Processing of data statement

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

What does the new legislation mean for health and social care research, where the use of personal data is often crucial?

The new legislation brings increased expectations of organisations processing personal data. Organisations need to be lawful, fair and transparent when processing or controlling the processing of personal data. However, the new legislation does not impede research. It reflects current good practice in research, through the safeguards that apply to all research using personal data. If your organisation is already using good practice under current data protection legislation, you will need to make relatively few changes to your policies and practices.

Some aspects of the new legislation do not apply to research. For example, data can be stored for research for long periods of time, and it is recognised that personal data collected for any initial purpose can be used for research. There are also exemptions to some rights in a research context. However, the rights cannot simply be ignored. Research organisations must have other specific safeguards in place before using research exemptions.