GDPR: New Regulations for Human Participant Research Involving Data Collection in or Transfer of Data from the European Economic Area (EEA)

IRB logo

Office for Research Protections     |     Institutional Review Board (IRB)


Investigators at Penn State conducting human subjects research activities in the European Economic Area (EEA) or receiving human subjects data from the EEA may be subject to the European Union (EU) General Data Protection Regulation (GDPR).  The EEA includes the 28 member nations of the EU and also Iceland, Liechtenstein, and Norway.  To date, GDPR applies to the United Kingdom, and is expected to continue to apply in a substantially similar form following the UK’s expected withdrawal from the EU.

The GDPR, effective May 25, 2018, is a European law that establishes protections for the privacy and security of personal data about individuals located in the EEA. As related to research, the law establishes circumstances under which it is lawful to collect, use, disclose or process personal data.  Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. It is important to note that under GDPR the standard for de-identification is unique and different than standards that may otherwise typically be applied.

The law also establishes certain rights of individuals in the EEA in certain cases, including rights to access, amendment, and erasure (or the right to be forgotten), requires appropriate security measures for personal data, and requires notification to certain authorities in the event of a breach of personal data.

If personal data is being or will be collected from participants in research, the IRB may require additional consent form elements to comply with the GDPR, and the IRB may not be able to waive the requirement for informed consent in situations where it might otherwise. 

To ensure that a protocol fulfills the requirements of GDPR, Penn State’s IRB may have to coordinate with the Office of General Counsel and the Office of Information Security.  Consequently, the time from IRB submission to approval may be much longer than is usual, so investigators should submit far in advance of their intended date to start data collection.  Before they submit to the IRB, investigators should also discuss GDPR data storage and security requirements with the local IT support.

For more information, see the OIS webpage on the GDPR:  You can also contact OIS at or the IRB at or 814-865-1775.