You may have noticed increasing mentions of GDPR lately. The General Data Protection Regulation is the new EU-wide Regulation that will replace the UK Data Protection Act. It’s something we have been reading up on as part of our work supporting researchers in managing their data, and came across an editorial by Dr Marc Cornock, Senior Lecturer in Health at the OU, which neatly summarises GDPR and its implications for research.
We thought Marc’s piece well worth sharing and invited him to be a guest blogger, to talk about GDPR and link to his editorial. Look out for further information here on GDPR over the next couple of months, but now, over to Marc…
In less than 3 months, on 25th May 2018, the General Data Protection Regulation (GDPR) 2016/679/EU comes into force. This is a major piece of legislative reform for 2 reasons: firstly, it is the biggest change in data protection law and the rules surrounding the use, storage and dissemination of personal data in over twenty years; and secondly, the legislation itself is huge. The Regulation runs to 11 Chapters, 99 Articles and 173 Recitals. A Recital sets out the reasoning behind a specific Article or clarifies an aspect of the Regulation.
The GDPR aims to harmonise data protection and privacy laws across all member states of the European Union. Although the United Kingdom has set out its desire to leave the European Union through the Brexit process, at the point at which the GDPR comes into force the United Kingdom will still be a part of the European Union, and as Regulations of the European Union are directly applicable in all member states without the need for further legislation, the GDPR will become law in the United Kingdom as well as the rest of the European Union.
The United Kingdom is making provision for the continued effect of the GDPR after Brexit through the introduction of the Data Protection Bill 2017, which is currently going through Parliament.
One headline fact that has been mentioned many times is the size of the fine that can be applied for a breach of the GDPR principles. Article 83 provides for fines of €20 Million or 4% of the annual worldwide turnover of an organization, whichever is higher, for a serious breach. This figure is enough to concentrate the mind, and because of the Regulation's importance, size and complexity, a lot of people are worried about the implementation of the GDPR and their preparedness for it.
At The Open University, various individuals and departments have been working on the implementation of the GDPR for some time and ensuring that all OU processes are compliant with the Regulation. Because of the issues around Brexit, the Information Commissioner’s Office does not presently have a definitive guide to the GDPR but rather has a living document that provides guidance as it is available. This does mean that organisations are not expected to have every procedure and process in place on 25th May 2018; rather they need to be able to demonstrate that they are working toward it.
The GDPR will affect research and individual researchers. For some of the issues affecting researchers I would direct you to my recent editorial in Maturitas available at: https://doi.org/10.1016/j.maturitas.2018.01.017