulations where they apply puts the University at risk of noncompliance, monetary fines, and reputational harm. Fines for noncompliance under the GDPR can be up to 20 million Euros or 4% of the University’s worldwide annual revenue for the prior financial year.
The New Protocol Submission xform has incorporated questions needed to assess whether GDPR may apply to a proposed study. If the study appears to be subject to GDPR, the IRB staff will refer the investigator to consult with ETSU legal to ensure compliance with GDPR. Refer to the guidance document below for additional information.