GDPR & Research

This page provides information to researchers on how to comply with the requirements of the General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA), throughout all stages of conducting research.

You can find more information about the specifics of the legislation on the GDPR details for researchers page.

GDPR has meant some significant changes for anyone using identifiable information in their research. If your proposed research involves identifiable personal data you must obtain advice from the university's Data Protection Officer at

This Guide sets out some of the key issues for University researchers to be aware of when planning and conducting research projects that involve the processing of personal data. It should be read alongside the University’s other research policies, procedures and guidelines on good research practice.

Does GDPR apply to my research data?

GDPR is only concerned with information relating to living individuals who are identified or identifiable.

It applies to the collection, storage and any other use of information that can identify an individual, either directly or in combination with other information that is reasonably likely to be available.

This includes a name, an identification number, location data, online identifiers (including IP addresses and data from cookies), and factors specific to a person's physical, physiological, genetic, mental, economic, cultural or social identity, including biometric data. This is classed as 'personal data' or 'personal information'.

Note that this does include data where the only identifier is a code (for example a study identifier) if that code can be related back to an individual in any way, e.g. via a registration log held by the PI. This is referred to as 'pseudonymised data' and it is still personal data.

GDPR does not apply if your research involves only fully anonymised data, i.e. there is no way of linking it back to the individual it relates to, including through a code or numerical identifier or by combining it with other available data. Note that the act of anonymising personal data is itself processing, so the original collection and the anonymisation step still have to comply.

GDPR requires additional conditions to be satisfied when dealing with ‘Special category data’. These are particularly sensitive personal data including racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health, sex life, and sexual orientation.

How does GDPR impact on me?

If you are dealing with identifiable information you have a responsibility to keep the data safe, keep data subjects informed and report any breaches.

Researchers – Steps to Take

Determine whether your work will involve personal information, as defined above. Remember that this includes (though is not limited to):

  • Pseudonymised data
  • Consent forms, which contain names and signatures and so are personal data even for studies where no other identifiable data is stored

Determine whether you will need to transfer personal information outside of the UK and, if so, what safeguards you will need to put in place.

Determine where data will be stored, who will have access to it, and whether it will be encrypted (at rest, in transit and on any portable device or removable media). If you use study codes, keep the key that links codes to individuals separately from the pseudonymised dataset, with access restricted to those who need it.

Determine who the data controller is for your study. This will generally be the Chief Investigator’s employer (i.e. usually the University of Wolverhampton). For Clinical Research, by default this will be the Sponsor (usually the CI’s employer or a Commercial Sponsor) but it can be assigned to, for example, an NHS Trust or CCG where the data is generated, shared between organisations etc. There is more information available here:

Ascertain whether any processing of personal data is being carried out by a third party on behalf of the University. This could be another organisation carrying out analysis or research, or simply storing the data on its servers. If so, the third party is a Data Processor and a data processor agreement must be in place between the parties before any data is shared. The University has a template that can be used.

Determine whether you wish, or are required, to make anonymised data available to other researchers after publication. If so, you can find further information about research data management

You are strongly recommended to create a Data Management Plan (DMP), which should be proportionate to the nature of your work. More information can be found here:

Ensure that any participant information sheets and consent forms include sufficient information to meet the GDPR requirements of Transparency. More information can be found here:

You will need to identify the GDPR lawful basis under which you/the University is processing the personal data you are using. As a rule, studies sponsored by an academic or NHS organisation process data on the lawful basis of public task (Article 6(1)(e)).

If your study is sponsored by a commercial or charitable organisation, the lawful basis is legitimate interests (Article 6(1)(f)).

Note that although you will normally need participants' consent to take part in the study as an ethical requirement, that consent is usually not the GDPR lawful basis for processing, and participant information should not describe it as such.

Suggested template wording can be found here:

Determine whether the additional steps required for special category data have been taken. This covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation. Processing this data requires a separate condition under Article 9 in addition to the Article 6 lawful basis; for research this is usually the research purposes condition (Article 9(2)(j)), together with the safeguards required by the Data Protection Act 2018.

If you will be working with this type of data, see further information found on the GDPR details for researchers page.

Reporting data breaches

If you suspect a data breach has occurred you must inform your line manager (or supervisor for students) and report it to the Data Protection Team via the online Data Breach Incident Reporting Form. The form should be completed by the staff member or their line manager, or the student or their supervisor, immediately after discovery (weekends and Bank Holidays excluded). Bear in mind that the statutory deadline for notifying the ICO of a reportable breach is 72 hours from the moment the University becomes aware of it, and that clock does not stop for weekends, so do not delay reporting until the next working day.

For further information on how the University deals with data breaches please refer to the Data Breach Policy.

How long should I keep different types of data?

The University has a Document Retention Schedule that outlines how long different types of records should be kept.

Data Protection requirements are not the only reason to retain data. You may also need to consider the future use of records or whether they may be of future historic value.