GDPR: What researchers need to know

by Guest Author on 16 Apr 2018

The EU General Data Protection Regulation (GDPR) and new Data Protection Act come into force on 25 May. Both apply in the UK and will influence research involving personal data. So what’s changing and how should you, as a researcher, prepare? Sarah Dickson, Head of the MRC Regulatory Support Centre, is here to help.

What is GDPR?

The EU General Data Protection Regulation (GDPR), along with the new UK Data Protection Act, will govern the processing (holding or using) of personal data in the UK.

Although the new laws haven’t been designed specifically for research, we’ll need to make some changes to research practice. The Information Commissioner’s Office (ICO) is the UK regulator. The Health Research Authority (HRA), in collaboration with the ICO, is providing official guidance for people working in health and social care research. We’re working with both organisations.

What counts as ‘personal data’?

This is data about living people from which they can be identified. As well as data containing obvious ‘identifiers’ – such as name and date of birth – this includes some genetic, biometric and online data if unique to an individual.

Data that has been pseudonymised (direct identifiers removed and held separately) is still personal data where the dataset and the key to the identifiers are held by the same organisation.

Data anonymised in line with the ICO ‘Anonymisation code of practice’ is not personal data. An example of this is when identifiers are held by another organisation with an agreement that specifies no re-identification. You should be aware that the action of ‘anonymisation’ counts as processing personal data. At the time of writing, the ICO is working to update the code to reflect GDPR requirements.

How will GDPR impact research?

The requirements largely mirror current good practice in research, so shouldn’t have a big impact on what you, as a researcher, already do. The new law demands that data processing is lawful, fair and transparent. Organisations that process personal data, or control its processing, are accountable for this, yet we all have a role to play.

How do I make sure my data processing for research is lawful?

All research organisations must specify a lawful basis for data processing. You, as a researcher, should know this basis because approvals bodies, like HRA and NHS Digital, will ask you to specify it.

The most likely lawful basis for publicly funded research in MRC institutes and universities will be ‘task in the public interest’. This assures research participants that the organisation is credible and is using their personal data for the public good.

When processing special categories of data, like health data, you must meet an additional condition. The most likely condition will be that such processing is ‘necessary for scientific research in accordance with safeguards’.

Safeguards apply widely to research with personal data. They include obtaining Research Ethics Committee approval, only processing personal data that’s necessary (data minimisation) and anonymising or pseudonymising where possible. Everyone working with identifiable information should understand the importance of confidentiality and should hold data securely with an appropriate level of protection. Working to your employer’s codes of conduct, IT policies and technical standards will help here.
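As an added illustration of two of the points above, the pseudonymisation described under ‘What counts as personal data’ and the data-minimisation and pseudonymisation safeguards in this section, here is example code written for this edit. It is not code from the original post and not MRC, HRA or ICO guidance; the sample records, field names and the HMAC-based pseudonym scheme are assumptions made for the example. It splits constructed sample records into a minimised research dataset and a separately held identifier table, and shows why the pseudonym should be derived under a secret key rather than by a plain hash.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for a fictional study; not real participants.
RAW_RECORDS = [
    {"name": "Alice Example", "dob": "1980-02-14", "nhs_number": "9434765919",
     "postcode": "SW1A 1AA", "hba1c": 6.1, "smoker": False},
    {"name": "Bob Sample", "dob": "1975-11-30", "nhs_number": "1234567881",
     "postcode": "M1 1AE", "hba1c": 7.4, "smoker": True},
]

# Fields that identify a living person directly; these leave the research copy.
DIRECT_IDENTIFIERS = ("name", "dob", "nhs_number")
# Data minimisation: keep only the variables the (hypothetical) study question
# needs. Postcode is dropped entirely rather than carried along "just in case".
RESEARCH_FIELDS = ("hba1c", "smoker")


def pseudonym(stable_id: str, key: bytes) -> str:
    """Derive a pseudonym from a stable identifier with HMAC-SHA256 under a secret key.

    An unkeyed hash (sha256(nhs_number)) would be a weak pseudonym: NHS numbers
    have only around 10^9 valid values, so anyone holding the dataset could hash
    every candidate and reverse the mapping. With HMAC the pseudonym can neither be
    recomputed nor inverted without the key, which stays with the custodian.
    """
    return hmac.new(key, stable_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split raw records into (research dataset, identifier key table).

    The research dataset carries only the pseudonym and the minimised fields.
    The key table maps pseudonym -> direct identifiers and is intended to be held
    by a separate custodian together with the HMAC key, not by the analysts.
    Because the pseudonym is deterministic for a given key, the custodian can
    later link a second extract for the same people without re-identifying them.
    """
    dataset, key_table = [], {}
    for rec in records:
        pid = pseudonym(rec["nhs_number"], key)
        dataset.append({"pid": pid, **{f: rec[f] for f in RESEARCH_FIELDS}})
        key_table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return dataset, key_table


def contains_identifiers(dataset: list) -> bool:
    """Release check: True if any direct identifier field leaked into the research copy."""
    return any(f in row for row in dataset for f in DIRECT_IDENTIFIERS)


def reidentify(pid: str, key_table: dict) -> Optional[dict]:
    """Custodian-side lookup; only possible for whoever holds the key table."""
    return key_table.get(pid)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the custodian, never shipped with the data
    dataset, key_table = pseudonymise(RAW_RECORDS, key)
    print("research dataset:", dataset)
    print("identifiers leaked:", contains_identifiers(dataset))
    print("custodian lookup:", reidentify(dataset[0]["pid"], key_table))
```

Whether the research copy counts as anonymised in the ICO sense is a question about who holds the key table and HMAC key and under what agreement, not something the code decides: if the same organisation holds both, the dataset is still personal data, as the post says. The release check is deliberately simple; in practice you would also review indirect identifiers (rare conditions, small geographic areas, exact dates) before treating a dataset as low risk.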

Consent is not a requirement of the new data protection laws. In research, we usually seek consent from people to participate. This is ethical, and needed for other legal reasons, for example if disclosing confidential information or if you’re running a drug trial. Consent to participate in research can also give participants control over how their data is used. However, ‘consent’, as defined by GDPR, is not likely to be the lawful basis for processing personal data for research purposes.

Since consent is not likely to be the lawful basis for processing, participants do not need to be re-consented every one or two years.

What do I need to do to be fair and transparent?

Being fair with research participants includes respecting their rights and ensuring that personal data is used in line with their expectations. Transparency is therefore intrinsically linked to fairness.

The new legislation sets out the information that should be provided to participants. This must be concise and easy to understand. Organisations should display corporate privacy information about research where people will notice it, for example links on website homepages and in waiting rooms.

Make your participants aware of this corporate privacy information using communication methods appropriate for your study population, for example links from participant information sheets or newsletters. You can provide further detail in department or project materials.

Work with your Data Protection Officer to ensure that the information you both provide to the public is relevant and understandable, including how data is used to support research. This should cover the fact that data is commonly linked with other data sources, kept for a long time and reused to address important research questions.

Where you have contact with participants, meeting transparency requirements is relatively straightforward. But if you have no contact with participants, the requirements are less clear. We’re working on this with the ICO.

Who’s responsible?

Organisations are accountable to the ICO, so don’t make decisions about legal compliance alone. Find out which organisation is the data controller for your research: this might be the organisation you work for or the sponsor of your project. You may even have more than one controller. Talk to your Data Protection Officer, to the research governance managers in your university’s sponsor office, or to your data support services.

This is particularly important if a research participant asks you about their personal data rights, for example if they ask to withdraw from your study. Data Protection Officers are responsible for managing requests about rights and will know how to apply the exemptions that are available to research.

There are specific requirements for international research when transferring personal data to non-EU countries. If this applies, seek advice from your Data Protection Officer.

The ICO’s key definitions are a useful reference.

For more information, visit the GDPR webpages, watch the accompanying video or contact the MRC Regulatory Support Centre.


Under this regulation, researchers’ data, résumés and CVs will be available and accepted, where requested, by uploading specific files instead of manual or email applications.

author avatar by Prof. Chukwuemeka Chucks Agbakwuru on 17-May-2018 13:36

I am obliged for this wonderful and informative blog about GDPR. It has all the descriptive information I was looking for. It is helpful for my research studies as I am preparing for a Clinical Research fellowship, so it is beneficial for me. Thank you once again. Keep sharing such informative blogs.

author avatar by Clinical research on 02-Jan-2019 07:00

How does this apply to telephone interviews?

author avatar by Tracy on 28-Jun-2019 16:59

Replying to Tracy

Dear Tracy,
It would be good to have a bit more information in order to provide a useful answer. The short answer is that you’ll have to comply with GDPR if you’re collecting personal data and the Privacy and Electronic Communications Regulations may also apply. We will contact you directly by email in case you require more information.
All the best,
Heather Coupar, Programme Manager, MRC Regulatory Support Centre

author avatar by Isabel Harding on 05-Jul-2019 11:53

I’d like to use email addresses published on the websites of accountancy firms to invite them to participate in a quantitative study as part of University research that has received ethics approval. I understand that GDPR doesn’t prevent me from contacting accountants that operate under a company or LLP, but I was wondering whether you know if it prevents me from contacting those that operate as sole traders? Your help is much appreciated!

author avatar by Sophie on 01-Nov-2019 11:59

Replying to Sophie

Dear Sophie,
The short answer is that you should be able to manage compliance with GDPR. However, there could be potential issues in terms of the common law (confidentiality) and the Privacy and Electronic Communications Regulations. In order to better advise, it would be easier to discuss what you intend to do over the phone. If this would be of interest then please don’t hesitate to get back in touch at info@rsc.mrc.ac.uk
All the best,
Heather Coupar, Programme Manager, MRC Regulatory Support Centre

author avatar by petra kiviniemi on 09-Dec-2019 15:27

What are the recommendations regarding data transfer from the NHS to a research database? Should a contract be put in place to govern the data processing and transfer? These studies do not need R&D approval and so do not use the OID etc. In the past no contracts were in place, but I am wondering if there should be now.

author avatar by Susan on 11-Dec-2019 16:16
