How the writers of case reports need to consider and address consent and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) [1] comes into force across the European Union on 25th May 2018. It is a major piece of legislation that will control how personal data is used and stored, in order to protect an individual's privacy. Essentially it updates the previous data protection laws and makes them fit for purpose in the 21st century. Many of the provisions within the GPDR are aimed at organisations and designed to prevent them from harming an individual's privacy. One of the often reported aspects of this is the fact that a serious breach of the GDPR could result in a fine of up to €20 million. Whilst researchers and writers of case reports will hopefully not have to concern themselves with this aspect of the GDPR, there are some key aspects of the GDPR that they will need to consider. According to Article 4 of the GDPR, “personal data” constitutes any information that relates to a natural person that can identify them, either directly or indirectly. Anyone who “processes” that information has to be aware of their responsibilities: processing includes collection and dissemination of personal data. To use an individual's personal data for research or publication purposes, consent has to be obtained. The GDPR has considerably improved and strengthened the consent requirement from that required in previous data protection laws. Those who are relying upon an individual's consent to use their personal data for research or publication purposes will need to prove that the individual has consented. Consent cannot be via an “opt-out” procedure whereby if you don't opt-out your data will be used. There is an onus to be able to prove that consent has been obtained. Where the consent is obtained in a written document, the consent request has to be ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’ (Article 7 (2)). Children under the age of 13 cannot give their own consent (Article 8 (1)), and those seeking to use a child's personal data have to take reasonable steps to verify that the person with parental responsibility has provided consent. Withdrawal of consent has to be as easy as the initial provision of consent. This means that individuals must be told that they have a right to withdraw their consent, and the ways in which they can do this. Article 17 of the GDPR provides individuals with a ‘Right to erasure’. This allows individuals to request that their data is erased and no further dissemination is allowed. However, where the data is still required for the original reason for which it was collected, it can still be used. A final consideration for researchers and writers is that of pseudonymisation. This refers to any process which renders the data in such a way that it cannot be attributable to a specific individual. The GDPR still considers pseudonymised data to be personal data and therefore covered by the provisions of the GDPR, meaning that the same care has to be taken with it as with identifiable data. Whilst the implementation of the GDPR can seem daunting, from the perspective of researchers and writers of case reports, all that the GDPR is doing, essentially, is to give current best ethical practice a legal standing. Contributors Marc Cornock is the sole author. Conflict of interest The author declares that he has no conflict of interest. Funding No funding was sought or secured in relation to this editorial. Provenance and peer review This editorial was commissioned and not externally peer reviewed.