The General Data Protection Regulation (the GDPR or the Regulation) is a European law that expanded the privacy and security protections for individuals’ personal information. It regulates the collection, use, transfer, storing and other processing of personal information of individuals located in the EEA. The GDPR became effective on May 25, 2018. As of January 1, 2021, the United Kingdom (UK) will have completed its transition period to leave the European Union and the GDPR will then no longer apply to the UK. The UK government has, however, “said that it intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.” The primary applicable law will be the UK Data Protection Act 2018 (the UK DPA).

The GDPR will very likely apply to your research if the research activities will:

• be conducted in association with an established organization in the EEA or UK,
• involve personal information collected from any person while they are in the EEA or UK,
• involve monitoring the behavior of persons while they are in the EEA or UK,
• involve transferring personal information out of the EEA or UK, or
• involve the secondary use of data that was protected by the GDPR or UK DPA when initially collected.

If you believe the GDPR or UK DPA may apply to your research, please submit the Tufts University GDPR Research Questionnaire (linked below). For other questions about GDPR see more on AccessTufts or contact dataprivacy@tufts.edu.