
Table 2 General Data Protection Regulation (GDPR) as a barrier for cross-border health data sharing, linking and managing

From: Enablers and barriers to the secondary use of health data in Europe: general data protection regulation perspective

GDPR as barrier

Data sharing

There are many more concerns about data protection, which makes it more difficult to share data for scientific purposes

GDPR limits some projects to only share the aggregated data as a way to avoid sharing individual-level data and the GDPR challenges that come with that

GDPR implementation

GDPR is a unique and interesting regulation, but the interpretation and implementation of the GDPR have caused problems and represent a challenge in Europe, which needs to be addressed

Time

GDPR slows down the process. The idea behind GDPR is not to make research more difficult; the same research can still be conducted, but the process is just slower and more complicated

Workload (and resources) involved in GDPR compliance

Implementing GDPR is a major work burden and represents a problem in projects that work with limited budgets from research funding and limited personnel, as the legal issues take much more time and work than is available, which restricts carrying out the project simultaneously

The workload to be GDPR compliant is a barrier for projects

There is a lack of funding to set up data and information exchange systems, which would be compliant with the GDPR

Local legislation

There are differences in national interpretation and implementation between countries; and sometimes national regulations are contradictory to the GDPR

Different (and stricter) interpretations

Locally there are differences between countries as to how strict they are about the interpretation of the GDPR and specific laws, which represent a barrier

There are interpretations of the GDPR that are stricter than was intended with the GDPR

A lot of people over-interpret the GDPR and make it stricter than was intended

GDPR implementation in countries without pre-existing laws concerning data privacy

GDPR did not make a big difference in countries with already strict legislation, while it did have an impact on countries where strict legislation did not exist prior to the implementation of the GDPR

Access to data

Access to individual data is restricted for third parties; only aggregated results are shared

GDPR and privacy concerns are sometimes used as an excuse to stop sharing the data

Data providers are concerned about eventual violation of the data protection laws, which leads some countries to stop sharing their data

GDPR interpretation

There is a contradiction in the interpretation of the GDPR between reading it word by word and the spirit and the purpose of the GDPR

Lawyers are not sure how to interpret GDPR, which, in the end, makes the interpretation of the GDPR stricter to ensure compliance with it. There are different interpretations of the GDPR, which represents a barrier

Novel approaches towards health data

When developing novel approaches to dealing with health data, solutions tend to be restrictive to ensure compliance in all the countries

Identifiable and individual-level data

GDPR is an issue with health data narrowly defined by region, sex, age group and International Classification of Diseases (ICD) code where the size of the sample is very small (1, 2 or 3 persons), as it could be a way of identifying individuals

When it comes to rare diseases, data is potentially identifiable. There is a great concern when dealing with individual-level data as everything is potentially confidential and re-identifiable

GDPR makes it complicated to work with anything resembling individual-level data as everything is potentially confidential and identifiable