GDPR Research FAQs

This series of Frequently Asked Questions (FAQs), developed for Tufts University researchers, focuses on the General Data Protection Regulation (the GDPR) and how it may apply to your research, whether it is human subject research or other research that may include any identifying information about natural persons. This guidance explains when research activities fall within the scope of the GDPR and describes its requirements.

IRB approval will not be provided for any University research study involving human subjects that is subject to the GDPR without confirmation of GDPR compliance from the Office of the Vice Provost for Research.

Abbreviations and Definitions:

EU: The European Union is an economic and political union among 28 European countries.

EEA: The European Economic Area unites the 28 EU member states and the three EEA European Free Trade Association states (Iceland, Liechtenstein, and Norway) into an internal market governed by the same basic rules. See FAQ II(3).

EDPB: The European Data Protection Board was established by the General Data Protection Regulation (GDPR). As an independent European body, the EDPB contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. For more information, see the European Data Protection Board website: https://edpb.europa.eu/.

Health Sciences IRB: The Health Sciences Institutional Review Board for Tufts University and Tufts Medical Center.

HIPAA: The Health Insurance Portability and Accountability Act.

SBER IRB: Tufts University’s Social, Behavioral and Educational Institutional Review Board.

DPIA: A Data Protection Impact Assessment under the GDPR. See FAQ IV(9).

Processing: Processing data under the GDPR generally means to work with the information in any way, including collecting, storing, sharing, analyzing, or archiving the information. The GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” (GDPR Article 4(2))

Frequently Asked Questions about the GDPR and Research

These FAQs are organized into the following sections based on these core questions:

  1. What is the GDPR?
  2. Will the GDPR apply to my research?
  3. Are there changes I can make to my research protocols that will ensure GDPR does not apply to my research?
  4. Are there changes I can make to my research protocols that will facilitate compliance with the GDPR?
  5. If the GDPR applies to my research, what kinds of actions can I expect my research team will need to complete before our research may proceed?
  6. What next steps do I need to take now?
  7. Whom do I contact with my questions? What general resources are available?

I. What is the GDPR?

1. What is the purpose of the GDPR?

The General Data Protection Regulation (the GDPR or the Regulation) is a European law that expanded the privacy and security protections for individuals’ personal information. It regulates the collection, use, transfer, storing and other processing of personal information of individuals located in the EEA.

The GDPR became effective on May 25, 2018. As of January 1, 2021, the UK will have completed its transition period to leave the European Union and the GDPR will then no longer apply to the UK. The UK government has, however, "said that it intends to incorporate the GDPR into UK data protection law from the end of the transition period - so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR." UK ICO Data Protection at the end of the Transition Period. The primary applicable law will be the UK Data Protection Act 2018 (the UK DPA).

2. I am based in the United States. Why might the GDPR affect my research?

The GDPR will very likely apply to your research if the research activities will:

  • be conducted in association with an established organization in the EEA,
  • involve personal information collected from any person while they are in the EEA,
  • involve monitoring the behavior of persons while they are in the EEA,
  • involve transferring personal information out of the EEA, or
  • involve the secondary use of data that was protected by the GDPR when initially collected.

3. Why is it important to comply with the GDPR?

Noncompliance with the GDPR could result in your research being terminated.

Failure to comply with the GDPR will put not only Tufts, but also your research, at risk for:

  • High fines
  • Regulatory orders requiring discontinuation of research activities
  • Violations of grant or other funding covenants, resulting in loss of funding
  • Reputational harm

4. Is it possible to apply for a waiver to the application of GDPR?

No. The GDPR does not provide a procedure to be exempted from its requirements.

II. Will the GDPR apply to my Research?

1. In what situations will the GDPR apply to research? What kinds of connections to the EEA would cause the GDPR to apply to my research?

There are three types of situations that are subject to the GDPR.

A. Involving persons in the EEA.

If research activities collect personal information from individuals while they are in the EEA or involve personal information that was previously collected from persons while they were in the EEA, then the GDPR will apply to those activities. This scenario applies even if none of the organizations associated with the research are or were established in the EEA at the time of collection. Protection for the personal information must continue after the person leaves the EEA.

B. Involving an established organization in the EEA.

If your study will involve another organization that processes personal information as part of the research activities and that organization is established in the EEA, then the information is protected by the GDPR, even if the processing occurs outside the EEA. To process data under the GDPR generally means to work with the information in any way, including collecting, storing, sharing, analyzing, or archiving the information.

C. Involving monitoring persons in the EEA.

If a person is present in the EEA, any personal information collected from them as a result of monitoring their behavior within the EEA will be subject to the GDPR.

2. My study will collect information using an online survey. Will the GDPR apply?

Maybe, if the survey may be accessed by persons while they are in the EEA. One alternative is to block IP addresses from the EEA. Another option to reduce the likelihood the GDPR will apply is to avoid promotion of the survey or the study in any way in the EEA.

3. In what countries does the GDPR apply?

GDPR Countries:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom
  • Iceland
  • Liechtenstein
  • Norway
  • Switzerland

4. What personal information does the GDPR regulate?

GDPR personal data includes any information that identifies or could identify a person.

Personal data protected by the GDPR is much broader than Protected Health Information (PHI) under HIPAA or other types of personal information protected in the United States, such as Social Security numbers and financial account numbers.

The list below includes examples of personal data. This is not a complete list.

  • Name
  • Email address
  • Phone number
  • Social Security numbers and other identification numbers
  • Location data
  • User names
  • Online identifiers
  • IP addresses
  • Online cookie data
  • Images
  • Voice
  • Distinctive body markings
  • Content generated by the individual
  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Physical or mental health information
  • Sex life and sexual orientation
  • Genetic and biometric data

A name alone is personal data.

It is not necessary to have a name associated with the information. If the information, taken in the aggregate, could be used to identify a person, it is personal data protected by the GDPR.

5. My research involves animals; none of the research subjects are persons. Will the GDPR apply?

If your research will collect or otherwise include personal information of persons, then the GDPR will very likely apply. For example, if your research will collect the contact or other identifying information of the animals’ owners, then that personal information will be protected by the GDPR. GDPR protection extends beyond the immediate subjects of the research to third parties.

6. If our research will only involve information that is publicly available, will the GDPR apply?

Generally, personal information is protected even if it has been otherwise publicly disclosed. The GDPR provides protection not only for maintaining privacy, but also for how personal information is used.

7. If our research will involve de-identified data, will the GDPR apply?

Anonymized information is not personal data under the GDPR.

The GDPR does not include guidance on what practices to follow to sufficiently anonymize personal information to remove the data from regulation under the GDPR.

HIPAA de-identified information will be considered pseudonymized personal data under the GDPR, not anonymized. So long as a key exists to re-identify information, even if the key is sequestered from the research team, the information will not qualify as anonymized.

Under the Regulation, anonymous information neither identifies an individual nor makes it possible to identify an individual.

To discuss anonymizing information, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

8. To which persons does the GDPR apply? Does the GDPR only apply to EEA citizens and residents?

The GDPR applies to all persons located in the EEA. There is no requirement that a person be an EEA citizen or an EEA resident.

On the other hand, the GDPR does not apply to EEA citizens who participate in research studies while they are located outside of the EEA, provided that none of the organizations associated with the research study are established in the EEA and the personal information is not transferred into the EEA.

9. Our research team will be contracting with translators and other third-party service providers. Will the GDPR apply to those persons?

The contact and other limited personal information your research team will need for those persons will not be in scope for the GDPR, unless the research is conducted in connection with a Tufts establishment in the EEA.

10. Does the GDPR have any requirements for research involving children?

Yes. There are special protections for children under the age of 18. If your study includes minors, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

11. Does the GDPR apply to the personal information of deceased persons?

No, it does not. However, your study may still need to comply with other regulations in each country.

12. Our research team will be working with a research team from a European organization that controls the research. Will the GDPR apply to our work?

Yes. You will need a contract with the European organization that addresses the GDPR’s requirements and the other obligations each party has. Contact Pre-Award Staff or the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

13. My research does not involve collecting new personal information. We will be working with an existing data set. Will the GDPR apply?

If the information will be fully anonymized before your team receives it, then the GDPR will not apply. See FAQ II(7).

If the information will not be anonymized, then the GDPR will very likely apply if the data set includes information that was:

  • collected by an established organization in the EEA
  • collected from any person while they were in the EEA, or
  • transferred out of the EEA.

III. Are there changes I can make to my research protocols that will ensure the GDPR does not apply to my study?

1. Could the study’s objectives be met without including personal information from the EEA? Is the inclusion of personal information from the EEA expected to be incidental?

If you expect that personal information from EEA countries could be excluded from the study without a negative impact, then consider including measures in the protocol to exclude that information and, by doing so, ensuring the GDPR does not apply to your study.

Examples:

  • For studies that will collect information using an online survey, access to the survey might be blocked for persons in the EEA by blocking IP addresses from the EEA.
  • For studies that will collect information by phone, the callers would always call from outside the EEA and ask where the person is located.
  • If contact with research subjects is to be made by mail, then all addresses that are in the EEA would be removed.

If you are interested in discussing this approach, including methods to avoid collection of personal information from an EEA country, please contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

2. Could all the EEA personal data the study collects or otherwise processes be anonymized?

Anonymizing the EEA personal data under the GDPR can be difficult. See FAQ II(7) above. But if your study can be structured to only collect and use anonymized information in every stage of the study, then you will not be required to comply with the GDPR’s restrictions.

If anonymization is accomplished later in the study, the Regulation will apply until the anonymization has been effected, but will not apply afterward to the anonymized data.

If the personal information to be processed has already been collected as part of an earlier study, or will be collected separately from your study, then you could consider requiring anonymization before you receive the data.

If you can have a third party anonymize the data in the EEA and only transfer the anonymized data to the United States, any effort to comply with the GDPR would be much simpler.

Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB to discuss anonymization methods.

IV. Are there changes I can make to my research protocols that will facilitate compliance with the GDPR?

Consider incorporating these recommendations in your study’s protocols to lessen the impact of the GDPR’s administrative requirements, while continuing to meet your study’s objectives.

1. Minimize the personal information collected and processed.

Data minimization is one of the core principles of the GDPR. See FAQ I(3).

Consider the range of information your study will be collecting. Are all types of information necessary to meet the study’s purposes? Are the categories of personal information, and the specific data items, tailored to the study’s focus? The fewer types of personal information collected, the less risk there will be to the data subjects’ privacy, and the less risk there will be of noncompliance.

2. When possible, don’t collect sensitive information.

The GDPR includes more stringent protections for the following “special categories” of personal data:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Physical or mental health information
  • Sex life and sexual orientation
  • Genetic and biometric data

If you eliminate these types of information from your study, you will reduce the level of scrutiny the GDPR will require for your research.

3. Do not collect information about criminal offenses or convictions.

The GDPR’s restrictions for criminal offense or conviction information are very strict. The GDPR states that this information may only be collected and processed if the research is under the control of an official authority of an EEA country or if the processing is authorized by Union or Member State law.

If your research will involve criminal offense or conviction information, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

4. If anonymization is not possible, pseudonymize the personal information whenever feasible.

The GDPR encourages the practice of reducing the identifiability of personal information by using pseudonymization as a safeguard for data subjects. Under the GDPR, data is pseudonymized if

  • The information cannot be attributed to a specific individual without the use of additional information (i.e. a “key”)
  • The key is kept separately from the data set
  • Access to and use of the key is protected by technical and administrative measures. The key must be kept separately, but designated, authorized persons within the research team may have access.

The GDPR’s requirements are less restrictive if personal information is pseudonymized. For example, some of the rights data subjects otherwise have (see FAQ IV(10) below) will not apply.

Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, to discuss how to pseudonymize the data.
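The three pseudonymization conditions above (no attribution without a key, key kept apart from the data set, key access restricted) can be implemented in code. The following is an added illustration written for this FAQ, not Tufts’ own tooling or guidance; the records are constructed, and the `KeyStore` class, `pseudonymize` and `reidentify` functions are hypothetical names chosen for the example. It uses a keyed hash (HMAC-SHA256) rather than a plain hash so that nobody without the key can recompute a pseudonym from a guessed name or email, and it keeps the key and the pseudonym-to-identity mapping in a separate object that the research data set never contains.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for illustration; these are not real subjects.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "FR", "score": 42},
    {"name": "Bob Example", "email": "bob@example.org", "country": "DE", "score": 37},
]

# Fields that directly identify a person and must not remain in the research data set.
DIRECT_IDENTIFIERS = ("name", "email")


class KeyStore:
    """The 'additional information' (the key) held apart from the research data set.

    Hypothetical design for this example: in practice this object would live in a
    separate, access-controlled location that only designated team members can open.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # 256-bit random key. A plain (unkeyed) hash of an email address would let
        # anyone who can guess the address recompute the pseudonym.
        self.key = key if key is not None else secrets.token_bytes(32)
        # pseudonym -> direct identifiers, so authorised staff can re-identify a subject
        self.mapping: dict[str, dict[str, str]] = {}


def pseudonym_for(key: bytes, direct_ids: dict[str, str]) -> str:
    """Derive a stable pseudonym with HMAC-SHA256 over the direct identifiers."""
    canonical = "\x1f".join(f"{k}={direct_ids[k]}" for k in sorted(direct_ids))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list[dict], store: KeyStore) -> list[dict]:
    """Return copies of the records with direct identifiers replaced by a pseudonym.

    The key and the pseudonym mapping go into ``store``; the returned records
    contain neither, which is what makes them pseudonymized rather than identified.
    """
    out = []
    for rec in records:
        direct = {k: str(rec[k]) for k in DIRECT_IDENTIFIERS}
        pid = pseudonym_for(store.key, direct)
        store.mapping[pid] = direct
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject_id": pid, **rest})
    return out


def reidentify(subject_id: str, store: KeyStore) -> Optional[dict[str, str]]:
    """Look a pseudonym back up; this only works for whoever holds the key store."""
    return store.mapping.get(subject_id)


def is_pseudonymized(records: list[dict]) -> bool:
    """Check that no record still carries a direct identifier field."""
    return all(all(k not in rec for k in DIRECT_IDENTIFIERS) for rec in records)


if __name__ == "__main__":
    store = KeyStore()
    data = pseudonymize(SAMPLE_RECORDS, store)
    print(data)                                    # research data set: no names or emails
    print(reidentify(data[0]["subject_id"], store))  # only possible with the key store
```

Note that the pseudonymized records still carry `country` and `score`; as FAQ II(4) points out, indirect attributes that in the aggregate could single out a person keep the data within the GDPR, so removing direct identifiers makes the data pseudonymized, not anonymous.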

5. If consistent with your study’s objectives, consider excluding minors as data subjects.

The GDPR permits the processing of personal information of minors. It imposes a requirement that the informational notice and any consent for minors be adapted to their level of understanding. The inclusion of minors should be factored into the weighing of the subjects’ privacy rights against the research study’s requirements. We expect the level of scrutiny by supervisory authorities will be higher if minors were involved in the research.

6. Consider not transferring the data collected in the EEA out of the EEA.

The GDPR includes restrictions not only on processing personal data, but on transferring personal data out of the EEA. If your study will be able to be completed without transferring the personal information out of the EEA, or if anonymization can be accomplished before the transfer, then the study will not be subject to the GDPR transfer restrictions. See FAQs IV(7), V(3) and V(6) below. FAQ V(6) discusses how using some IT apps and tools may be considered as effecting a transfer out of the EEA.

7. When you select IT tools and applications for use by your study, consider whether they are already GDPR compliant.

All IT apps and tools provided by third parties that store personal information off site must be approved for use with EEA personal data. Likewise, all IT apps and tools that will enable any third party to access the personal data, or that will involve other processing of the data by a third party, must be approved for use with EEA personal data. Examples include an app or tool that stores the information in the cloud or that requires transferring the data to the third party.

To meet the GDPR’s requirements, the app or tool’s provider must confirm in writing to Tufts that the provider and the app or tool are GDPR compliant.

Many of the University’s most commonly used apps and tools are approved for use with personal data regulated under the GDPR, but there are some Tufts provisioned apps and tools that are not yet approved. As part of the GDPR review of your study, the apps and tools you intend to use will be reviewed.

If you anticipate using an app or tool not currently licensed by Tufts on a university-wide basis for GDPR regulated data, it is especially important to contact dataprivacy@tufts.edu as soon as possible. Confirming GDPR compliance for a new vendor involves a security review and a signed, written addendum, which often requires considerable lead-time.

See also FAQ V(6).

V. If the GDPR applies to my research, what kinds of actions can I expect my research team will need to complete before our research may proceed?

1. Provide GDPR informational notices for research subjects and other data subjects.

You must provide GDPR informational notices to prospective research subjects and to enrolled research subjects before any personal information is collected.

The notices must disclose what personal information will be collected, the purposes for which it will be used, whom it will be shared with, and how long it will be retained, as well as information about an individual’s rights under the GDPR and how to exercise them. These requirements may be met by supplementing other notices that will otherwise be provided to individuals.

2. Obtain a consent for transferring personal information out of the EEA to the US or to another non-EEA country.

If personal information will be transferred out of the EEA, your study will be required to have a separate justification for that transfer. The US and most non-EEA countries do not meet the GDPR’s privacy requirements to be exempted from this requirement.

For example, if your research team will collect personal information in the United Kingdom, and then upload the personal information into a Tufts Box folder, which stores information in the US, your study will need to obtain consents to this exporting of the information out of the EEA before the transfer occurs. Other examples are using Qualtrics to collect survey data or storing data on a laptop and travelling with the laptop back to the US.

It’s very important to understand that any consent to transfer will be separate and distinct from the informed consent required from research subjects for purposes of meeting ethical standards or research procedure requirements.

3. For secondary uses of data sets, have a justification for processing and for transferring the personal information.

The GDPR has introduced new challenges to the secondary use of personal information related to or incorporated in research data collected in the EEA or otherwise subject to the Regulation. Secondary use of such personal data requires a justification under the GDPR, as will any transfer of the personal data out of the EEA. The provider of the data set should confirm the data was collected in compliance with the GDPR and that the anticipated use by your research team will also be permitted under the GDPR. The EDPB’s guidance for secondary use of personal data is limited. For secondary data processing, the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, will ask you for information so they are able to review compliance with the GDPR.

4. Requirements for valid consents, if obtaining a consent.

The GDPR requires that consent be:

  • Freely given, that is, the individual has a realistic choice;
  • Specific;
  • Informed;
  • Clear and unambiguous; and
  • Affirmatively given. Pre-ticked boxes should not be used. For "special category" information (see FAQ IV(2)), we recommend obtaining a signature (electronic or hand-written) to meet a higher requirement of an "explicit" consent.

5. Establish a plan to handle and manage the research information securely.

EEA personal data must be protected from disclosure and unauthorized use (i.e., in keeping with the initial notice). Personal information may not be shared outside of the research team. Technical security protections, including encryption, should be employed. Pseudonymization is strongly recommended whenever possible.

All Tufts research studies subject to the GDPR are required to comply with Tufts’ GDPR Data Handling Guidelines. These are available from the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, or by emailing dataprivacy@tufts.edu.

Assistance with preparing strategies for data management is available from Tufts Technology Services Research Technology Services (see FAQ VIII).

6. Verify all IT apps and tools are GDPR compliant and use them in a manner that meets the GDPR’s requirements.

As part of the GDPR review, you will be asked to provide a list of all IT apps and tools that will be used in connection with the research activities. See FAQ IV(7). If the configuration of the app or tool provides for a third-party vendor to store the information, such as in the cloud, there must be documentation of the vendor’s GDPR compliance.

The GDPR’s requirements may also limit how your study uses an otherwise approved app or tool. Apps and tools that store data outside of the EEA, but are used by research subjects to submit data for a study, will generally be considered as effecting a transfer out of the EEA. Examples include Qualtrics and Box. It’s recommended that a consent to the “transfer” of that data out of the EEA be obtained either before the app or tool is used, or in the case of a survey tool, as the first action of the research subject.

7. If there will be any external collaborators, negotiate a collaboration agreement that includes assurances the collaborators will comply with the GDPR.

If your research will involve collaborating with other organizations, including universities, medical centers, pharmaceutical companies, and nonprofit policy centers, the terms of that relationship will need to be documented in a written agreement. That agreement must include a section allocating the compliance responsibilities and liability under the GDPR. Contact Pre-Award Staff for assistance.

8. Obtain written confirmation from all service providers that they will act in compliance with GDPR.

If your research study will use any external service providers, then you will need to obtain a commitment from them to comply with the GDPR. Examples include organizations that provide translation or enumeration services, as well as consultants.

9. Obtain the approval of the Tufts University Office of the Vice Provost for Research as a condition of the IRB approval.

The Health Sciences IRB and the SBER IRB will be working with the Office of the Vice Provost for Research to coordinate the approval of research protocols. IRB approval will not be provided without the approval of the Office of the Vice Provost for Research.

10. Include training in the GDPR’s requirements for your research team in your study plan.

To facilitate your study’s research activities, your research team should be trained on how their actions will be impacted by the GDPR’s requirements.

11. If necessary, prepare a Data Protection Impact Assessment (DPIA).

See FAQ IV(9) above for when a DPIA is required and what is required to be included. Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, for assistance with preparing a DPIA.

VI. If the GDPR applies to my research, what kinds of actions can I expect my research team will need to do while conducting our research?

1. Follow your study’s plans for managing the personal information securely.

Throughout the study, ensure that the EEA personal information is protected by following secure handling practices, including those in the data management plan developed for the research. Follow the practices identified in Tufts’ GDPR Data Handling Guidelines, available from the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, or by emailing dataprivacy@tufts.edu.

2. Enable subjects’ rights.

Your research team will need to be prepared to enable data subjects to exercise their EEA rights. Those rights may be exercised by a verbal request or in writing. See FAQ IV(10) above.

3. Give notice if a breach may have occurred.

The EEA governmental authorities must be notified within 72 hours of a security breach involving the EEA personal data. See the information below on whom to contact. Do not contact the EEA authorities directly.

Your research team should call the TTS Service Desk immediately in the event a breach is suspected. The TTS Service Desk may be reached 24/7 at 617 627-3376. The Data Privacy Team, working with TTS Information Security and the University Counsel’s office, and with the Office of the Vice Provost for Research, as needed, will evaluate the event and the necessary actions to be taken.

More information on security incidents is available at: Identifying and Reporting a Security Incident.

4. If your research team needs to make changes to your study’s protocol, an updated GDPR analysis may be required.

Significant changes to your study’s protocol may require an updated GDPR review. The following changes would generally not be considered sufficiently significant to require a renewed analysis of GDPR compliance:

  • A change only in the individuals who are members of the research team, provided the change does not also involve a new EEA country for the study’s activities or other changes in the protocol;
  • A small change in the number of research subjects; or
  • Adding a new site in an EEA country that was included in the protocol when previously approved.

If your team will be proposing a significant change in the study’s protocols, the IRB staff will contact the Tufts University GDPR and Research Review Committee for an updated GDPR review. The Health Sciences IRB and the SBER IRB will not approve the change without the concurrence of the Tufts University GDPR and Research Review Committee.

VII. What next steps do I need to take now?

If your study will involve primary research, rather than the secondary use of a data set, please ask the staff at either the Health Sciences IRB or the SBER IRB for a GDPR University research questionnaire. By answering the questionnaire, you will provide the information needed to determine whether the GDPR applies to your research, as well as what actions will be required to comply with the GDPR.

If you are unsure whether GDPR will apply to your study, the questionnaire will lead you through a series of questions to help evaluate your study in the context of the GDPR. If it does not apply, you will only need to answer a few questions; by answering the questionnaire, you will have documented that GDPR does not apply.

If your research study will involve the secondary use of a data set, please contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

VIII. Whom should I contact with questions? What resources are available?

  • For questions about the GDPR in connection with your research, contact the Office of the Vice Provost for Research at OVPR@tufts.edu.
  • General information about the GDPR may be found in Access Tufts at https://access.tufts.edu/gdpr.
  • If you have received a rights request, whether verbally or in writing, by a research subject or other person seeking to exercise a right under the GDPR, send the information as soon as possible, and in any event within 24 hours, to dataprivacy@tufts.edu.
  • If there may have been a breach or unauthorized disclosure or use of personal information, contact the TTS Service Desk immediately by phone at 617 627-3376, available 24/7.
  • Questions about the GDPR, other than in connection with research, may be submitted to dataprivacy@tufts.edu.
  • Assistance with preparing strategies for data management is available from Tufts Technology Services Research Technology Services.
  • With respect to securing data, information is available from Tufts Technology Services Office of Information Security, at it@tufts.edu.
  • For Data Management Plans: staff at the University’s libraries, including Tisch Library Data Management Services.

General Resources: