The ICO exists to empower you through information.

This guidance discusses the research provisions in the UK GDPR and the DPA 2018 in detail. It is aimed at DPOs and those with specific data protection responsibilities in organisations undertaking research, archiving or processing for statistical purposes.

It provides guidance on how these provisions work and sets out our understanding of the provisions’ key terms.

It explains how the provisions relate to the data protection principles and grounds for processing. It also details the exemptions set out in the provisions. It summarises the key points you need to know and answers frequently asked questions.

In places, the guidance provides examples to illustrate how a specific provision might apply. These are not fully-worked case studies and do not address every aspect of regulatory compliance that organisations are subject to.

Many research projects are very complex, involving multiple organisations often in different countries. It is likely that you are subject to a range of regulatory requirements, depending on your sector and your type of research-related activity. This guidance does not cover all of these issues.

This guidance focusses specifically on the use of the research provisions. We are not presenting this guidance as a comprehensive guide to data protection compliance for researchers. You should therefore read this guidance in conjunction with other ICO guidance, as well as sectoral guidance if available.

For broader guidance on data protection compliance, see our Guide to Data Protection.

Further reading - responses to the ICO's consultation

In February 2022, we launched a public consultation on the draft detailed guidance on the research provisions in the UK GDPR and the DPA 2018. You can read a summary of responses to the consultation and the ICO's comments here.


About this guidance on the research provisions 

What is research-related processing?

Principles and grounds for processing 


What are the appropriate safeguards?