On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force and all processing of personal data taking place on or after that date must be compliant with it. Below is part 1 of a report authored by Veale Wasbrough Vizards (VWV) in partnership with the CDRC on how GDPR will impact upon social science research.
The General Data Protection Regulation & Social Science Research
The information contained in this guidance is intended for CDRC Stakeholders – researchers making use of consumer-related datasets as part of their participation in the Consumer Data Research Centre and CDRC Data Partners both current and potential. This guidance does not contain any legal advice and no liability is assumed for any loss, damage or inconvenience arising as a consequence of any use or the inability to use any information contained in it. The legal position in a given situation is always dependent on the specific facts and circumstances.
The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and all processing of personal data taking place on or after that date must be compliant with its provisions.
The GDPR will supersede the Data Protection Act 1998 (DPA) as the legal regime that governs the processing of personal data in the UK. The GPDR brings a number of changes to data protection law including, notably, a new wider definition of “personal data”.
This guidance contains (1) a glossary of key terms under the GDPR; (2) a summary of the key principles of the GDPR and (3) Frequently Asked Questions for researchers.
Glossary of Key GDPR Terms
These terms are highlighted in bold in the summary and FAQs.
|Anonymisation||The process of rendering data into a form which does not identify individuals and where identification is not likely to take place. Where anonymisation is carried out effectively, neither the production nor the publication of the anonymised data will have any effect on any particular individual.
|Data Subject||A living individual who is the subject of personal data.|
|Data Controller||A person who (either alone or jointly) determines the purposes for which and the manner in which any personal data are or are not to be processed. They are usually organisations but can also be individuals, for example self-employed consultants.|
|Data Processor||Any person (other than an employee of the data controller) who processes the data on behalf of the data controller.|
|Lawful Basis (for Processing)||Organisations must have a lawful basis for processing personal data. The lawful bases include: consent; legitimate interests; necessary for the performance of a contract, necessary to comply with a legal obligation, necessary to protect the individual’s vital interests, or a task carried out in the public interest. Note that there are additional conditions which must be met to establish a lawful basis for processing “special category personal data” (see definition below).|
|Legal Basis||Beware of this term which does not have a clear meaning in the GDPR. The preferred interpretation is that it refers to a law of either the European Union or the UK that permits a particular kind of processing activity in principle – usually subject to conditions. Even where such a law exists and is relevant, the data controller must still have a lawful basis for that processing.|
|Marketing||This covers any advertising or marketing material not just commercial marketing. Promotional material, including promoting the aims of not for profit organisations is covered.|
|Multi-level authentication||Multi-level authentication is where a user has to input multiple pieces of evidence before being granted access. For example, a username and a password. More secure systems also require a generated piece of evidence, such as the number provided by a digital secure key which is commonly used for online banking.|
|ICO||The Information Commissioner which is the supervisory authority for data protection in the United Kingdom.|
|Personal Data/ Personal Information||Any information relating to a living person who can be directly or indirectly identified in particular by reference to an identifier. This includes names, email addresses, identification number, mac addresses, location data or online identifiers.|
|Processing||This means obtaining, recording or holding the personal information or carrying out any operation or set of operations on the information. This includes organising, adapting or altering the information, as well as disclosing and deleting information.|
|Profiling||This is the use of personal data to evaluate personal aspects relating to an individual, for example to build up a picture of their consumer habits.|
|Pseudonymised Data||The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and that additional information must be kept separately and subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable person.|
|Sensitive Personal Data/ Special Category Personal Data||This includes information relating to a Data Subject’s: racial or ethnic origin; political opinions; religious beliefs; trade union membership; health data; sexual life; genetic data; biometric data and criminal offences.|
|Safeguarding Conditions||Arrangements in relation to processing that is necessary for a research or statistical purpose which ensure that the processing is:
a) not likely to cause substantial damage or substantial distress to the data subject; and
b) not carried out for the purpose of measures or decisions with respect to the data subject (unless it is for the purpose of approved medical research).
|Transparency Notice||A document (hardcopy or electronic), which may be made up of several smaller documents that will explain to individuals what personal information about them the Data Controller collects and how it will use it.|