IRB Frequently Asked Questions
How do I ensure my human subjects research study complies with the GDPR?
- Collect only the absolute minimum personal/demographic data needed to complete the study. If your study can be completed using only de-identified data, then we strongly advise you to take this approach.
- Many online survey sites collect personal data, including IP addresses, by default. Ensure that you set up your study to receive only the information you need to complete your study. To the extent possible, verify that any third-party website or app being used for data collection is GDPR-compliant.
- If you are relying on consent as the legal basis for your collection and use of personal data, use an active (“opt-in”) informed consent. Under the GDPR, consent for the processing of personal data must be freely given, specific, informed, unambiguous, and explicit. A description of the data processing and transfer activities to be performed, if applicable, must be included in the informed consent document.
- Ensure that your consent form is in compliance with GDPR requirements and that you are able to keep a record of each subject’s consent.
- For activities in which identifiable data is collected, you must have an executable plan to delete data in the event a participant requests to have his/her data removed.
How are human subjects research consent documents and processes affected by the GDPR?
- If you are relying on consent as your legal basis for processing personal data (and/or if you are processing Sensitive Personal Data), records of consent, including time and date of consent, must be maintained for each subject. In the case of verbal, online, or any other type of undocumented consent, the Principal Investigator is responsible for maintaining a consent log indicating each subject (either by name or study ID number) and the date and time that consent was provided.
- Consent for processing of personal data must be explicit. If the consent form or consent script serves multiple purposes (e.g., a consent form that is also the recruitment email), then the request for consent must be clearly distinguishable.
- Each subject has a right to withdraw consent at any time. Each subject must be informed of this right prior to giving consent. Withdrawal of consent must be as easy as giving consent.
- Consent must be an affirmative action. This means that opt-out procedures are not permitted.
- Consent information must be provided in clear and plain language in an intelligible and easily accessible format.
- Consent must be freely given. Individuals in a position of authority cannot obtain consent, nor can consent be coerced.