GDPR Consent Guide

The European Union has additional requirements regarding data privacy, referred to as the General Data Protection Regulation ("EU GDPR" or "GDPR"). If you are working with personal data collected in, or transferred from, any European Economic Area country, GDPR will be relevant. This includes data collected, obtained, or used for research projects. Failure to follow GDPR if it applies constitutes non-compliance.

GDPR requires a legal basis to collect and process (e.g., analyze) personal data. In order to use personal data for research, the legal basis that generally will apply is consent from the data subject.

Consent must be freely given, specific, informed, and an unambiguous indication of the data subject’s wishes, expressed by a statement or by a clear affirmative action:

Freely given means the individual must have a realistic choice, or the realistic ability to refuse or withdraw consent. Individuals in a position of authority cannot obtain consent, nor can consent be coerced.

Specific means the consent must be explicit and transparent and contain the following information:

    • Identity of the Principal Investigator
    • Purpose of the data collection
    • Types of data collected, including a listing of any special categories of data. Special categories include information about a data subject’s health, genetics, race or ethnic origin, biometrics for identification purposes, sex life or sexual orientation, political opinions, religious or philosophical beliefs, or trade union membership
    • The right to withdraw from the research and the mechanism for withdrawal
    • Identity of those who will have access to the data
    • Time period for which data will be stored (can be indefinite)
    • Information regarding data security, including storage and transfer of data
    • Information regarding automated processing of data for decision making about the individual, including profiling
    • Whether and under what conditions data may be used for future research, either related or unrelated to the purpose of the current study

Informed means that subjects are made aware of the risks, how their data will be safeguarded, their rights in relation to the research (as described below), and how to exercise those rights.

Unambiguous means consent is given through a statement or clear affirmative action.

    • This may be by a written or oral statement or other affirmative act demonstrating consent. For instance, checking a box can indicate consent, while silence or pre-ticked boxes that require unchecking (opting out) cannot.
    • Investigators should be able to demonstrate that a particular subject consented to the research. Consent records, including time and date of consent, must be maintained for each data subject.
    • If the consent form serves multiple purposes, the request for consent must be clearly distinguishable within the document.
    • The IRB cannot waive informed consent under GDPR.

Additionally, there are certain rights that data subjects have:

  • The right of access to their data
  • The right to request corrections to their data
  • The right to withdraw and to request erasure of their data. In this case, data may be retained only if it is anonymized or if another legal basis exists to retain the data. This may include:
    • The need to protect scientific research if deletion would render impossible or seriously impair the research objectives; or
    • The need to protect the public health by ensuring the accuracy and quality of data related to medical care or to investigational drugs and devices
  • The right to request transfer of their personal information to a third party (such as a personal physician) in a format suitable for re-use

Templates: LSU GDPR Consent for Participants, LSU GDPR Consent for Co-Investigators