General Data Protection Regulation (GDPR)

What is GDPR?
• GDPR is a European law which went into effect on May 25, 2018.
• Governs the type of notice that must be provided to people regarding how their identifiable data is used.
• Governs how companies are allowed to use and process identifiable data.
• Has stricter requirements for using sensitive data.
#2019ResearchExpo

To Whom Does GDPR Apply?
• Those who offer goods or services to persons in the EU/EEA.
  European Economic Area (EEA) = European Union (EU) + Iceland, Liechtenstein, Norway, & UK
• Those who control and process data about persons in the EU/EEA.
• Personal Data = any information that can identify a person.
• Sensitive Data = race/ethnicity, political opinions, religious/philosophical beliefs, union membership, genetic data, biometric data, health data, data concerning a person's sex life or sexual orientation.

Who Are Controllers and Processors?
• Controllers specify the means and purpose of the data processing.
  Example: Industry Sponsor, PI of Investigator-Initiated research
• Processors conduct the processing under the direction of the controller.
  Example: Clinical Research Coordinators, Database Administrators, PI of Industry-Sponsored research

What is Data Processing?
Processing of data involves any and all of the following:
• Adapting
• Altering
• Collecting
• Combining
• Consulting
• Destroying
• Disclosing
• Erasing
• Organizing
• Recording
• Retrieving
• Storing
• Structuring
• Using

What is Needed to Process Data?
A lawful basis for doing so. A lawful basis can be:
• When required for a contract
• When required for public interest
• When required to comply with a law
• When required to protect an individual's life
• When required for the legitimate interests of a third party (no sensitive data)
• When freely given consent for a specific purpose has been provided
If sensitive data is being processed, explicit consent for those data elements is required.

What Elements of Consent are Needed?
• Name and/or title of the data processor
• The purpose and basis for processing of the subject's data
• The type of data to be processed
  Remember: When sensitive data are going to be processed, these data elements must be explicitly listed in the consent.
• If data will be transferred to a less secure country (i.e. the U.S.)

What is Needed for Legally Effective Consent?
• Must be in clear and plain language, intelligible, and easily accessible
• Must be specific about the purpose of the data processing
• Must be distinguishable from other matters
• Must be given by a clear act or statement
• Must be an unambiguous indication
• Must fully inform the data subject
• Must be freely given

I Got Consent! Now What?
Processors and Controllers must ensure privacy:
• Limit access to the data
• Code or encrypt the data where possible
• Limit processing to only the necessary data
• Retain the data for the least amount of time possible
• Incorporate data protection into the processing activities

What About Secondary Research?
• Secondary research also requires a lawful basis for processing of personal data.
• Sensitive data must be explicitly detailed in the consent document.
• The purpose of the secondary research must be compatible with the initial purpose when consent is not obtained initially.

What Are the Subject's Rights Under GDPR?
• Rectification of the personal data
• Notice when their personal data is used (includes modifications and erasures)
• Can restrict how their data are processed
• Can reject automated individual decision-making
• Access to their personal data collected about them
• Must be able to receive their data and transfer it to a third party

I'm a U.S. Researcher, Does This Rule Apply?
• Most research in the U.S. is not subject to this rule.
• Exceptions (including but not limited to):
  - Web-based surveys
  - Studies with long-term follow-up
  - Long-term biometric monitoring studies
  - Studies sponsored by companies in the EU/EEA

How Can I Remain Compliant?
• Exclude people in the EEA from taking web-based surveys
• Ask participants if they'll be travelling to the EEA during the study
• No GDPR language in consent when people in the EEA aren't subjects
• Include GDPR template language when appropriate
  The IRB provides template language in our template HRP-502 Template General (2018 Common Rule Compliant) on our forms page.

What Happens if I Don't Follow GDPR?
• Fine of either €20,000,000 or 4% of annual revenue (whichever is more) for:
  - Not having a lawful basis to process data or getting insufficient consent
  - Not being able to allow individuals to exercise their rights
• Fine of 2% of annual revenue for:
  - Not having records in order
  - Not providing proper notification of a breach

QUESTIONS?
