by Elizabeth Peterson

Balancing Privacy and Innovation: The GDPR Is Almost Here

May 2018 is fast approaching, meaning the implementation of the European Union’s new General Data Protection Regulation (GDPR) is almost upon us. This new regulation aims to harmonize the current data protection laws in place across the E.U. and to address the export of personal data outside the E.U.

Unlike the existing E.U. Data Protection Directive, which allows each member state to adopt established principles into their own domestic legislation, the GDPR does not require national implementation. However, each member state must still establish an independent supervisory authority to enforce the rules as in the previous Directive.

The GDPR, while increasing restrictions and obligations for those using personal data, also strikes a balance between privacy and innovation, and it emphasizes transparency and necessity in data processing. This is evident in its broad interpretation of the term “research” and expanded definition of acceptable grounds for processing[1] sensitive personal data, as well as how processors[2] and controllers[3] must handle data, stating, “Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject.”

To better understand how the GDPR impacts researchers and others handling personal data, it is important to understand the current regulatory framework, then to consider the fundamental changes the GDPR poses.


Current Regulatory Framework

The E.U. Data Protection Directive governs the collection, holding, processing, disclosure, and transfer of individuals’ personal information (including internet and cloud-based activities). Under the Directive, individuals have enforceable rights when entities are processing their personal data, including:

  • The right to be informed in a clear and understandable language that personal data is being processed
  • The right to have access to one’s own personal data
  • The right to rectify any wrong or incomplete information
  • The right to receive compensation from the data controller for any damage the data subject suffers from this use of their personal data


How Does the GDPR Affect Research?

The GDPR adopts a broad interpretation of research that encompasses publicly and privately funded research (including public health research), technological development, and applied research. (Recital 159)

The broad interpretation of research is not the only expansion that will affect researchers. One of the most significant changes brought by the adoption of the GDPR is the broadening of its territorial scope.

Unlike the Directive, the GDPR includes controllers residing outside of the E.U. but processing personal data of E.U. residents. The GDPR applies if the processing activities are related to offering goods or services (paid or unpaid) to E.U.-residing data subjects or monitoring those subjects’ behavior when that behavior takes place within the E.U. This means that a researcher in the United States or Canada processing data from E.U. residents will be held to GDPR standards.

In the same vein, the GDPR goes beyond the Directive regarding processor liability. The Directive holds processors liable for damages caused by violations of the Directive only insofar as they have contractual liability to a controller. Now, processors are held to the same standard as controllers and are directly liable; individuals may now bring claims directly against processors for damages caused by the unlawful processing of their data. Given the expansion of the territorial scope, this means that a non-E.U.-based researcher may be directly liable to an E.U. resident for damages if there are GDPR violations.

Under the GDPR, research entities might find a greater basis for processing “sensitive personal data,” including health data, as the GDPR allows new data processing without consent if necessary for reasons of public interests in public health, as well as for historical or scientific research purposes or statistical purposes, subject to appropriate safeguards and respecting the individual’s fundamental rights, their interests, and their data protection rights.

This change emphasizes the GDPR’s general encouragement of well-managed innovation, as it allows the possibility of public interest outweighing personal privacy rights. By providing a means by which sensitive personal data may be processed outside of the traditional avenues of consent, the GDPR opens up possibilities for undertaking new research projects with wide-ranging implications.

Lastly, researchers may also benefit from secondary processing of personal data without the need for additional consent. Under GDPR’s Recital 50, processing data for a secondary purpose is permitted so long as it is compatible with the purposes for which the personal data was originally collected. No additional legal basis is needed for the second collection.

In addition to this, the recital states that further processing for scientific research or statistical purposes should be considered to be compatible lawful processing operations. This directly contrasts with the Directive, which specifies that sensitive personal data may be permitted for secondary uses only with consent.



While creating a consistent, overarching framework for all E.U. member states, the GDPR aims to increase data protections while encouraging growth and innovation. The opportunity to use sensitive personal data for research purposes appears to expand under this new regime, although so too does the downstream liability for processors.

As May 2018 approaches, researchers should consider whether and how they plan to leverage the apparent newfound flexibility in the E.U. for data-based research.


Executive Insight

Mitchell Parrish, JD, RAC, CIP, VP of Legal and Regulatory Affairs

Data protection is certainly on everyone’s mind with large scale security breaches seemingly commonplace in the news. The arrival of GDPR seems timely and is a reminder that there are best practices that help reduce the chance of information being compromised. For those involved in medical research in the E.U., this is not just another requirement, but an opportunity to further ensure that sensitive personal information is protected.



[1] Processing under the current Directive means “any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” Directive 95/46/EC Art. 2(b)

[2] Processor means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. The definition of “processor” remains the same in the Directive and the GDPR.

[3] Controller under the current Directive means “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.” Directive 95/46/EC Art. 2(d). The definition of “controller” remains virtually the same in the GDPR Art. 4(7).
