The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

This operational guidance has been produced for researchers and study coordinators on the implications of the GDPR for the delivery of research in the UK.

It has been prepared in collaboration with a range of stakeholders, and reviewed by the Information Commissioner’s Office. The HRA is the body nominated to publish guidance on the implementation of the General Data Protection Regulation and Data Protection Act 2018 for health and social care research.

In most cases the impact on individual research projects will be limited. This guidance is aimed specifically at researchers and study coordinators managing individual research projects, and will therefore be of interest to site and sponsor research managers supporting them. 

The HRA has also published separate guidance relevant at an organisational level for NHS R&D offices, university research offices, company senior managers, Data Protection Officers (DPO), or information governance leads / security architecture leads.

Note: In this guidance, NHS is used to also refer to HSC organisations in Northern Ireland.

Using this guidance

The menu on the left allows you to move between different sections, or by clicking on the blue 'Next' buttons you're able to work through all of the guidance from start to finish.

We will continue to add to the guidance, so please check back for new information.

Read: Janet Messer, HRA's Director of Approvals Service, blogs about what's changed in the latest update

Alongside this guide, we have also produced several templates that may be useful: