The GDPR entered my professional life in several ways: As a supervisor of BA, MA and PhD students who had questions about privacy in ethnographic research; as the PI of an ERC Consolidator Project that had to comply with the ERC’s ethics requirements; and as former chair of the Ethics Review Committee Social Sciences at my faculty. Among committee members, researchers, privacy officers, and other professionals we had many valuable conversations about the GDPR. Many complex issues came up, but let me limit myself to three common misunderstandings and also share a concern I have.

Assumption 1: Informed consent needs to be given in writing

No. Research participants need to freely and unambiguously give consent to the researcher. This can be in writing, but the GDPR does not require that. The GDPR explicitly states that the research participants' approval (the GDPR uses the term data subject) can be oral: ‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.’ It can, for example, be ethically compromising to ask functionally illiterate respondents for a signature.

A question that often comes up is: ‘If there is no signed form, how can one prove that one received informed consent?’ Without a signed document, researchers might risk being accused of collecting data without informed consent. This is surely an issue to consider, but this is a risk that the researcher (and, by extension, the university) must deal with.

However, dealing with this concern for (legal) repercussions into a bureaucratic procedure by only allowing informed consent in writing is a misreading of the GDPR. Much better is to creatively find other ways of making it at least plausible that informed consent has been given. That can be with a voice recording, by noting it down in a way that clarifies the context of the study, and I am sure there are also other solutions. This requires creativity from the side of the researcher and sufficient space in the university’s procedures to acknowledge this. Requiring that all researchers use an informed consent form does, however, not do justice to the GDPR and can be unethical as that might harm research participants.

Assumption 2: The GDPR requires informed consent for doing research

No. The GDPR is only about processing personal data, not for doing research. Let us look at a hypothetical case to clarify this. Imagine, a researcher wants to do research without asking anyone for consent and maybe even without clarifying his or her role. The researcher can do that according to the GDPR as long as the research does not involve the processing of personal data. Informed consent is only needed when the researcher collects personal data. For the GDPR, this is defined as data that can be traced back to the individual, the data subject.

When the researcher does not collect data (no notes, no recording) no informed consent is required, at least according to the GDPR. When the researcher collects data but the data cannot be connected to the ‘data subject’, then this is not (sensitive) personal data. If no (sensitive) personal data is collected, for example, because notes are anonymous, the GDPR does not require informed consent.

I find it useful to distinguish GDPR requirements from ethics within social sciences. Research ethics are much broader than the GDPR and confront researchers with complex dilemmas and conflicts about interests and norms that deeply affect research practices. Transparency, honesty, and considering the interests of people and communities we study are integral to teaching, see ‘Ethics and Integrity in Academic Work’, for an excellent example.

How to ask people and communities for permission for research is also part of ethics guidelines and protocols. But this is separate from the GDPR. Keeping GDPR requirements separate from research ethics – while acknowledging that this separation is only possible at an analytical level – enables researchers to much better and more suitable ways of integrating the GDPR in research practices. The GDPR only applies to processing (sensitive) personal data, meaning data that can be traced back to the individual or ‘data subject’.

Assumption 3: Informed consent is having a box ticked

No, the GDPR unambiguously states: ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent.’ Pre-ticked boxes are sometimes part of websites or other forms of online research and are not allowed. The reason why I point this out is that this very clearly shows how the GDPR is about a real and lived process, not simply undergoing a bureaucratic procedure. The GDPR text points out very clearly that ticking the boxes is not the same as having informed consent.

Finally, a concern about criminalizing research

Laws are subject to interpretation and sometimes conflict with one another. This requires complex judgement calls, which this international research team encountered first-hand in their attempt to do covert research among politicians. Laws, including the GDPR, create uncertainty among researchers and their universities. An understandable response to this uncertainty is to be ‘on the safe side’ and set up strict bureaucratic rules and procedures.

There is a risk of regulatory overreach when imposing restrictions that go beyond what the GDPR requires. Regulatory overreach is especially problematic when researchers critically examine companies, institutions, or other powerful actors. It creates insecurity among researchers and does not acknowledge the limited scope of the GDPR. It promotes an audit culture that restricts academic freedoms and do not anymore reflect the nuances of the GDPR.

Such a distortion of the GDPR risks criminalizing lawful and ethical research practices and can induce fear and self-censorship within academic communities. It is essential to push back against regulatory overreach, to acknowledge the intrinsic value of curiosity in society, and to affirm the vital role of critical scholarship in challenging power structures. The GDPR does not – and should not – serve as a pretext for suppressing these pursuits.