Clifford Chance
Healthcare and life sciences

From consent to control: How EDPB draft guidelines reshape scientific research under GDPR

The EDPB draft guidelines on personal data in scientific research signal stricter expectations for consent, safeguards and governance under the General Data Protection Regulation.

As data-driven innovation accelerates, scientific research has become an increasingly strategic concept in General Data Protection Regulation (GDPR) compliance. Organisations increasingly invoke the research regime to unlock flexibility around data reuse, storage limitation and consent, particularly in areas such as AI model development, real-world evidence and longitudinal analytics.

The European Data Protection Board (EDPB) notes that technological developments, especially artificial intelligence, enable personal data to be analysed at unprecedented scale while heightening risks to individuals’ fundamental rights. Against this backdrop, it has issued Guidelines 1/2026 on processing personal data for scientific research, open for consultation until 25 June 2026.

While the draft does not change the law, it provides a strong indication of how supervisory authorities are likely to interpret and enforce existing rules by tightening the conditions under which GDPR research flexibilities apply. For healthcare and life sciences organisations, the message is clear: compliance is shifting from formalistic, point-in-time assessments towards embedded, programme-level governance.

Key changes

1. Research status will be tested, not assumed

The EDPB emphasises that only genuinely scientific research benefits from the GDPR’s research‑specific rules. The EDPB sets out six “key‑indicative factors”, which operate as a gatekeeping framework. These are:

•  methodological rigour
•  adherence to ethical standards
•  verifiability and transparency of results and research conduct
•  conduct of research activities autonomously and independently
•  objectives of the research, including contribution to society’s general knowledge and wellbeing (even where this also includes furthering commercial interests)
•  potential for research to contribute to existing scientific knowledge or to apply existing knowledge in novel ways.

For clinical trials and investigations, most of these criteria should generally be met as a result of regulatory constraints. For instance, clinical trials must have research objectives, must be conducted by a team of independent researchers, must be based on research plans and protocols which are reviewed by ethical committees and must follow a methodical approach, which is expected to generate new scientific knowledge.

Where these factors are not met, controllers must be able to substantiate, on a documented basis, why activities still qualify as scientific research.

2. Data reuse becomes easier, but not automatic

Further processing for scientific research is presumed compatible with the original purpose, facilitating data reuse. However, controllers must still establish lawfulness, identify an appropriate legal basis and apply Article 89 GDPR safeguards. Reuse benefits from facilitation, not exemption.

On top of the EDPB guidelines, the European Health Data Space (EHDS) will further facilitate the reuse of health data for research purposes, but subject to strict conditions (e.g., prior authorization by Health Data Access Bodies, data governance, opt-out option and data security rules).

3. Safeguards become the core control

Anonymisation and pseudonymisation are framed as default approaches, with direct identification permitted only where strictly necessary and proportionate. Safeguards are no longer merely mitigation measures but a precondition for benefiting from research-related flexibility.

Key practical takeaways

1. Consent must be designed, not merely obtained

Broad and dynamic consent models are recognised, but consent to "research in general" is insufficient without defined research areas and safeguards.

2. Broad consent creates ongoing obligations

Where broad consent is relied upon, controllers must, on an ongoing basis, assess whether projects remain within data subjects’ reasonable expectations as research evolves. If not, dynamic consent or a different legal basis is required.

Static consent models for evolving research programmes are therefore likely to come under supervisory pressure.

3. Transparency is expected to operate over time

The Guidelines emphasise ongoing transparency through mechanisms such as dedicated webpages, participant portals, layered notices, updates, contact points or similar tools that allow participants to stay informed.

In practice, transparency operates as a compensating control for reduced specificity at the point of data collection.

4. Consent is not always the safest legal basis

The EDPB reiterates, especially for medical research involving patients, that consent may be inappropriate where there is imbalance, vulnerability, or where withdrawal would undermine the research itself. At the same time, it confirms that scientific research (including commercially funded research) can rely on legitimate interests as a legal basis, provided robust safeguards are in place.

For health data specifically, the EDPB confirms that reliance on legitimate interests under Article 6(1)(f) GDPR must be paired with an Article 9(2) derogation, and expressly identifies Article 53(1)(e) of the European Health Data Space Regulation as such a derogation under Article 9(2)(j) GDPR.

For healthcare and life sciences research in particular, the draft Guidelines also emphasise the need to distinguish between consent to participate in a scientific study (typically required under ethical or regulatory frameworks such as the Clinical Trials Regulation) and consent as a legal basis for the processing of personal data under the GDPR. The two serve different functions and are not interchangeable.

The interpretations offered by the draft Guidelines encourage organisations to treat legal basis selection as a strategic decision, not a default.

5. Governance will come under scrutiny

The draft Guidelines place governance at the core of compliance, spanning risk analysis, consent design, safeguard selection, transparency mechanisms and role allocation in multi‑party research. Supervisory authorities are likely to assess these elements as an integrated framework, rather than in isolation.

What to do next: likely practical outcomes

While the Guidelines remain under consultation, they already signal the direction of supervisory expectations and the practical changes for which organisations should prepare.

Five likely outcomes stand out:

1. Greater scrutiny of research classification

Controllers will be expected to demonstrate why a project qualifies as scientific research, rather than relying on the label alone.

2. Reduced tolerance for open‑ended consent

Consent framed vaguely around “future research” will be insufficient without clearly defined research areas and supporting governance.

3. Expectation of structured consent models

Programmes combining broad and dynamic consent are likely to be viewed more favourably than static, one-off approaches.

4. Transparency assessed as a control mechanism

Where consent is broad, ongoing transparency will operate as a key compensating control, enabling individuals to remain informed as research evolves.

5. Safeguards treated as baseline conditions

Anonymisation, pseudonymisation, secure research environments and access controls will be treated as prerequisites for benefiting from research‑related flexibility.

Conclusion

Even in their draft form, the Guidelines mark a shift towards more disciplined, evidence-based research governance. Their significance lies in the move toward harmonised standards and more consistent enforcement across the EU. Organisations that transition from fragmented compliance measures to integrated, programme-level operating models will be better positioned as data-intensive and AI-enabled research continues to expand. The practical priority for healthcare and life sciences organisations is to begin that transition now, before supervisory expectations crystallise into enforcement.
 
