Learn about the research implications of the General Data Protection Regulation (GDPR).
Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a far-reaching law establishing protections for the privacy and security of personal data about individuals located in the European Economic Area, or “EEA” (the European Union, plus Iceland, Liechtenstein, Norway and Switzerland). Unlike domestic data privacy and security laws like HIPAA, which only apply to certain types of data, the GDPR applies quite broadly, including to certain “personal data” obtained or used for Cornell research projects. If your research involves any of the following, your project may be subject to the GDPR:
- Recruitment through social media, such that some participants may be residing in the EEA;
- Use of a third-party “processor” (e.g., Qualtrics, Skype, etc.) to collect data from participants who may reside in the EEA;
- Traveling to the EEA to collect data from participants; and
- Receiving data from collaborators or other third parties that have identified the data as being subject to the GDPR.
For detailed information, please read this guidance document, and contact the IRB with any questions. If the GDPR applies to your research, you will need to strictly adhere to the regulation’s requirements, including special provisions concerning informed consent, data security rules, timely notification of any security breaches, and the “right to be forgotten”, which permits any participant to request the removal of their data at any time. Failure to comply with the GDPR subjects Cornell to reputational harm and significant fines (up to 20 million Euros or 4% of the University's prior financial revenue).