New European privacy regulation: Assessing the impact for digital medicine innovations

The use of smartphone based data streams in relation to mental health research is steadily gaining traction in the field [1]. This approach, also known as digital phenotyping, yields continuous behavioural data which shows promise in uncovering new perspectives on human behaviour [2]. However, calls have recently been addressing the need for increased awareness regarding the privacy of the participants [3]. These concerns coincide with the new European General Data Protection Regulation (GDPR) that came into effect 25 May 2018 [4]. In most cases, the GDPR will fundamentally impact how research should go about handling highly sensitive (medical) data, since the GDPR comes with some new responsibilities and obligations for both controllers1 and processors2. One of these obligations requires organisations to carry out a Data Protection Impact Assessment (DPIA). This article will assess the impact of such a DPIA on research in practice.