Genomic medicine and research: when does the GDPR apply?

The Information Commissioner’s Office has awarded the PHG Foundation a research grant to investigate how the GDPR impacts upon the field of genomics

Discussion paper

This discussion paper was published as part of the project: Data protection and genomic data. The Information Commissioner’s Office awarded the PHG Foundation a research grant to investigate how the GDPR impacts upon the field of genomics. The subsequent report: The GDPR and genomic data, is available to download.

The EU’s General Data Protection Regulation (GDPR) gives rise to significant uncertainty for those working in genomic medicine and research in Europe and those in collaborations involving EU citizens’ data. In this discussion paper we address the challenge of understanding whether the GDPR applies to the data and the stakeholders involved in genomics projects.  We outline one approach to this question and highlight the definitions of ‘personal data’, ‘pseudonymisation’ and (joint) ‘control’ which will influence when uses of genetic and clinical data will be governed by the GDPR. If this is the case, researchers and health care professionals are required to support individuals rights and fulfil the obligations set out in the GDPR.

Key points 

  • Whether the GDPR applies depends on the nature of the data and the context: if there are means to identify an individual which are reasonably likely to be used by legitimate users or third parties, then the GDPR will apply
  • It is not yet clear if ‘pseudonymised’ data are always ‘personal data’ and if the possibility that they will be combined with a key to identify an individual will be enough to constitute ‘personal data’, or, whether pseudonymisation can lead to successful anonymisation if this is no longer reasonably likely to occur
  • The GDPR does not apply to familial genetic or clinical information unless it is possible to distinguish the individual family member it relates to
  • The GDPR may still apply to an organisation, professional or researcher that does not deal with ‘personal data’ if they help determine the purposes and means of processing personal data.

Another discussion paper, Genomic medicine and research: how does the GDPR apply? is available.

By Colin Mitchell, Johan Ordish

Genomics and policy news

Sign up