General Data Protection Regulation (GDPR) FAQs

  • What is GDPR?

    The General Data Protection Regulation (GDPR) is designed to protect the personal data of individuals who are located in the European Economic Area (EEA). Personal data is any data that can be used to identify an individual. The EEA includes the European Union (EU) plus the United Kingdom (UK) as well as Iceland, Liechtenstein, and Norway. GDPR is intended to be an overarching privacy regulation for all EU Member States and replaces prior EU privacy regulations. In contrast, the U.S. has no single data privacy law with an equally broad application; rather, U.S. privacy laws regulate certain sectors, such as health care (the Health Insurance Portability and Accountability Act (HIPAA)) and student records (the Family Educational Rights and Privacy Act (FERPA)). GDPR also addresses the transfer of personal data outside the EEA.

  • What does GDPR do?

    GDPR expands privacy rights for individuals located in the EEA regardless of citizenship. Specifically, with respect to certain activities of U.S. organizations, it guarantees certain “fundamental rights” to individuals in the EEA. These include:

    • Right to information: Data subjects have the right to be informed about the collection, processing and use of personal data;
    • Right of access: Data subjects have the right to obtain copies of their personal data being processed;
    • Right to rectification: Data subjects have the right to ensure correction of any inaccurate personal data about them;
    • Right to erasure (“right to be forgotten”): Data subjects have the right to request erasure of their data;
    • Right to restriction of processing: Data subjects have the right to restrict certain processing activities relating to their data;
    • Right to data portability: Data subjects have the right to receive personal data which they have provided and the right to have that personal data transferred to another party;
    • Right to object: Data subjects have the right to object to the processing of their data; and
    • Automated individual decision making, including profiling: Data subjects have the right to contest solely automated processing, or profiling, activities relating to their data.

    GDPR impacts data pertaining to these individuals even when the data is located in other countries, regardless of the citizenship of the individuals. Specifically, GDPR establishes a framework for safeguarding how personal data is used, such as:

    • Ensuring that the data is transferred, processed, stored and eventually disposed of using appropriate technical safeguards,
    • Limiting the use/processing of the data to purposes that comply with GDPR requirements (e.g., managing the academic records of UC students studying in the EEA as part of Education Abroad),
    • Requiring suppliers who access the data in the course of providing a service to agree to certain protections and safeguards of the personal data.

  • What is the territorial scope of GDPR?

    GDPR applies to organizations located within the EEA that process personal data about any person anywhere in the world. It also applies to organizations outside of the EEA if they offer goods or services to, or monitor the behavior of, EEA data subjects, regardless of the organization’s location or whether the data subject is an EEA citizen. With respect to UCR research activities, GDPR requirements apply when:

    1. A UCR researcher monitors or performs research on individuals in the EEA (e.g., research on the behavior of EEA citizens in virtual world environments),
    2. A UCR researcher engages in research using personal data while that researcher is located in Europe (e.g., collaborating with a European research center in Europe), or
    3. A UCR researcher offers goods or services to individuals in the EEA (e.g., providing gift cards for participation in research or interviewing and hiring research fellows from the EEA).

  • What is Personal Data and how do GDPR’s guidelines for protecting Personal Data differ from those of the United States?

    According to GDPR, ‘personal data’ means ANY information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified by either:

    1. Directly identifying information (e.g., name, surname, phone numbers, etc.), or
    2. Pseudonymous* data (i.e., coded data) or non-directly identifying information (e.g., behaviors or beliefs), which does not allow the direct identification of users but allows the singling out of individual behaviors (e.g., to have a webpage serve a customized ad).

    Personal data is more broadly defined under GDPR than the types of data protected by any one U.S. federal or state privacy law. Thus, if you are collecting or using data from individuals located in a country located in the EEA, in most cases GDPR will apply.

    *Although pseudonymous data is still subject to GDPR, pseudonymization is an appropriate way to safeguard Personal Data. In fact, GDPR requires that Personal Data be pseudonymized if the purpose of the research can be accomplished by using pseudonymized data.

  • How does GDPR define Special Categories of Personal Data?

    GDPR identifies a subset of personal data, called Special Categories, that require additional protections. Special Categories are defined as personal data that reveals any of the following types of information about an individual:

    • Racial or ethnic origin
    • Political opinions
    • Religious or philosophical beliefs
    • Trade union membership
    • Genetic data
    • Biometric data for the purpose of uniquely identifying a natural person
    • Health condition, sex life and/or sexual orientation

    If any Special Categories of Personal Data of an individual in the EEA are collected, used, or accessed for research purposes, the researcher must:

    1. Explain to participants how and why their data will be used, and
    2. Acquire explicit consent from each participant for using their special categories of personal data for each specific purpose. If the researcher has not collected the information himself or herself, the researcher must ensure that the data subject has been informed of, and has consented to, the use of their special categories of personal data for the purposes intended by the researcher.

  • What types of research activities are subject to GDPR requirements?

    GDPR is applicable to a broad range of research activities. For example, GDPR may apply:

    • When UCR acts as a sponsor of research occurring in EEA member states; and
    • When UCR acts as a core data facility or lead site for a multi-national research study with EEA-based sites.

    Where UCR is not obtaining any personal data from individuals located in the EEA, GDPR does not apply. This means that where UCR is only enrolling subjects locally (in the United States), and is merely providing personal data to a sponsor located in the EEA, GDPR does not apply. GDPR does apply to the sponsor in this case, but not to UCR.

    However, GDPR does apply to UCR where UCR is receiving personal data of individuals located in the EEA from an EEA sponsor or where UCR is recruiting individuals located in the EEA to participate in studies being conducted in the United States.

    Research studies that collect data online from EEA residents/visitors may also be subject to GDPR. GDPR has no “grandfather provision” or exemptions allowing use of data collected without GDPR-compliant consent. Therefore, it is unlawful to process any EEA data collected prior to May 25, 2018, unless it can be shown that each participant received GDPR-compliant notices and provided GDPR-compliant consent.

    The only case in which data about individuals is not subject to GDPR is when the data is anonymized. Anonymization is a high standard under GDPR: all direct and indirect identifiers of an individual must be removed, and the researcher must implement safeguards that ensure that the data can never be re-identified. For data to be truly anonymized under GDPR, the anonymization must be irreversible.

  • What does GDPR require from those who perform research on or collect data from EEA residents/visitors?

    Entities whose research activities meet at least one of the GDPR criteria described in the response to the “What types of research activities …?” question above are required to provide notice of privacy to each individual whose personal data is collected. This must include an explanation of the reason for collecting personal data as well as the individual’s rights regarding accessing/withdrawing the data and lodging complaints. UCR has created this Statement of Privacy Practices and Procedures for providing the institution’s privacy information to research participants.

    When UCR researchers collect personal data from individuals in the EEA and intend to access the data in the United States, or transfer the data outside of the EEA, the researcher must also obtain consent from the individuals to transfer the data back to the U.S. Thus, in most, if not all, scenarios in which a researcher is collecting personal data, consent to transfer the data to the U.S. will be required. In addition to obtaining consent of the individual, GDPR requires that individuals also be informed that the United States does not protect personal data in the same manner as the EEA does.

    If any of the data collected meet the definition of Special Categories of Personal Data, then GDPR requires an explanation of the need to collect sensitive data. In addition, each individual must give explicit consent to use that type of data. If the Special Categories of Personal Data will be transferred outside of the EEA, individuals must give explicit consent for that as well.

    This template can be adapted to provide GDPR-compliant Notice and Informed Consent for the participants in your research.