GDPR in action

On May 25th, 2018, the new General Data Protection Regulation (GDPR) is coming into force and it will change the way how business and public sector organizations should process and handle data. The current data protection rules were created in the 90’s. With the growth of the internet and social service providers, it is high time for renewed regulations. Have you ever noticed that online adverts magically match your interest? Maybe you’ve just been browsing for your favorite sneakers and suddenly they are showing up everywhere. Are you one of those who tries to share as little on social channels as possible to protect your privacy? At the end of May 2018, a huge set of regulations will become law with the aim of protecting user data privacy. According to the EU’s GDPR website, it aims to harmonize data protection laws across Europe and protect individuals. Nevertheless, it will surely bring some changes for companies and public organizations regarding how they are allowed to use data in order to avoid enormous fines.

Do you have personal data online?

To answer this question, first get familiar with what ‘personal data’ means. The EU defines it like this: "Personal data is any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, genetic, mental, economic, cultural or social identity of that natural person.”

So, the answer to the original question is definitely yes. Everyone who has ever used the internet also has personal data online. Unless you have lived under a rock in the past 25 years, Google, Facebook, and Apple know a surprising amount about you. Moreover, according to the description, GDPR affects practically each and every company with customers and users. In online terms, it affects all websites with registration and even more. Personal data is used for location services, notifications, targeted advertising, personalized content, and many other features.

What does this all mean in practice?

Practically, more rights for the users! EU citizens (including consumers, employees, and partners) will have more rights than ever. Among others: the right to be forgotten, right to access and the right to object. It should enable easier access to the data that companies hold about you and places a clear responsibility for organizations to obtain your consent when they collect information about you.

It’s yet to be seen how the implementation of the new regulations will turn out. GDPR was obviously created with the personal-data-giant social service providers, such as Google or Facebook in mind. The consequence of not complying with the new regulations will be particularly heavy monetary fines: smaller offenses could result in fines of over €10 million or two percent of a firm's global turnover (whichever is greater). This potentially could mean the end of some small- or medium-sized companies if they fail to comply with the new regulations. However, it might be a different case with the previously mentioned data-giants which have both the power and wealth to create dedicated teams to help them comply with the regulations.

Personal data or sensitive personal data

Both are covered by the GDPR. Personal data roughly means any kind of data that can be used to identify a person. This could be a name, address, IP address. While personal sensitive data is, for example, religious or political views, sexual orientation and more. These rules are much similar to the currently valid rules. The difference made by GDPR is that pseudonymized personal data can also fall under the law if the person is identifiable by the pseudonym (fictitious name or user ID).

Citizen Science and Data Protection in the European Union

The new change in the status of pseudonymized personal data may have consequences on Citizen science projects and create some headaches to researchers and their data specialists. For scientists, in order to validate and analyze the success of their methods, study behavior patterns and draw conclusions, data collection is essential. Both Citizen Science and personal data protection are highly prioritized at the European Union’s agenda, however in a somewhat contradicting way. Horizon 2020 is the biggest EU Research and Innovation programme ever with nearly €80 billion of funding available over 7 years. The main goal is facilitating more breakthroughs, discoveries, and world-firsts by taking great ideas from the lab to the market. It encourages Citizen Science on many points with a call for “Science with and for Society”. GDPR could create challenges for the concept of open-schooling and collaboration promoted by Horizon 2020. Validating participants’ age online is an issue in itself. The new regulations require age limit but do not provide any clear ways how to validate it online. In Denmark, there is a system called NemID, a national identification system which can be integrated online but it is only for Danish residents. School-age means mostly children, not yet reached their majority of age. In order to collect any kind of data from children under 16, scientists and research groups need parental consent which makes the collection of data from this age group a real challenge. As it stands right now, there isn’t any established way yet of getting this consent reliably, without minors being able to pretend they are older then what they actually are.
The same goes for education and research targeting different ethnic groups and refugees as this kind of personal status counts as sensitive personal data. Those regulations involve plenty of strict rules about how the data can be collected, transferred, stored, and analyzed. Such as data cannot be simply sent through online channels. For example, if two scientists at different universities are working together on a dataset, they are not allowed to send the material to each other in an email or through online services unless you have a data treatment agreement with them. A legal way could be copying the documents on an encrypted USB stick and send it by regular mail, which is a huge step-back regarding collaboration and research speed.

The following months will certainly bring challenges to companies & research groups regarding how they gather and use data in the future. Follow us for further updates on how GDPR affects science and research projects.