As researchers, we gather information from people through observation and by interviewing them about personal, often sensitive, issues. During this process, we collect ‘personal data’ which makes a person potentially, directly or indirectly, identifiable. Personal data includes:

  • Name
  • Date of birth
  • Identification number
  • Telephone number
  • Location data
  • Special characteristics which express the physical, physiological, genetic, mental, commercial, cultural or social identity of a person. (For more information see: Link)

Every person has the right to privacy and anonymity by law. As researchers, we therefore have to ensure the data protection of all our study participants. How we do this is set out in the Data Protection Act 2018 (DPA) and the General Data Protection Regulation (GDPR). The regulation has been created by the European Union and adapted for the UK context. GDPR consists of eight key principles:

  1. Lawfulness, Fairness, and Transparency – You must tell the participant through privacy notices, consent and contracts who is working with their data and what is being done with it.
  2. Purpose Limitation – You can only use the data for the purpose for which it was collected.
  3. Data Minimisation – Researchers must only collect and use data that is needed for the research being undertaken.
  4. Accuracy – You must keep data up-to-date and accurately. Any inaccuracies should be fixed.
  5. Retention – You should only keep data for as long as it is required to finish the research. It is the responsibility of the researcher to delete all data relating to their project in line with the retention schedule.
  6. Safe and Secure – You must implement measures to protect against security breaches or the unlawful processing of personal data.
  7. Accountability – You must keep a record of how any data is processed. It is important that the researcher considers why and how the data was originally collected, as well as the data’s security.
  8. Subject Rights – Researchers must give participants a copy of their data when requested, and uphold their rights and freedoms under GDPR.

(Author: Hanna Kienzler  & Bwalya Mulenga)

What is it?


The Data Protection Act and GDPR by the UK Data Service.

This website gives an overview of what The Data Protection Act and GDPR cover. It also contains information about principles of processing personal data; the legal basis for processing personal data; consent; rights of the data subjects; the UK GDPR and sharing data; and further definitions.

(Academic reference: UK Data Service. (n.d.). The Data Protection Act and GDPR. 

Guide to the UK General Data Protection Regulation (UK GDPR) by Information Commissioner’s Office.

This website is a guide to data protection and explains how it applies to UK businesses and organisations. It covers both GDPR and the Data Protection Act 2018. It also contains a guide to law enforcement processing; a guide to intelligence services processing; and information on key data protection themes.

(Academic reference: Information Commissioner’s Office. (n.d.). Guide to the UK General Data Protection Regulation (UK GDPR). 

GDPR and research – an overview for researchers by UK Research and Innovation (UKRI).

This website provides GDPR guidance and links to further sources of information.

(Academic reference: UK Research and Innovation. (2020). GDPR and research – an overview for researchers. 


For privacy reasons YouTube needs your permission to be loaded. For more details, please see our Privacy Policy.
I Accept

What is the GDPR? | A summary of the EU GDPR by It Governance Ltd.

This video gives a short introduction about what GDPR is, what it means for people involved in research, and what you as a researcher need to do to ensure data protection.

(Academic reference: It Governance Ltd. (2018). What is the GDPR? A summary of the EU GDPR.

How is it done?


A step-by-step guide to helping researchers comply with the requirements of the UK GDPR by UK Data Service.

This report is a step-by-step guide to helping researchers comply with requirements of the UK GDPR. It focuses on data collection, data storage, data access, processing of data and more.

(Academic reference: UK Data Service. (2021). A step-by-step guide to helping researchers comply with the requirements of the UK GDPR. Essex: University of Essex.)

Method in action

Coming Soon