Scientific journals and funding bodies often demand researchers to submit individual genetic data from studies in research repositories to help inform future research. The introduction of the EU General Data Protection Regulation (GDPR) can complicate such requirements, according to researchers who presented their findings at the annual conference of the European Society of Human Genetics.
The investigators investigated the practical challenges faced by researchers as they attempt to meet the requirements of funders and journals.
According to the GDPR, participants in studies have the right to withdraw consent for the further use of their data. To exercise this right, they must be informed about the processing of their data in research repositories. However, the way in which some repositories are set up can make it difficult for researchers to comply with the law.
A further challenge lies in the GDPR's requirement for data processing to be limited to what is necessary to fulfil a study's objectives, ruling out the long-term retention of data for unspecified uses. The destruction of such data eliminates resources that may be useful in the future, thus reducing research efficiency. These difficulties stem from the fact that legal and ethical design are not always embedded into the research protocol from the beginning. This means that this is often added as an afterthought.
However, solutions are available to address the issue. “If you introduce a novel technique in the lab, you need to account for it and make it work with your existing systems, for example IT and other lab equipment,” says Deborah Mascalzoni, Senior Researcher at Uppsala University in Sweden and at EURAC Research, Bolzano, Italy. “It is the same with the GDPR that in essence is a good piece of law.”
It is not just researchers who need to change their working practices. “Journals need to rethink their policies in these cases,” says Mascalzoni. “Because participant trust is so crucial to the future of research, we were surprised to find that research repositories had not already changed their modus operandi and that journals and funders had not amended their policies to account for the GDPR.”