The General Data Protection Regulation (GDPR) [1] comes into force across the European Union on 25th May 2018. It is a major piece of legislation that will control how personal data is used and stored, in order to protect an individual's privacy. Essentially it updates the previous data protection laws and makes them fit for purpose in the 21st century. Many of the provisions within the GDPR are aimed at organisations and designed to prevent them from harming an individual's privacy. One of the often reported aspects of this is the fact that a serious breach of the GDPR could result in a fine of up to €20 million. Whilst researchers and writers of case reports will hopefully not have to concern themselves with this aspect of the GDPR, there are some key aspects of the GDPR that they will need to consider. According to Article 4 of the GDPR, “personal data” constitutes any information that relates to a natural person that can identify them, either directly or indirectly. Anyone who “processes” that information has to be aware of their responsibilities: processing includes collection and dissemination of personal data. To use an individual's personal data for research or publication purposes, consent has to be obtained. The GDPR has considerably improved and strengthened the consent requirement from that required in previous data protection laws. Those who are relying upon an individual's consent to use their personal data for research or publication purposes will need to prove that the individual has consented. Consent cannot be via an “opt-out” procedure whereby if you don't opt-out your data will be used. There is an onus to be able to prove that consent has been obtained. Where the consent is obtained in a written document, the consent request has to be ‘clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language’ (Article 7 (2)).
Children under the age of 13 cannot give their own consent (Article 8 (1)), and those seeking to use a child's personal data have to take reasonable steps to verify that the person with parental responsibility has provided consent. Withdrawal of consent has to be as easy as the initial provision of consent. This means that individuals must be told that they have a right to withdraw their consent, and the ways in which they can do this.
               