From 25 May 2018, the General Data Protection Regulation (GDPR, European Union, 2016a) will apply to any EU researcher or researcher in the European Economic Area (EEA) who collects personal data. The GDPR applies only to the data of living persons (Recital 27). Data which do not count as personal data do not fall under data protection legislation, though there may still be ethical reasons for protecting this information./
The GPDR (General Data Protection Regulation, Chapter 2, Article 5) prescribes that you should adhere to the following six principles when processing personal data:
The GDPR contains an exemption which entails that some of the principles above are slightly different when you collect and process personal data for research purposes. This is called the 'research exemption'.
Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that technical and organisational measures are in place in particular in order to ensure respect for the principle of data minimisation. Those measures may include pseudonymisation provided that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by further processing which does not permit or no longer permits the identification of data subjects, those purposes shall be fulfilled in that manner | General Data Protection Regulation, Article 89.
In practice, this means that Principle II. and V. are less strict. Further processing of research data for the following purposes shall not be considered to be incompatible with the initial purposes (even when this purpose wasn't mentioned earlier):
Also, personal data may be stored for longer periods for such purposes. In all cases, appropriate technical and organisational measures should be taken to safeguard the rights and freedoms of the participants in your study.