GDPR: technical guidance

Technical guidance for data protection officers, information governance officers and research governance managers

We've worked with partners to develop technical guidance intended for Data Protection Officers (DPOs), research managers, information governance or security architecture leads, or equivalent roles. It may also be relevant to researchers. Some prior knowledge of terminology is assumed.

Researchers and study coordinators wanting to learn more about the implications of the GDPR for the delivery of research in the UK should read our operational guidance.

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

What does the new legislation mean for health and social care research, where the use of personal data is often crucial? The new legislation brings increased expectations of organisations processing personal data. Organisations need to be lawful, fair and transparent when processing or controlling the processing of personal data. However, the new legislation does not impede research. It reflects current good practice in research, through the safeguards that apply to all research using personal data. If your organisation is already using good practice under current data protection legislation, you will need to make relatively few changes to your policies and practices. 

Some aspects of the new legislation do not apply to research. For example, data can be stored for research for long periods of time, and it is recognised that personal data collected for any initial purpose can be used for research. There are also exemptions to some rights in a research context. However, the rights cannot simply be ignored. Research organisations must have other specific safeguards in place before using research exemptions. 

Note: In this guidance, NHS is used to also refer to HSC organisations in Northern Ireland.

Using this guidance

This briefing explains how you can meet the general requirements of the forthcoming legislation. Throughout, 'must' is used to indicate a legal requirement, not an HRA requirement.

This guidance may be updated over time.