Skip to content

Putting the GDPR into Practice: Difficulties and Uncertainties Experienced in the Conduct of Big Data Health Research

Birgit Wouters, David Shaw, Chang Sun, Lianne Ippel, Johan van Soest, Bob van den Berg, Ole Mussmann, Annemarie Koster, Carla van der Kallen, Claudia van Oppen, Andre Dekker, Michel Dumontier, David Townend


The potential of big data in health research is dependent upon the ability to collect, reuse, link, and analyse those datasets. The EU General Data Protection Regulation 2016/679 presents big data health research with several difficulties and uncertainties. In this Article we analyze the impact of five elements of the GDPR on big data health research: (1) the distinction made between non-special versus special categories of data; (2) informed consent and its relation to secondary processing of data; (3) the use of the national identification number; (4) the principle of data minimization; and, (5) the principle of storage limitation. We argue that, while the GDPR relaxes its multiple restrictions in the case of scientific research, (1) the GDPR continues to leave too much discretionary power to the Member States, thereby undermining the goal of harmonization; and that (2) the GDPR does not adequately address the challenges brought by the emergence of big data and artificial intelligence used in health research. To conclude, we will advocate for a GDPR Article 40 code of conduct for scientific research to mitigate the issues arising from the GDPR.
Keywords: GDPR | Big Data | Health Research | Data Protection | Privacy | Confidentiality

Corresponding author, Birgit Wouters: <>


Lx-Number Search

(e.g. A | 000123 | 01)

Export Citation