Abstract
The General Data Protection Regulation (GDPR) [1] comes into force across the European
Union on 25th May 2018. It is a major piece of legislation that will control how personal
data is used and stored, in order to protect an individual's privacy. Essentially
it updates the previous data protection laws and makes them fit for purpose in the
21st century.
Many of the provisions within the GDPR are aimed at organisations and designed to
prevent them from harming an individual's privacy. One of the often reported aspects
of this is the fact that a serious breach of the GDPR could result in a fine of up
to €20 million.
Whilst researchers and writers of case reports will hopefully not have to concern
themselves with this aspect of the GDPR, there are some key aspects of the GDPR that
they will need to consider.
According to Article 4 of the GDPR, “personal data” constitutes any information that
relates to a natural person that can identify them, either directly or indirectly.
Anyone who “processes” that information has to be aware of their responsibilities:
processing includes collection and dissemination of personal data.
To use an individual's personal data for research or publication purposes, consent
has to be obtained. The GDPR has considerably improved and strengthened the consent
requirement from that required in previous data protection laws.
Those who are relying upon an individual's consent to use their personal data for
research or publication purposes will need to prove that the individual has consented.
Consent cannot be via an “opt-out” procedure whereby if you don't opt-out your data
will be used. There is an onus to be able to prove that consent has been obtained.
Where the consent is obtained in a written document, the consent request has to be
‘clearly distinguishable from the other matters, in an intelligible and easily accessible
form, using clear and plain language’ (Article 7 (2)).
Children under the age of 13 cannot give their own consent (Article 8 (1)), and those
seeking to use a child's personal data have to take reasonable steps to verify that
the person with parental responsibility has provided consent.
Withdrawal of consent has to be as easy as the initial provision of consent. This
means that individuals must be told that they have a right to withdraw their consent,
and the ways in which they can do this.
Article 17 of the GDPR provides individuals with a ‘Right to erasure’. This allows
individuals to request that their data is erased and no further dissemination is allowed.
However, where the data is still required for the original reason for which it was
collected, it can still be used.
A final consideration for researchers and writers is that of pseudonymisation. This
refers to any process which renders the data in such a way that it cannot be attributed
to a specific individual. The GDPR still considers pseudonymised data to be personal
data and therefore covered by the provisions of the GDPR, meaning that the same care
has to be taken with it as with identifiable data.
Whilst the implementation of the GDPR can seem daunting, from the perspective of researchers
and writers of case reports, all that the GDPR is doing, essentially, is to give current
best ethical practice a legal standing.
Contributors
Marc Cornock is the sole author.
Conflict of interest
The author declares that he has no conflict of interest.
Funding
No funding was sought or secured in relation to this editorial.
Provenance and peer review
This editorial was commissioned and not externally peer reviewed.