New EU privacy legislation has significant consequences for researchers
By Trond Selnes
It’s nearly time for the General Data Protection Regulation (GDPR). This new European privacy legislation will come into force for all Member States on 25 May 2018. While I do believe that this is excellent legislation that attempts to guarantee the privacy of citizens, it has significant consequences for scientific research.
The right to be forgotten
The GDPR states that citizens have the right to be forgotten. This means that citizens can indicate that their details may not be stored in certain databases. If this concerns separate databases, the problem can still be contained. Yet, in practice, researchers want to use these databases for multiple research projects. Sharing scientific knowledge is one of the foundational pillars of the European research infrastructure in the Food, nutrition & health domain. The consumer might have given permission at some point for sharing their data, but only for scientific research. Under the new legislation, that same consumer may revoke that right and the data may no longer be used.
Working together to find the dos and don’ts
Another mindbender is that as a data collector, you must at all times be able to show where this data is stored, what you’re planning to do with it and which risks this presents to citizens. Moreover, consumers must have easy access to their own data. Therefore, within the research infrastructure, we need to make clear agreements with other knowledge institutes and companies. Together with FrieslandCampina, Philips, Danone and Unilever we are working on the Smart Food Intake project, which has given us a lot of experience in dealing with these issues. First, we want to identify exactly what the precise consequences are of the GDPR, as there are still many uncertainties. By learning from each other, we want to work towards creating an overview of a code of conduct: the dos and don’ts.
Open data portal for consumers?
It falls outside of the scope of the research, but eventually we would like to provide custom service to the European consumer, including those who want to be forgotten. We have to design data management in such a way that we always know the exact location of the research data of person X, so that we can also easily remove them from existing data sets. My idea is to create a consumer portal connected to the European research infrastructure through which consumers can easily access their data. This is based on the assumption that the consumer trusts this system and privacy is guaranteed.
A bright future
This new privacy legislation could have a deeply penetrating effect on European society. For data collectors like us, it will become quite a challenge to anticipate all the effects, especially if you want to learn from one another within one European research infrastructure by sharing and linking knowledge. How this legislation will be implemented is still unknown, but I think that one thing is sure: it heralds a bright future for data managers.
Want to know more about this topic? Visit Research infrastructure for health and nutrition on wur.nl.