In general, research occupies a privileged position within the new data protection regulations (GDPR). Organisations that process personal data for research purposes may avoid restrictions on secondary processing and on processing sensitive categories of data. As long as they implement appropriate safeguards, these organisations also may override a data subject’s right to object to processing and to seek the erasure of personal data.

Additionally, the GDPR may permit organisations to process personal data for research purposes (as a primary purpose) without the data subject’s consent. In isolated cases, these organisations may be able to transfer personal data to third countries for research purposes, without any other transfer mechanism in place. For medical research, the Faculty of Medicine recommends looking at the NHS Health Research Authority GDPR guidanceAlso, you can consult this short fact sheet that dispels some current GDPR misconceptions and these answers to commonly asked questions about the GDPR published by the Regulatory Support Centre of the Medical Research Council.