International Research Guildelines

European Union General Data Protection Regulations (GDPR)

The European Union General Data Protection Regulations (GDPR) went into effect May 25, 2018. This regulation provides privacy and security protections for personal data collected in the European Union (EU). Researchers conducting human subjects research in the EU, including collecting information or data from anyone who is in the EU, may be impacted by the GDPR and may need to meet the GDPR requirements.

The Office for Human Research Protections of the U.S. Department of Health and Human Services has developed a Compilation of Guidances on the EU General Data Protection Directive.

This law governs the collection of personal data from people located in a European Union country. The GDPR applies to university human subjects research that involves the collection or processing of personal data from individuals located in the EU, regardless of their citizenship or residency. Personal data includes such information as name, address, IP address and other online identifiers, health information, race, ethnicity, religion or philosophical beliefs, and sexual orientation. The collection of certain categories of personal data requires affirmative consent from the subject.

The GDPR requires a lawful basis for collecting and processing personal data. For most human subjects research, that basis is consent. Research that does not collect personal data from individuals located in the EU is not subject to the GDPR. Care must be taken if research involves the collection of de-identified personal data. Data is considered de-identified if there is no reasonable way for someone with access to the data to re-identify an individual. In contrast to U.S. regulations, coded or psuedonymised data is not considered de-identified in the context of the GDPR, even if you do not have access to the code.

For research subject to the GDPR, consent must include elements that comply with both the GDPR and the Common Rule. The GDPR specifies that consent must be freely given, specific, informed, and unambiguous. Additionally, each subject must be advised that they may withdraw their consent at any time and the withdrawal of consent must be as easy as giving consent. Consent forms must contain the following information:

  • Identity of the Principal Investigator;
  • The purpose of data collection;
  • The types of data collected, including a list of any special categories:
    • Racial or ethnic origin;
    • Political opinions;
    • Religious or philosophical beliefs;
    • Trade union membership;
    • Processing of genetic data;
    • Biometric data for the purposes of unique identification;
    • Health data; and/or
    • Sexual orientation or sex life information;
  • The right to withdraw from the research and the method for withdrawal;
  • Who will have access to the data;
  • Information regarding automated processing of data for decision making about the individual, including profiling;
  • Information regarding data security, including storage and transfer of data;
  • How long data will be stored;
  • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study.

Note: Since these regulatory requirements are new, the above information is subject to change and will be updated as we receive formal guidance and best practices.

Compilation of International Policies Provided by the Office of Human Research Protections (OHRP)

The International Compilation of Human Subject Research Protections is prepared by the Office for Human Research Protections (OHRP) of the U.S. Department of Health and Human Services. The Compilation, which is updated annually, is a listing of more than 1,000 laws, regulations, and guidelines on human subjects protections in 101 countries and from several international organizations. It is designed for use by IRBs, researchers, sponsors, and others involved in human subjects research around the world.

The Compilation includes laws, regulations and guidelines which are classified into six (6) categories: General, Drugs and Devices, Privacy/Data Protections, Human Biological Materials, Genetic Issues, Embryos, Stem Cells, and Cloning. In addition, standards regarding Device Research which were identified in more than 40 countries are also included.

Although the Compilation contains information of a legal nature, it was developed for informational purposes only. The Office of Human Research Protections (OHRP) reminds investigators who are about to engage in research outside the United States that the information provided does not constitute legal advice or opinions as to the current operative laws, regulations, or guidelines of any jurisdiction.

In addition, because new laws, regulations, and guidelines are issued on a continuing basis, this Compilation is not an exhaustive source of all current applicable laws, regulations, and guidelines relating to international human subject research protections. While reasonable efforts have been made to assure the accuracy and completeness of the information provided, researchers and other individuals should check with local authorities and/or research ethics committees before starting research activities.