The European Economic Area (EEA) and the United Kingdom (UK) have additional requirements regarding data privacy, referred to as the GDPR. When UW-Madison is working with personal data collected in, or transferred from, any EEA country (any EU member state plus Norway, Iceland, and Liechtenstein) or the UK, GDPR will be relevant. This includes data collected, obtained, or used for research projects. “Personal data” means any information relating to an identified or identifiable person. Data that is coded with links to identifiers, or “pseudonymized” in GDPR terminology, is still subject to GDPR. GDPR does not apply to anonymized data. However, there is no de-identified (or anonymized) safe harbor similar to HIPAA. Whether data is anonymized per GDPR must be determined based on the facts and circumstances, considering all the means reasonably likely to be used to identify the person, directly or indirectly. Failure to follow GDPR if it applies puts the University at risk of noncompliance, monetary fines, and reputational harm, so it is critical to understand and assess whether GDPR applies to your study.

GDPR requires a legal basis to collect and process (e.g., analyze) personal data. In order to use personal data for research, the legal basis that generally will apply is consent from the data subject.

Consent must be freely given, specific, informed, and unambiguous, indicating the data subject’s wishes by a statement or by a clear affirmative action:

Freely given means the individual must have a realistic choice, or the realistic ability to refuse or withdraw consent. Individuals in a position of authority cannot obtain consent, nor can consent be coerced.

Specific means the consent must be explicit and transparent and contain the following information:

  • Identity of the Principal Investigator
  • Purpose of the data collection
  • Types of data collected, including a listing of any special categories of data. This includes information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership
  • The right to withdraw from the research and the mechanism for withdrawal
  • Who will have access to the data
  • Time period for which data will be stored (can be indefinite)
  • Information regarding data security, including storage and transfer of data
  • Information regarding automated processing of data for decision making about the individual, including profiling
  • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study

Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.

Unambiguous means consent is given through a statement or clear affirmative action.

  • This may be by a written or oral statement or other affirmative act demonstrating consent. For instance, checking a box can indicate consent, while silence or pre-ticked boxes that require unchecking (opting out) cannot.
  • Investigators should be able to demonstrate that a particular subject consented to the research. Consent records, including time and date of consent, must be maintained for each data subject.
  • If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
  • There is no ability for the IRB to waive informed consent under GDPR.

Additionally, there are certain rights that data subjects have:

  • The right of access to their data
  • The right to request corrections to their data
  • The right to withdraw and to request erasure of their data. In this case, data may be retained only if it is anonymized or if another legal basis exists to retain the data. This may include:
    • The need to protect scientific research if deletion would render impossible or seriously impair the research objectives; or
    • The need to protect the public health by ensuring the accuracy and quality of data related to medical care or to investigational drugs and devices
  • The right to request transfer of their personal information to a third party (such as a personal physician) in a format suitable for re-use

Contact the IRB office or the UW Office of Legal Affairs to ensure that the following elements of the research are consistent with institutional policies and interpretations of EU GDPR:

  1. Any applicable study design elements related to data security measures.
  2. Procedures related to broad/unspecified future use consent for the storage, maintenance, and secondary research use of identifiable private information or identifiable biospecimens.