The European Union’s General Data Protection Regulation (GDPR) and Academic Research

Bree Norlander presenting in front of power point screen

By Bree Norlander, TASCHA Research Scientist

In spring of 2018, I was working with my TASCHA colleagues on the Mobile Reading Data Exchange (MRDX) project to better understand mobile reading patterns across the globe. Around the same time, we became aware of the European Union’s General Data Protection Regulation (GDPR), its upcoming implementation date of May 25, 2018, and our need to comply with its regulations. Our project worked with Worldreader, a global application that analyzes data by accessing user content on their mobile application, including data from users in the European Union.

After reading more about GDPR, we realized that our best option was to wrap up our research and delete the data by May 25th, 2018.

We knew that we wouldn’t be able to revisit data from the EU in the future so we focused on answering only the highest priority research questions before the GDPR implementation date. Generally, research often revisits and re-analyzes data for publications and presentations, which meant that data deletion was the only way for our project to be GDPR compliant given the timeline.

I later shared this story with Anissa Tanweer, a researcher in the eScience Institute, and we decided to collaborate on a presentation for researchers regarding GDPR so other research teams could learn from my experience. With the help of Emily McReynolds from Microsoft Research (and formerly of the UW Tech Policy Lab), and Ann Nagel of the UW Privacy Office, we presented an overview of GDPR and focused on the pieces of the regulation that were particularly relevant to researchers.

GDPR for Researchers

McReynolds provided key data points about GDPR, including that the document is 88 pages long with 173 recitals (12 of which mention research specifically) and 99 articles (5 of which mention research). And while academic research is not exempt from GDPR, it is afforded more freedom than the business sector. Article 89, “Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,” directly addresses data used for research purposes.

Addressing GDPR at the University of Washington

Nagel spoke about how the UW has been addressing GDPR, as well as several other data protection regulations globally. There are working groups and subgroups at the UW to identify areas in which data may be particularly high-risk when it comes to laws and regulations. These working groups also help create the UW’s own regulations that navigate the multitude of rules that the University is subject to, such as the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act (HIPAA), GDPR, and WA State’s Public Records Act. Navigating compliance at the UW is particularly difficult because many of the regulations are in direct conflict with one another.

At TASCHA, our learning of GDPR and how it relates to our current and future research is ongoing. We continuously work with the UW Privacy Office to ensure our research is compliant in all areas to the best of our ability.

 

Learn More About GDPR at the UW