Overview
This article is intended to provide guidance and information on Europe's data security protections to researchers at the University of Oregon. General information about the GDPR may be found in the General Data Protection Regulation (GDPR) knowledge base article; it is recommended that you read that article first.
Guidance
GDPR applies to processing personal data collected from any individuals located in the European Economic Area (EEA).
- Processing generally means to work with the information in any way, including collecting, storing, sharing, analyzing, or archiving the information.
- Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- The GDPR broadly divides personal data into three categories:
  - Personal Information. This category includes, but is not limited to, name, email address, phone number, IP address, location (GPS data), or identifiable photos (not taken in a public place).
  - Special categories of personal data are considered more sensitive than the general category of personal information. Special categories of personal data are: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a person's sex life, or data concerning sexual orientation.
  - Data relating to criminal convictions and offenses. This category includes data about criminal behavior, allegations, and proceedings, as well as criminal records, arrest history, details of criminal charges or investigations, sentencing information, and data from background checks related to criminal activity.
When does the GDPR apply to research?
GDPR broadly applies in three scenarios:
- Involving individuals in the EEA.
  - If research activities collect personal information from individuals in the EEA, or involve personal information that was previously collected from individuals within the EEA, then the GDPR applies to those activities.
- Involving organizations established in the EEA.
  - If a study involves another organization that processes personal information as part of the research activities and that organization is established in the EEA, then the information is protected by the GDPR, even if the processing occurs outside the EEA.
- Involving monitoring of persons in the EEA.
  - Any personal information collected from an EEA resident as a result of monitoring their behavior within the EEA is subject to the GDPR.
What are the roles under GDPR and what do they mean?
- Data Controller is the entity (natural or legal person) that determines the purposes and means of processing personal data. This role carries the primary responsibility for ensuring GDPR compliance. If you are the principal investigator (PI) for a research study involving personal data collected from individuals within the EEA, it is likely that you are the Data Controller. Data Controllers must:
  - Establish lawful bases for data processing.
  - Ensure transparency and accountability.
  - Respond to data subject requests (e.g., access, erasure).
  - Maintain records of processing activities.
- Data Processor acts on behalf of the controller to process personal data. This role is often filled by third-party service providers. Processors must:
  - Follow the controller's instructions.
  - Implement appropriate security measures.
  - Notify the controller of data breaches.
  - Maintain a Data Processing Agreement (DPA) with the controller.
- Data Protection Officer (DPO) is a leadership role required for organizations that process large volumes of sensitive personal data. At UO, this will be the Chief Information Security Officer (CISO). Responsibilities include:
  - Advising on GDPR obligations.
  - Monitoring compliance.
  - Conducting data protection impact assessments when required for certain high-risk data processing activities.
- Data Subject is the individual whose personal data is being collected, held, or processed. Under GDPR, data subjects have several rights, including:
  - Right to Access: Know what data is being processed and why.
  - Right to Rectification: Correct inaccurate or incomplete data.
  - Right to Erasure ("Right to be Forgotten"): Request deletion of personal data under certain conditions.
  - Right to Restrict Processing: Limit how data is used.
  - Right to Data Portability: Receive data in a structured, commonly used format.
  - Right to Object: Oppose processing based on legitimate interests or direct marketing.
  - Rights related to Automated Decision-Making: Challenge decisions made solely by automated means.
What does GDPR require of a researcher?
As a Data Controller
- Use a lawful basis to collect personal data. The GDPR outlines six (6) bases under which personal data may be processed: consent, contract, legitimate interest, legal obligation, vital interest, and public task.
  - The UO Information Security Office recommends that consent be used as the basis to collect data. If a basis other than consent is used, the researcher should consult with legal counsel.
- Supply the Data Subject with a Privacy Notice. The notice must contain:
  - What information will be collected.
  - The purpose for which the data is being collected.
  - Who the data will be shared with.
  - The data retention timeline.
  - Notice of rights under GDPR and how to exercise them.
    - E.g., contact the PI via the email address provided.
- Obtain valid consent, if using consent as the legal basis for data collection.
  - For personal data, unambiguous consent must be given. This means that you must tell the data subject what the purpose of the collection is, and whether the data will be used in future studies.
    - E.g., a user checks a box that was initially blank (pre-consent, or consent by default, is not allowed) and supplies their name and email address to receive a newsletter. The user is clearly informed that they may also receive marketing information related to the newsletter.
  - For special categories of sensitive data, explicit consent is required. This means the data subject must be clearly informed of the specific purpose for data collection and any intended future uses. If a researcher cannot specify those future uses, the data must not be reused without obtaining new explicit consent for the updated purpose.
  - For criminal offense data, legal authority is required. Contact legal counsel for information on how to proceed if your research involves this type of data.
- Establish and document a plan to manage research security.
  - Practice data minimization.
    - Collect only the necessary data, and
    - Retain data for only as long as is necessary and securely delete it afterward.
  - Utilize pseudonymization and encryption.
    - Sensitive data should be anonymized, pseudonymized, or encrypted to reduce risk in case of a breach.
  - Implement strict access controls.
    - Limit access to sensitive data to authorized personnel only.
    - Implement role-based access control (RBAC) and multi-factor authentication (MFA).
  - Accountability and documentation.
    - Maintain a Record of Processing Activities.
    - Document all decisions, safeguards, and risk assessments to demonstrate compliance.
  - Ensure external collaborators are compliant with GDPR.
  - If interested, seek training on GDPR.
  - Ensure that each research team member understands that GDPR applies and what actions are required of them.
- If necessary, perform a Data Protection Impact Assessment (DPIA) before any data is collected.
  - A DPIA is required when:
    - Large-scale processing of sensitive data categories is involved (e.g., health, racial, biometric, or financial data).
      - E.g., a bus operator about to implement on-board cameras to monitor drivers' and passengers' behavior.
    - There is systematic monitoring of public areas, such as through surveillance systems.
      - E.g., a hospital about to implement a new health information database with patients' health data.
    - The processing involves profiling or automated decision making that significantly affects individuals.
      - E.g., a bank screening its customers against a credit reference database would require a DPIA.
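The following Python is an added illustration of the pseudonymization and data-minimization guidance above, and of the FAQ point that keyed pseudonymous data (unlike fully anonymized data) is still personal data; it is example code written for this article, not UO tooling, and the record fields, the study field list and the key handling are assumptions.

```python
"""Pseudonymize research records with a keyed hash (HMAC-SHA256).

The dataset can then be analyzed without names or emails, while the key,
stored separately and access-restricted, still allows the key holder to
re-link rows to people. That is why the output is pseudonymous, not
anonymous, and remains in scope for the GDPR.
"""
import hashlib
import hmac
import secrets

# Fields that directly identify a data subject (assumed list for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def subject_token(key: bytes, name: str, email: str) -> str:
    """Deterministic keyed token for one person: same key + same person ->
    same token, so repeated sessions can be linked without storing the name."""
    msg = (name.strip().lower() + "|" + email.strip().lower()).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:24]


def pseudonymize(record: dict, key: bytes, keep: tuple) -> dict:
    """Replace direct identifiers with a token and keep only the fields the
    study needs (data minimization). Direct identifiers are never kept,
    even if listed in `keep`."""
    token = subject_token(key, record["name"], record["email"])
    minimized = {f: record[f] for f in keep
                 if f in record and f not in DIRECT_IDENTIFIERS}
    return {"subject": token, **minimized}


def reidentify(token: str, known_people: list, key: bytes):
    """What the key holder can do that an outsider cannot: match a token
    back to a (name, email) pair. Returns None when nothing matches."""
    for name, email in known_people:
        if hmac.compare_digest(subject_token(key, name, email), token):
            return (name, email)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep apart from the dataset, restrict access
    raw = {"name": "Ada Example", "email": "ada@example.org", "age": 41,
           "survey_score": 7, "home_address": "1 Constructed St"}  # constructed
    row = pseudonymize(raw, key, keep=("age", "survey_score"))
    print(row)
    print(reidentify(row["subject"], [("Ada Example", "ada@example.org")], key))
```

Anyone holding only the rows cannot reverse the tokens, but anyone holding the key can, so the key and the dataset must be protected and governed as a pair.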
As a Data Processor
If a researcher is receiving data as part of a research study, and they are acting as a Data Processor, they must follow the contractual terms established by the Data Controller.
Frequently Asked Questions
- What if our research will involve de-identified data; will the GDPR apply?
  - If you receive the data fully anonymized, no, GDPR does not apply.
  - However, if your data is pseudonymized (a key exists that can re-identify the data subjects), the GDPR applies.
- My research uses only publicly available data; will GDPR apply?
  - Under the GDPR, if personal data is processed, even if it originates from a public dataset, the regulation still applies. Typically, public datasets are distributed with specific terms outlining how the data may be used, and researchers must adhere to those terms.
- My research involves animals; none of the research subjects are persons. Will the GDPR apply?
  - Maybe. GDPR applies to humans ("natural persons"); however, are you collecting owner names? If so, GDPR applies to the personal data of the animals' caretakers.
- What countries comprise the European Economic Area (EEA)?
  - The EEA consists of the 27 European Union (EU) countries, with the addition of three of the European Free Trade Association (EFTA) countries.
  - The EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
  - The three EFTA countries to which the EU GDPR applies are: Iceland, Liechtenstein, and Norway.
- What about the United Kingdom? The UK left the EU in 2020; does the GDPR still apply?
  - The EU GDPR does not apply; however, the UK has established the UK GDPR.
Need Help?
The Information Security Office can help! Send us an email at isrc@uoregon.edu, or submit a service request using the Information Security Consulting Request.
Resources