processing sensitive data and processing data for scientific research purposes, including derogations from data subject rights afforded under the GDPR when personal data are processed for scientific research purposes; and lastly, 6) two other important considerations, namely the ability to re-use previously collected personal data for research purposes (i.e. secondary use), and international data transfers.

This article stresses that the GDPR undeniably represents an improvement from the predecessor legislation, the 1995 EU Data Protection Directive,[5] as it provides both greater regulatory certainty and flexibility for scientific research. At the same time, it remains to be seen whether the new rules will be implemented across Europe in a harmonized way that delivers the clarity and certainty it promises, for researchers and research participants alike. It also remains to be seen whether the new law contributes to fostering cross-European and international trust in organizations that make use of personal data.

The GDPR provides a disconcerting degree of latitude for national and EU-level specification in several areas, including scientific research. Because of the many areas where EU Member States "shall" and "may" carve out exceptions within the articles of the Regulation, Member States may pass national GDPR implementation laws (examples include the still-EU Member State United Kingdom, which has passed and implemented its Data Protection Act 2018, replacing the Data Protection Act 1998).[6] There is thus a potential for national divergence and regulatory fragmentation, undermining the very purpose of an EU Regulation, as I explain below. Further steps are therefore needed to guide researchers and support staff; improve regulatory harmonization; address a culture of caution relating to regulatory compliance; and enhance responsible data sharing for the purpose of facilitating progress in scientific research and medical discovery.
This article, in addition to providing an overview of the GDPR for the uninitiated as it relates to health research, also offers a modest way through some of these sticking points.

Brief history and nature of data protection law in Europe

The European context

Data protection law has a long history in Europe, and the continent's political and cultural contexts, such as secret police surveillance in East Germany, help explain a long tradition of citizens and governments alike seeking to craft a status of non-interference in individuals' private lives; indeed, the first modern data protection laws in the world were passed in the early 1970s in Germany (Hesse Data Protection Act in 1970) and Sweden (Data Act in 1973). Unlike in countries such as the US or Canada, where the starting presumption in law is that processing personal data is lawful unless it is expressly forbidden, in Europe, processing personal data is prohibited unless there is a lawful basis that permits it. Moreover, data protection law in Europe is "omnibus," which is to say that, subject to a few exceptions such as personal d...