The General Data Protection Regulation (GDPR) and Research Activities

What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive set of privacy regulations adopted by the European Union to protect the collection, use, and transfer of personal information of individuals in the European Union.   The GDPR applies to all EU individuals, organizations established in the EU, and certain non-EEA organizations (including, potentially, MIT) that process personal data of individuals in the EU. The regulations also apply to certain non-EU countries, such as Switzerland, and all countries in the European Economic Area:  Iceland, Liechtenstein, and Norway.  For clarity, we will refer to the relevant GDPR countries, collectively, as the “EEA.”

What is personal data?

Under the GDPR, “personal data” refers to any information that relates to an identified or identifiable natural person (i.e., an individual, not a company or other legal entity).  Examples of “personal data” include a person’s name, email address, government-issued identification, other unique identifier such as an IP address or cookies, and personal characteristics, including photographs.

The GDPR also defines certain “special categories” of personal data, which require a higher level of protection due to their sensitive nature and consequent risk for greater harm. This includes information about an individual’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership.

How could the GDPR impact my research?

If you plan to collect “personal data” from participants residing in the EEA, your project may be subject to the GDPR.  In designing your protocol, you will need to consider the following issues:

· What personal data will be collected and whether any special categories will be included;

· How will the personal data be collected and by whom?

· Who will take the responsibility of providing the required informed consent; and

· How will the information be transferred out of the EEA to MIT.   

What if my collected personal data is not readily identifiable?

Even if your data is not readily identifiable, it may still be subject to GDPR protection.  For example, coded data, referred to as “pseudonymized data” in the GDPR, is still considered personal data even where the researcher does not have access to the key or code.  On the other hand, the GDPR does not apply to data that have been anonymized.  

Where can I find more information about the GDPR?

For more information regarding the GDPR, including FAQs and templates, please see the GDPR resource page at the Risk Management & Compliance Services (RMCS) website.