Blog: GDPR guidance updated as new law approaches

Last updated on 24 Apr 2018

By Janet Messer

Update: The UK Data Protection Act 2018 was enacted on 23 May 2018. Our GDPR guidance has been updated accordingly.


It’s only one month now until the General Data Protection Regulation comes into force on 25 May 2018. When the legislation was being developed there were concerns that health and care research would be badly affected. In fact, because of input from the research community explaining the existing protections and arrangements for research, the legislation will have only limited implications for health and care research. However, some of the details of the requirements for research have only recently become clear because they had to be set out in national legislation – and the Data Protection Act 2018 is still completing its passage through Parliament. So getting information out to you is still a work in progress.

We have already published information interpreting the legislation and setting out operational arrangements to support the transition to the new legislation. With one month to go, we have updated that guidance, which you can read here. We’ve simplified the information for organisations to help those responsible for corporate arrangements to understand the specific aspects relating to research, and added more detail to the operational guidance.

Importantly, we’ve published recommended text to be provided for research participants to ensure they have the required information about processing of personal data for research studies they are invited to participate in, or are already participating in. We’ve tried to keep the process for achieving compliance with the new legislation as simple as possible. With the standard text we have provided, you can bring existing studies in line without needing to submit amendments for approval or re-consent participants. And new studies can simply include the standard text as part of the participant materials you include in your application.

Our operational guidance is aimed at chief investigators and sponsors, but it is important for those delivering and supporting studies at sites to be aware of the guidance too as they will be providing information to participants.

Our updated guidance includes explanation of the following topics based on feedback and queries:

  • why consent is not an appropriate legal basis for processing personal data in research, and how this is distinct from consent to participate in research and other legal, common law and ethical reasons for consent
  • why the research sponsor acts as controller in relation to processing of personal data, and the role of care organisations either as processors for the sponsor in relation to research, or separately as controllers in their own right for processing of personal data for care
  • data subject rights, and exemptions that may be applied in research settings
  • the distinction between obtaining personal data directly from participants, and indirectly via a third party - and possible exemptions from transparency requirements that may apply when information is obtained indirectly from third parties

There are a few areas we are still working on – so please hold on before doing anything that you might need to unpick. These are:

  • Guidance and standard text where personal data is being transferred outside the EEA
  • Handling of consent-for-consent registers (where patients sign up to be informed about research studies) and other arrangements for inviting potential participants
  • Guidance for handling personal data of research teams
  • Arrangements for putting in place or updating agreements between controllers and processors

We are also developing a new template that will enable applicants to undertake a risk assessment of impact on privacy for new studies, to enable sponsors to have a documented record of the compliance arrangements. This is intended to avoid sponsors and participating sites developing lots of different forms for researchers to complete.

We know that others are providing guidance and support to the research community, like the MRC Regulatory Support Unit and the Information Governance Alliance, so please make use of their resources too. If you have any queries once you have read the guidance, please contact us at jennifer.harrison@hra.nhs.uk
