Table 3 Selected key changes under the EU General Data Protection Regulation (GDPR)

Scope and definitions:
Subject-matter: The GDPR applies to the processing of personal data of natural persons (Article 1), thus excluding anonymous data (Recital 26) and data from deceased persons (Recital 27), as the ’95 Directive did.
Special categories: Processing of data concerning health (Article 4(15)) and in the updated framework also genetic and biometric data (Article 4(13,14)) is in principle prohibited, unless one of the exceptions in Article 9(2) applies, e.g. when explicit consent has been provided (a) or when processing of sensitive data is necessary for scientific purposes (j) provided that safeguards are in place (Article 89(1)).
Extended territorial scope: The GDPR applies to all processing of personal data of EU citizens, whether it takes place in the EU or not (Article 3). Transfer of data to countries outside the EU may take place when the European Commission has evaluated the level of protection in the receiving country as adequate (Article 45), when appropriate safeguards have been provided (Article 46), or in case of specific derogations (Article 49).

Principles and conditions for data processing:
Principles: The principles (Article 5) of data processing remain largely the same as those in the Directive: (a) lawfulness, fairness and transparency; (b) purpose limitation (note that secondary use of data for scientific purposes is presumed compatible with the original purpose (Recital 50)); (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality. The principle of accountability (Article 5(2)), which holds that the data controller should be able to demonstrate compliance with the principles, has been added.
Conditions for consent: Data subjects’ consent (Article 4(11)) has become bound by stronger conditions in the GDPR (Article 7). When consent is used as the legal basis for processing, it should be “clearly distinguishable” from other matters and presented in an accessible form using clear and plain language. The controller should be able to demonstrate that consent was given, and the data subject is free to withdraw at any time. In the context of data processing for scientific research, the law leaves room for broad consent (Recital 33).

Rights and responsibilities:
Data subjects’ rights: The GDPR introduces the right to data portability (Article 20), which allows transmission of one’s data to another controller. Moreover, the GDPR enhances existing rights, namely the rights to: receive transparent information (Articles 12–14); access data (Article 15); rectification (Article 16); erasure (‘right to be forgotten’) (Article 17); restriction of processing (Article 18); and object (Article 21); as well as the right not to be subject to automated decision-making, including profiling (Article 22). However, in the context of scientific research Member States may provide derogations from these rights if the rights would impair research (Article 89).
Privacy by design: The idea of “data protection by design” is introduced to ensure risks are accounted for early through technical and organisational protective measures (Article 25). Processing of data for research purposes requires “appropriate safeguards” (Article 89(1)), although it is not specified what these should be.
Data breaches: Data controllers are required to keep a detailed record of all processing activities (Article 30) and in particular of any data breaches, which should be reported to the competent authorities within 72 h and—in case of high risk—to the data subject without undue delay (Articles 33 and 34).
Data protection impact assessment: For high risk processing of data (which includes processing of special categories of data, e.g. health data), the GDPR mandates performing a data protection impact assessment (DPIA) in order to ascertain the risks relating to data subjects’ rights (Article 35).
Data protection officer: Research institutions are now required to appoint a data protection officer (DPO) who monitors compliance with the GDPR, provides advice on data processing, including the DPIA, and acts as the contact point for the supervisory authority (Articles 37–39).
Penalties: Organisations that do not comply with the GDPR can be fined up to 4% of annual global turnover or 20 million EUR, whichever is greater (Article 83(5)).