This series of Frequently Asked Questions (FAQs), developed for Tufts University researchers, focuses on the General Data Protection Regulation (the GDPR) and how it may apply to your research, whether it is human subject research or other research that may include any identifying information about natural persons. This guidance explains when research activities fall within the scope of the GDPR and describes its requirements.

A team from the Office of University Counsel, the Tufts Technology Services Office of Information Security, the Office of the Vice Provost for Research (OVPR), the Health Sciences IRB, and the Social, Behavioral and Educational IRB (SBER IRB) have collaborated to develop materials and procedures to facilitate researchers’ compliance with the GDPR. The OVPR and the Health Sciences IRB and the SBER IRB will be working with a newly established committee, the GDPR and Research Review Committee, to coordinate the review and approval of University research protocols in accordance with the GDPR’s requirements. IRB approval will not be provided for any University research study involving human subjects that is subject to the GDPR without confirmation of GDPR compliance from the GDPR and Research Review Committee.

Abbreviations and Definitions:

EU: The European Union is an economic and political union among 28 European countries.

EEA: The European Economic Area unites the 28 EU member states and the three EEA European Free Trade Association states (Iceland, Liechtenstein, and Norway) into an internal market governed by the same basic rules. See FAQ II(3).

EDPB: The European Data Protection Board was established by the General Data Protection Regulation (GDPR). As an independent European body, the EDPB contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. For more information, see the European Data Protection Board website: https://edpb.europa.eu/.

Health Sciences IRB: The Health Sciences Institutional Review Board for Tufts University and Tufts Medical Center.

HIPAA: The Health Insurance Portability and Accountability Act.

SBER IRB: Tufts University’s Social, Behavioral and Educational Institutional Review Board.

DPIA: A Data Protection Impact Assessment under the GDPR. See FAQ IV(9).

Processing: Processing data under the GDPR generally means to work with the information in any way, including collecting, storing, sharing, analyzing, or archiving the information. The GDPR defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” (GDPR Article 4(2))

Frequently Asked Questions about the GDPR and Research

These FAQs are organized into the following sections based on these core questions:

1. What is the GDPR?
2. Will the GDPR apply to my research?
3. Are there changes I can make to my research protocols that will ensure GDPR does not apply to my research?
4. Are there changes I can make to my research protocols that will facilitate compliance with the GDPR?
5. If the GDPR applies to my research, what kinds of actions can I expect my research team will need to complete before our research may proceed?
6. What next steps do I need to take now?
7. Whom do I contact with my questions? What general resources are available?

I. What is the GDPR?

1. What is the purpose of the GDPR?

The General Data Protection Regulation (the GDPR or the Regulation) is a European law that expanded the privacy and security protections for individuals’ personal information. It regulates the collection, use, transfer, storing and other processing of personal information in three types of situations:

1. 1. When personal information is collected from individuals while they are in the European Economic Area (EEA) in connection with the offering of goods or services, including research;
   2. When an organization established in one of the countries in the EEA processes personal information; or
   3. When personal information is processed in connection with monitoring the behavior of individuals when they are in the EEA.

Examples of each of these types of activities that would result in the GDPR applying to research are provided under FAQ II(1) below.

The GDPR became effective on May 25, 2018.

2. I am based in the United States. Why might the GDPR affect my research?

The GDPR will very likely apply to your research if the research activities will:

• • be conducted in association with an established organization in the EEA,
  • involve personal information collected from any person while they are in the EEA,
  • involve monitoring the behavior of persons while they are in the EEA,
  • involve transferring personal information out of the EEA, or
  • involve the secondary use of data that was protected by the GDPR when initially collected.

3. What are the core principles of the GDPR?

The GDPR has the following six core principles:

1. 1. Lawfulness, fairness and transparency: Processing personal data shall be done “lawfully, fairly and in a transparent manner in relation to the data”
   2. Purpose limitation: Personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
   3. Data minimization: Processing of personal data shall be done in a manner that is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
   4. Accuracy: Personal data shall be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.”
   5. Storage limitation: Personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary.”
   6. Integrity and confidentiality: Personal data shall be “processed in a manner that ensures appropriate security of the personal ”  (GDPR Article 5(1)

4. Why is it important to comply with the GDPR?

Noncompliance with the GDPR could result in your research being terminated.

Failure to comply with the GDPR will put not only Tufts, but also your research, at risk for:

• • High fines
  • Regulatory orders requiring discontinuation of research activities
  • Violations of grant or other funding covenants, resulting in loss of funding
  • Reputational harm

The GDPR applies to academic institutions and other non-profit organizations, like Tufts.

Violations of the GDPR may result in fines of up to 20 million Euros or 4% of the organization’s entire prior financial year’s worldwide annual revenue.

The GDPR also permits individuals to file a legal claim for noncompliance.

The European Data Protection Board (EDPB) and independent supervisory authorities in each country enforce the Regulation.

5. Is it possible to apply for a waiver to the application of GDPR?

No. The GDPR does not provide a procedure to be exempted from its requirements. The governmental supervisory authorities will, however, answer questions about how to comply.

II. Will the GDPR apply to my Research?

1. In what situations will the GDPR apply to research? What kinds of connections to the EEA would cause the GDPR to apply to my research?

There are three types of situations that are subject to the GDPR.

1. Involving persons in the EEA.

If research activities collect personal information from individuals while they are in the EEA or involve personal information that was previously collected from persons while they were in the EEA, then the GDPR will apply to those activities. This scenario applies even if none of the organizations associated with the research are or were established in the EEA at the time of collection. Protection for the personal information must continue after the person leaves the EEA.

Examples:

• Actively recruiting research subjects while they are present in the EEA, even if the persons do not become research subjects.
• Collecting personal information from persons while they are present in the EEA, even if they are in the EEA briefly and later leave the EEA.
• Collecting personal information from research subjects about other persons while those persons are present in the EEA.

B. Involving an established organization in the EEA.

If your study will involve another organization that processes personal information as part of the research activities and that organization is established in the EEA, then the information is protected by the GDPR, even if the processing occurs outside the EEA. To process data under the GDPR generally means to work with the information in any way, including collecting, storing, sharing, analyzing, or archiving the information.

Examples of research involving an established organization:

• The collection of personal information in collaboration with an investigator at a university in the EEA.
• Collaboration with a company’s research operations in the EEA.
• Research sponsored by an organization in the EEA, even if the research subjects are not in the EEA.
• Research conducted using a data set previously collected by an established organization in the EEA, even if the data set is now stored outside the EEA.

C. Involving monitoring persons in the EEA.

If a person is present in the EEA, any personal information collected from them as a result of monitoring their behavior within the EEA will be subject to the GDPR.

Examples:

• Tracking the movements of research subjects while they are in the EEA.
• Video observations of persons in the EEA in public spaces.
• Collecting data on the purchasing or consumption behavior of persons while they are in the EEA.

2. My study will collect information using an online survey. Will the GDPR apply?

Maybe, if the survey may be accessed by persons while they are in the EEA. One alternative is to block IP addresses from the EEA. Another option to reduce the likelihood the GDPR will apply is to avoid promotion of the survey or the study in any way in the EEA.

3. In what countries does the GDPR apply?

The GDPR applies to all member countries of the European Union (EU), as well as countries in the EEA. The Regulation applies now and, after Brexit, will continue to apply, to the UK. Switzerland, which is not a member of the EEA, is expected to adopt a similar law, so it has been included here.

GDPR Countries

Austria	Finland	Lithuania	Slovenia
Belgium	France	Luxembourg	Spain
Bulgaria	Germany	Malta	Sweden
Croatia	Greece	Netherlands	United Kingdom
Cyprus	Hungary	Poland	Iceland
Czech Republic	Ireland	Portugal	Liechtenstein
Denmark	Italy	Romania	Norway
Estonia	Latvia	Slovakia	Switzerland

 

4. What personal information does the GDPR regulate?

GDPR personal data includes any information that identifies or could identify a person.

Personal data protected by the GDPR is much broader than Personal Health Information protected by HIPAA or other types of personal information protected in the United States, such as Social Security numbers and financial account numbers.

The list below includes examples of personal data. This is not a complete list.

• Name
• Email address
• Phone number
• Social Security numbers and other identification numbers
• Location data
• User names
• Online identifiers
• IP addresses
• Online cookie data
• Images
• Voice
• Distinctive body markings
• Content generated by the individual
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Physical or mental health information
• Sex life and sexual orientation
• Genetic and biometric data

A name alone is personal data.

It is not necessary to have a name associated with the information. If the information, taken in the aggregate, could be used to identify a person, it is personal data protected by the GDPR.

5.  My research involves animals; none of the research subjects are persons. Will the GDPR apply?

If your research will collect or otherwise include personal information of persons, then the GDPR will very likely apply. For example, if your research will collect the contact or other identifying information of the animals’ owners, then that personal information will be protected by the GDPR. GDPR protection extends beyond the immediate subjects of the research to third parties.

6. If our research will only involve information that is publicly available, will the GDPR apply?

Generally, personal information is protected even if it has been otherwise publicly disclosed. The GDPR provides protection not only for maintaining privacy, but also for how personal information is used.

7. If our research will involve de-identified data, will the GDPR apply?

Anonymized information is not personal data under the GDPR.

The GDPR does not include guidance on what practices to follow to sufficiently anonymize personal information to remove the data from regulation under the GDPR.

HIPAA de-identified information will be considered pseudonymized personal data under the GDPR, not anonymized. So long as a key exists to re-identify information, even if the key is sequestered from the research team, the information will not qualify as anonymized.

Under the Regulation, anonymous information neither identifies an individual nor makes it possible to identify an individual.

To discuss anonymizing information, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

8. To which persons does the GDPR apply? Does the GDPR only apply to EEA citizens and residents?

The GDPR applies to all persons located in the EEA. There is no requirement that a person be an EEA citizen or an EEA resident.

On the other hand, the GDPR does not apply to EEA citizens while they are located outside of the EEA and participate in research studies, provided, none of the organizations associated with the research study are established in the EEA and the personal information is not transferred into the EEA.

9. Our research team will be contracting with translators and other third-party service providers. Will the GDPR apply to those persons?

The contact and other limited personal information your research team will need for those persons will not be in scope for the GDPR, unless the research is conducted in connection with a Tufts establishment in the EEA.

10. Does the GDPR have any requirements for research involving children?

Yes. There are special protections for children under the age of 18. If your study includes minors, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

11. Does the GDPR apply to the personal information of deceased persons?

No, it does not. However, your study may still need to comply with other regulations in each country.

12. Our research team will be working with a research team from a European organization that controls the research. Will the GDPR apply to our work?

Yes. You will need a contract with the European organization that addresses the GDPR’s requirements and the other obligations each party has. Contact Pre-Award Staff or the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

13. My research does not involve collecting new personal information. We will be working with an existing data set. Will the GDPR apply?

If the information will be fully anonymized before your team receives it, then the GDPR will not apply. See FAQ II(7).

If the information will not be anonymized, then the GDPR will very likely apply if the data set includes information that was:

• collected by an established organization in the EEA
• collected from any person while they were in the EEA, or
• transferred out of the EEA.

See FAQ II(1).

The GDPR analysis will consider whether the original procedures followed are sufficient to meet the compliance obligations for the new use of the information.

The data set may also continue to be subject to terms and conditions that were established when the data was first collected. You should contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, for assistance with reviewing those obligations.

14. My current research began before May 25, 2018, when the GDPR became effective. Must my research comply with the GDPR?

Yes. The GDPR applies to research that is currently processing EEA personal information collected before the GDPR became effective. Considerations will include whether additional notices and new consents are required, whether anonymization or pseudonymization can be employed, and whether appropriate handling and other safeguards are in place.

15. My new research will involve personal data collected in the EEA before the GDPR’s effective date of May 25, 2018. Will the GDPR apply?

The GDPR provisions apply to processing of personal information regardless of when the data was originally collected. Many of the GDPR’s requirements continue analogous obligations under the EU’s prior privacy law, the EU Directive 95/46/EC.

III.  Are there changes I can make to my research protocols that will ensure the GDPR does not apply to my study?

1.  Could the study’s objectives be met without including personal information from the EEA? Is the inclusion of personal information from the EEA expected to be incidental?

If you expect that personal information from EEA countries could be excluded from the study without a negative impact, then consider including measures in the protocol to exclude that information and, by doing so, ensuring the GDPR does not apply to your study.

Examples:

• For studies that will collect information using an online survey, access to the survey might be blocked for persons in the EEA by blocking IP addresses from the EEA.
• For studies that will collect information by phone, the callers would always call from outside the EEA and ask where the person is located.
• If contact with research subjects is to be made by mail, then all addresses that are in the EEA would be removed.

If you are interested in discussing this approach, including methods to avoid collection of personal information from an EEA country, please contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

2. Could all the EEA personal data the study collects or otherwise processes be anonymized?

Anonymizing the EEA personal data under the GDPR can be difficult. See FAQ II(6) above. But if your study can be structured to only collect and use anonymized information in every stage of the study, then you will not be required to comply with the GDPR’s restrictions.

If anonymization is accomplished later in the study, the Regulation will apply until the anonymization has been effected, but will not apply afterward to the anonymized data.

If the personal information to be processed has already been collected as part of an earlier study, or will be collected separately from your study, then you could consider requiring anonymization before you receive the data.

If you can have a third party anonymize the data in the EEA and only transfer the anonymized data to the United States, any effort to comply with the GDPR would be much simpler.

Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB to discuss anonymization methods.

IV. Are there changes I can make to my research protocols that will facilitate compliance with the GDPR?

Consider incorporating these recommendations in your study’s protocols to lessen the impact of the GDPR’s administrative requirements, while continuing to meet your study’s objectives.

1. Minimize the personal information collected and processed.

Data minimization is one of the core principles of the GDPR. See FAQ I(3).

Consider the range of information your study will be collecting. Are all types of information necessary to meet the study’s purposes? Are the categories of personal information, and the specific data items, tailored to the study’s focus? The fewer types of personal information collected, the less risk there will be to the data subjects’ privacy, and the less risk there will be of noncompliance.

2. When possible, don’t collect sensitive information.

The GDPR includes more stringent protections for the following “special categories” of personal data:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Physical or mental health information
• Sex life and sexual orientation
• Genetic and biometric data

If you eliminate these types of information from your study, you will reduce the level of scrutiny the GDPR will require for your research.

3. Do not collect information about criminal offenses or convictions.

The GDPR’s restrictions for criminal offense or conviction information are very strict. The GDPR states that this information may only be collected and processed if the research is under the control of an official authority of an EEA country or if the processing is authorized by Union or Member State law.

If your research will involve criminal offense or conviction information, contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

4. If anonymization is not possible, pseudonymize the personal information whenever feasible.

The GDPR encourages the practice of reducing the identifiability of personal information by using pseudonymization as a safeguard for data subjects. Under the GDPR, data is pseudonymized if

• The information cannot be attributed to a specific individual without the use of additional information (i.e. a “key”)
• The key is kept separately from the data set
• Access to and use of the key is protected by technical and administrative measures. The key must be kept separately, but designated, authorized persons within the research team may have access.

The GDPR’s requirements are less restrictive if personal information is pseudonymized. For example, some of the rights data subjects otherwise have (see FAQ IV(10) below) will not apply.

Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, to discuss how to pseudonymize the data.

5. If consistent with your study’s objectives, consider excluding minors as data subjects.

The GDPR permits the processing of personal information of minors. It imposes a requirement that the informational notice and any consent for minors be adapted to their level of understanding. The inclusion of minors should be factored in to the weighing of the subjects’ privacy rights against the research study’s requirements. We expect the level of scrutiny by supervisory authorities will be higher if minors were involved in the research.

6. Consider not transferring the data collected in the EEA out of the EEA.

The GDPR includes restrictions not only on processing personal data, but on transferring personal data out of the EEA. If your study will be able to be completed without transferring the personal information out of the EEA, or if anonymization can be accomplished before the transfer, then the study will not be subject to the GDPR transfer restrictions. See FAQs IV(7), V(3) and V(7) below. FAQ V(7) discusses how using some IT apps and tools may be considered as effecting a transfer out of the EEA.

7.  Collaborate with or engage an established organization in the EEA for your study.

When initially planning your study, consider whether collaborating with an EEA organization would be consistent with your study’s protocols and objectives. Including an EEA organization with experience in meeting the GDPR’s obligations will expedite the GDPR work. If the collaborator can anonymize the data before it is provided to your research team, then GDPR will not apply to your team’s work. Even if anonymization is not feasible, transfers back to the US may be facilitated when an EEA collaborator is included in the study.

8. When you select IT tools and applications for use by your study, consider whether they are already GDPR compliant.

All IT apps and tools provided by third parties that store personal information off site must be approved for use with EEA personal data. Likewise, all IT apps and tools that will enable any third party to access the personal data or that will involve other processing of the data by a third party, must be approved for use with EEA personal data. Examples include an app or tool that stores the information in the cloud or that requires transferring the data to the third party.

To meet the GDPR’s requirements, the app or tool’s provider must confirm in writing to Tufts that the provider and the app or tool are GDPR compliant.

Many of the University’s most commonly used apps and tools are approved for use with personal data regulated under the GDPR, but there are some Tufts provisioned apps and tools that are not yet approved. As part of the GDPR review of your study, the apps and tools you intend to use will be reviewed.

If you anticipate using an app or tool not currently licensed by Tufts on a university-wide basis for GDPR regulated data, it is especially important to contact dataprivacy@tufts.edu as soon as possible. Confirming GDPR compliance for a new vendor involves a security review and a signed, written addendum, which often requires considerable lead-time.

See also FAQ V(7).

9. Consider whether changes to your study will eliminate a requirement for a Data Protection Impact Assessment (DPIA).

If your study will use “new technologies,” that are likely to result in a “high risk” to individuals’ privacy rights and freedoms, then the GDPR will require a written, detailed Data Protection Impact Assessment (DPIA). A DPIA would document in writing the expected impact of the study’s particular methods for collecting and processing personal information on how that information, and therefore individuals’ rights, will be protected.

The GDPR does not explain what “new technologies” are. Given the purposes of the Regulation, technology that is not in widespread use and that has a unique or unexplored impact on individuals’ privacy should be evaluated.

DPIAs will be required in the case of any of the following:

• a systematic and extensive evaluation of personal aspects using automated processing, including profiling, when the evaluation is used to make decisions that significantly affect the individual, such as decisions that have legal effects for the individual;
• processing on a large scale of special categories of personal information (see FAQ IV(2));
• processing personal information relating to criminal convictions and offences (see FAQ IV(3)); or
• systematic monitoring of a publicly accessible area on a large

Each country’s supervisory authority may also publish a list of other circumstances when a DPIA will be required.

A DPIA must include:

• a systematic description of the processing operations and the purposes of the processing;
• an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
• an assessment of the risks to the rights and freedoms of data subjects; and
• the measures that will be used to address the risks to protect the personal information and to demonstrate compliance with the GDPR Regulation.

10. Anticipate how the exercise by research subjects of their special rights under the GDPR may impact your study.

Your study will need to provide a process for research subjects to exercise their rights under the GDPR. You should also evaluate what the impact of exercising those rights will be on the adequacy of the research data.

Their rights will include:

• Access and review. The right to be provided all the personal data the study has about them and to review it.
• The right to have any inaccuracies in their personal data corrected and, if the information is incomplete, completed.
• Erasure, right to be forgotten. The right to require that all of their personal data be deleted.
• The right to require that the processing of personal data be restricted or halted while the processing of the information is being contested.

The GDPR provides an exception to the right to be forgotten if exercise of the right is “likely to render impossible or seriously impair the achievement of the objectives of the research.” (GDPR Article 17(3)(d)) Likewise, each country’s supervisory authority may authorize an exception to each of the other rights listed above, if exercise of the right is “likely to render impossible or seriously impair the achievement of the objectives of the research.” (GDPR Article 89) Unfortunately, neither the EDPB nor the GDPR supervisory authorities have issued any concrete guidance on when exceptions will be permitted.

Information on how data subjects may exercise their GDPR rights may be found at https://www.tufts.edu/about/privacy.

11.  Allow time in your research development schedule for the GDPR analysis and for implementing the steps the GDPR will require.

An analysis under the GDPR will be tailored to the circumstances and particular protocols for your study. That analysis is likely to include several consultations, as well as additional requirements.

The analysis may also require obtaining guidance from external advisors from the countries to be involved in your study. While one of the GDPR’s goals was to make the protection of personal information in Europe more uniform across the different countries, the Regulation continues to permit each country to adopt its own regulations and laws. Some countries’ supervisory authorities have published or asserted interpretations of the GDPR that are stricter than what would be evident by reading the Regulation’s provisions alone.

Evaluating the impact of a particular European jurisdiction may require significant lead-time. For these reasons, it is recommended that you initiate the GDPR review as early in your research timeline as possible.

The approval of the Tufts University GDPR and Research Review Committee will be required before the IRB will be able to complete its review.

V.  If the GDPR applies to my research, what kinds of actions can I expect my research team will need to complete before our research may proceed?

1.  Provide GDPR informational notices for research subjects and other data subjects.

You must provide GDPR informational notices to prospective research subjects and to enrolled research subjects before any personal information is collected.

The notices must disclose what personal information will be collected, the purposes for which it will be used, whom it will be shared with, and how long it will be retained, as well as information about an individual’s rights under the GDPR and how to exercise them. These requirements may be met by supplementing other notices that will otherwise be provided to individuals.

2. Have a justification for processing information.

Your study must have a documented justification for processing EEA personal information that meets the GDPR’s requirements.

Should consent by the research subjects be used as the justification? In most cases, consent is not recommended for the GDPR compliance. It is important to distinguish between informed consent for purposes of research studies and consent for purposes of the GDPR. The EDPB has directed researchers conducting clinical research to not rely on consent as the basis for the GDPR compliance; a similar analysis would very likely apply to non-clinical research.

The GDPR also permits individuals to withdraw their consent at any time, for any reason. If a research subject withdraws their consent to processing of their personal information and if the information has not been anonymized, then it is very likely the research team would be required to extract the individual’s personal information from the research data set, stop all processing of that information (including any processing by collaborators), and destroy the information.

The requirements for a valid consent are significant. See FAQ V(5).

Relying on the GDPR’s Legitimate Interest Justification. In most cases, the recommendation will be to rely on the research being a fundamental part of the University’s “legitimate interest.” The GDPR notice template available from the IRB staff for University research, at either the Health Sciences IRB or the SBER IRB, rely on the legitimate interest justification. If “special category” data is included (see FAQ IV(2)), the GDPR also recognizes scientific research as an approved justification, provided appropriate safeguards are used. You will need to review the text of any notice you use and confirm its accuracy for your research.

Data subjects will still be able to object to processing done on the basis of a legitimate interest, but the risk the study will be required to cease processing the subject’s personal information will be less than if consent were relied upon as the justification.

Special Considerations for Clinical Trials. EDPB guidance for clinical trials requires distinct justifications for (i) processing of data for reliability and safety purposes, and (ii) processing done for other research purposes. For the first, the clinical trial may rely on the processing being necessary for compliance with a legal obligation, i.e. the laws and regulations applying to clinical trials. For the latter, the guidance generally recommends relying on the research being in the University’s legitimate interest.

3.  Have a justification for transferring personal information out of the EEA to the US or to another non-EEA country.

If personal information will be transferred out of the EEA, your study will be required to have a separate justification for that transfer. The US and most non-EEA countries do not meet the GDPR’s privacy requirements to be exempted from this requirement.

For example, if your research team will collect personal information in the United Kingdom, and then upload the personal information into a Tufts Box folder, which stores information in the US, your study will need to obtain consents to this exporting of the information out of the EEA before the transfer occurs. Other examples are using Qualtrics to collect survey data or storing data on a laptop and travelling with the laptop back to the US.

There are three alternatives to address the transfer requirement. They are, in order of preference:

• Include an EEA entity in the research protocols to act as a collaborator in the study. Enter into an agreement with the collaborator that includes “GDPR standard clauses.” The clauses are intended to protect the personal information and the research subjects’ GDPR rights.
• Anonymize the information before the information is transferred to the US or other non-exempt country.
• Obtain a consent to the transfer from each research subject. The research subject may withdraw the consent at any time for any reason.

It’s very important to understand that any consent to transfer will be separate and distinct from the informed consent required from research subjects for purposes of meeting ethical standards or research procedure requirements.

The requirements for a valid consent are discussed in FAQ V(5). Also see FAQ V(7), which discusses how using some IT apps and tools may be considered as effecting a transfer out of the EEA.

It is not clear what the effect will be if a research subject withdraws a consent to transferring their personal information out of the EEA. Your study should be prepared to delete the information in the US, even if the withdrawal of the consent is made after the information has been transferred to the US. The data could continue to be used in the EEA.

Transfers to the US are not different in principle from transfers to other non-exempt countries. However, as a matter of good practice, any country-based differences in the norms for how personal information is treated in research should be assessed when planning the study. Likewise, any transfers to a recipient that is not part of the educational sector should be risk-assessed as a matter of good practice.

4. For secondary uses of data sets, have a justification for processing and for transferring the personal information.

The GDPR has introduced new challenges to the secondary use of personal information related to or incorporated in research data collected in the EEA or otherwise subject to the Regulation. Secondary use of such personal data requires a justification under the GDPR, as will any transfer of the personal data out of the EEA. The provider of the data set should confirm the data was collected in compliance with the GDPR and that the anticipated use by your research team will also be permitted under the GDPR. The EDPB’s guidance for secondary use of personal data is limited. For secondary data processing, the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, will ask you for information so they are able to review compliance with the GDPR.

5. Requirements for valid consents, if obtaining a consent.

The GDPR requires that consent be:

• Freely given, that is, the individual has a realistic choice;
• Specific;
• Informed;
• Clear and unambiguous; and
• Affirmatively given. Pre-ticked boxes should not be used. For “special category” information (see FAQ IV(2)), we recommend obtaining a signature (electronic or hand-written) to meet a higher requirement of an “explicit” consent.

The EDPB takes a very strict view of the standard for a valid consent.

6. Establish a plan to handle and manage the research information securely.

EEA personal data must be protected from disclosure and unauthorized use (i.e., in keeping with the initial notice). Personal information may not be shared outside of the research team. Technical security protections, including encryption, should be employed. Pseudonymization is strongly recommended whenever possible.

All Tufts research studies subject to the GDPR are required to comply with Tufts’ GDPR Data Handling Guidelines. These are available from the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, or by emailing dataprivacy@tufts.edu.

Assistance with preparing strategies for data management is available from:

• Tufts Technology Services Research Technology Services
• With respect to securing data, Tufts Technology Services Office of Information Security, at it@tufts.edu
• For Data Management Plans: staff at the University’s libraries, including Tisch Library Data Management Services.

7.  Verify all IT apps and tools are GDPR compliant and use them in a manner that meets the GDPR’s requirements.

As part of the GDPR review, you will be asked to provide a list of all IT apps and tools that will be used in connection with the research activities. See FAQ IV(8). If the configuration of the app or tool provides for a third-party vendor to store the information, such as in the cloud, there must be documentation of the vendor’s GDPR compliance.

The GDPR’s requirements may also limit how your study uses an otherwise approved app or tool. Apps and tools that store data outside of the EEA, but are used by research subjects to submit data for a study, will generally be considered as effecting a transfer out of the EEA. Examples include Qualtrics and Box. It’s recommended that a consent to the “transfer” of that data out of the EEA be obtained either before the app or tool is used, or in the case of a survey tool, as the first action of the research subject.

8. If there will be any external collaborators, negotiate a collaboration agreement that includes assurances the collaborators will comply with the GDPR.

If your research will involve collaborating with other organizations, including universities, medical centers, pharmaceutical companies, and nonprofit policy centers, the terms of that relationship will need to be documented in a written agreement. That agreement must include a section allocating the compliance responsibilities and liability under the GDPR. Contact Pre-Award Staff for assistance.

9. Obtain written confirmation from all service providers that they will act in compliance with GDPR.

If your research study will use any external service providers, then you will need to obtain a commitment from them to comply with the GDPR. Examples include organizations that provide translation or enumeration services, as well as consultants.

10. Obtain the approval of the Tufts University GDPR and Research Review Committee as a condition of the IRB approval.

The Health Sciences IRB and the SBER IRB will be working with the Tufts University GDPR and Research Review Committee to coordinate the approval of research protocols. IRB approval will not be provided without the approval of the GDPR Committee.

11. Include training in the GDPR’s requirements for your research team in your study plan.

To facilitate your study’s research activities, your research team should be trained on how their actions will be impacted by the GDPR’s requirements.

12. If necessary, prepare a Data Protection Impact Assessment (DPIA).

See FAQ IV(9) above for when a DPIA is required and what is required to be included. Contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, for assistance with preparing a DPIA.

VI. If the GDPR applies to my research, what kinds of actions can I expect my research team will need to do while conducting our research?

1. Follow your study’s plans for managing the personal information securely.

Throughout the study, ensure that the EEA personal information is protected by following secure handling practices, including those in the data management plan developed for the research. Follow the practices identified in Tufts’ GDPR Data Handling Guidelines, available from the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB, or by emailing dataprivacy@tufts.edu.

2. Enable subjects’ rights.

Your research team will need to be prepared to enable data subjects to exercise their EEA rights. Those rights may be exercised by a verbal request or in writing. See FAQ IV(10) above.

3. Give notice if a breach may have occurred.

The EEA governmental authorities must be notified within 72 hours of a security breach involving the EEA personal data. See the information below on whom to contact. Do not contact the EEA authorities directly.

Your research team should call the TTS Service Desk immediately in the event a breach is suspected. The TTS Service Desk may be reached 24/7 at 617 627-3376. The Data Privacy Team, working with TTS Information Security and the University Counsel’s office, and with the Office of the Vice Provost for Research, as needed, will evaluate the event and the necessary actions to be taken.

More information on security incidents is available at: Identifying and Reporting a Security Incident.

4. If your research team needs to make changes to your study’s protocol, an updated GDPR analysis may be required.

Significant changes to your study’s protocol may require an updated GDPR review. The following changes would generally not be considered sufficiently significant to require a renewed analysis of GDPR compliance:

• A change only in the individuals who are members of the research team, provided the change does not also involve a new EEA country for the study’s activities or other changes in the protocol;
• A small change in the number of research subjects; or
• Adding a new site in an EEA country that was included in the protocol when previously approved.

If your team will be proposing a significant change in the study’s protocols, the IRB staff will contact the Tufts University GDPR and Research Review Committee for an updated GDPR review. The Health Sciences IRB and the SBER IRB will not approve the change without the concurrence of the Tufts University GDPR and Research Review Committee.

VII. What next steps do I need to take now?

If your study will involve primary research, rather than the secondary use of a data set, please ask the staff at either the Health Sciences IRB or the SBER IRB for a GDPR University research questionnaire. By answering the questionnaire, you will provide the information needed to determine whether the GDPR applies to your research, as well as what actions will be required to comply with the GDPR.

If you are unsure whether GDPR will apply to your study, the questionnaire will lead you through a series of questions to help evaluate your study in the context of the GDPR. If it does not apply, you will only need to answer a few questions; by answering the questionnaire, you will have documented that GDPR does not apply.

If your research study will involve the secondary use of a data set, please contact the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.

VIII. Whom should I contact with questions? What resources are available?

• For questions about the GDPR in connection with your research, contact your Local Research Administrator or the IRB staff for your research, at either the Health Sciences IRB or the SBER IRB.
• General information about the GDPR may be found in Access Tufts at https://access.tufts.edu/gdpr.
• If you have received a rights request, whether verbally or in writing, by a research subject or other person seeking to exercise a right under the GDPR, send the information as soon as possible, and in any event within 24 hours, to dataprivacy@tufts.edu.
• If there may have been breach or unauthorized disclosure or use of personal information, contact the TTS Service Desk immediately by phone at 617 627-3376, available 24/7.
• Questions about the GDPR, other than in connection with research, may be submitted to dataprivacy@tufts.edu.
• Assistance with preparing strategies for data management is available from Tufts Technology Services Research Technology Services.
• With respect to securing data, information is available from Tufts Technology Services Office of Information Security, at it@tufts.edu
• For Data Management Plans: staff at the University’s libraries, including Tisch Library Data Management Services.

General Resources:

• The European Data Protection Board website: https://edpb.europa.eu/
• The full text of the GDPR: https://gdpr-info.eu/
• The EU GDPR Portal: https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
• A “Compilation of Guidances on the EU GDPR” posted by the United States Office for Human Research Protections (OHRP) listing, by country, the data protection authorities of all EEA countries that fall under the GDPR.