The General Data Protection Regulation (GDPR) comes into effect on the 25th of May 2018 across the European Union (EU). This law was designed to strengthen the protection of virtually all types of online data across all platforms, giving EU residents greater control over what businesses and organisations can and cannot do with their information. In Part I, we discussed the details of the GDPR and how this could change the general online landscape. In Part II, we examined how stronger data protection laws will affect social media. In Part III, we will analyse how the GDPR will impact the Australian health, medical and scientific community.
What are its implications for the Australian health and scientific community?
The health, medical and scientific community is a global, intensely interconnected and collaborative space. There is no doubt that the GDPR laws will reverberate across the world, impacting the way scientific research is conducted and how organisations and businesses manage their stakeholders and their identities online.
Research data and collaboration
Research holds a unique position within the legal framework of the GDPR. Institutes and organisations that use personal data and medical records as part of their research may be exempt from certain restrictions, on the proviso that appropriate measures are put in place to protect data and to minimise the amount of data that is recorded and processed. Overall, the burden of data processing and protection will increase under the GDPR.
For the most part, these measures will also extend to the transfer of personal data to countries outside of the EU, meaning organisations receiving this data will also have similar protections in place. While these changes will impact European research institutes, organisations and businesses the most, considering the global and deeply collaborative nature of science, the GDPR will surely affect how all research is conducted, whether it is basic science research, clinical trials or the translation and commercialisation of research.
On the other hand, the GDPR does attempt to foster efficiency with changes to certain areas that can often be hampered by sometimes unnecessary bureaucracy. For example, EU citizens may not be able to request the erasure of personal data that has been used in research, while the purpose of research may provide organisations with a legitimate basis to process personal data without an individual’s consent. Similarly, research organisations may be able to use personal data outside the purposes for which they were initially collected. This exemplifies the GDPR’s attempt to balance conservative protection with boundary-pushing innovation.
However, the definition of ‘research’ in the GDPR is diffuse, which gives it a broad scope. While this ensures that research projects are not left behind, it also may leave room for the exploitation of loopholes. Could data mining and analytics endeavours undertaken by organisations, such as the recent controversial actions of private firm Cambridge Analytica, be defined as ‘research’? This remains an area of concern and in need of further refinement from the lawmakers in the EU.
Managing online communities
The GDPR will also affect how research organisations and businesses manage their global reach with stakeholders online, particularly in regard to social media and newsletters. As discussed in Part II of this blog series, the GDPR will have implications for how user-generated content (UGC) can be repurposed by organisations and businesses. This necessitates greater caution when re-posting content created by staff or students on official social media channels, particularly photos or images, whether of themselves in the research environment or of exciting results from an experiment. While it is highly unlikely that scientists will post fully annotated results and figures on social media platforms, the GDPR will align with current copyright law in publishing, whereby graphs or images can only be reproduced with the permission of a publication’s authors.
Furthermore, many research institutes keep interested stakeholders informed with newsletters sent via email. With a shift towards an opt-in model, as mentioned in Part I of this blog series, the GDPR may require organisations to revisit email databases to affirm subscriptions. While not a seismic change, it’s the type of painstaking, messy and laborious work that is often neglected or ignored. Also, email address mining of EU residents for newsletter databases will no longer be an acceptable practice, impacting how effectively organisations can build their online audience, with downstream effects on expanding organisation profiles, highlighting research impact, organising conferences and meetings, and even philanthropic missions.
The GDPR and the impact on the innovation, health and scientific community
With big data, bioinformatics and the exponential increase in computer processing capabilities emerging as major players in many fields of scientific research, data privacy and protection have become hot topics of discussion. Not only will the GDPR change how research organisations and related businesses, both inside and outside the EU, work on an operational level, it will also modulate digital communication strategies and protocols. The best way to prepare for these changes is to be informed and to begin complying with this new law before the changes come into effect on the 25th of May 2018.