On the 25th of May 2018, the EU GDPR came into effect, setting out rules for the protection of personal data. This chapter introduces principles and practices related to data protection, including privacy and informed consent, based on the European legal framework of the GDPR as applied by WOREL in Belgium. Outside Europe, other regulations that are not covered in this chapter apply. Although the GDPR reflects standards from one regulatory setting, the guidance provided here is intended for use by individuals and organisations working across different countries and systems, particularly in the context of PPI in guideline development.

Projects with PPI often need to collect and process personal or health-related information from individuals with lived experience. The GDPR also includes the principle of accountability, meaning organisations must be able to demonstrate that appropriate data protection measures are in place. Regardless of where the project takes place, this information must be handled responsibly and ethically.

Data protection and privacy

Under the EU GDPR (Regulation (EU) 2016/679), all professionals and organisations working in a structured manner with personal information must demonstrate that adequate measures are in place to protect that data. Data protection is a specific way of safeguarding the broader right to privacy, particularly when personal data is collected or processed. So, this right should also be respected for all patients and public members who contribute to the guideline development process.

Data protection applies whenever personal data is collected, stored, or processed during PPI in guideline development. Data protection is needed when that data can be used to directly or indirectly identify an individual, and its application should always be adapted to the specific organisational or national context. For data protection principles relevant to guideline development activities, see the section on examples of guideline development activities in which data protection principles, including informed consent, apply.

The GDPR provides individuals with the following rights:

  • The right to be informed about how one’s personal data is collected, used, shared and stored.
  • The right to access one’s own personal data.
  • The right to correct one’s data.
  • The right to restrict the processing of one’s data.
  • The right to withdraw consent or object to processing. Individuals may withdraw consent (or object where another lawful basis is used), which stops any further collection or use of their identifiable data. Data that have already been fully anonymised are no longer personal data and so may continue to be used.
  • The right to object to automated decision-making and profiling.

These rights should be explained to the patient and public member before they start their involvement opportunity. An informed consent form with information on how these rights will be protected should be provided if the involvement opportunity is part of a research project. If the project is being done outside a research context, the guideline developers should provide a patient information sheet with such information. Explain that if a person feels that their data has been used incorrectly, they may file a complaint with the supervisory authority.

Data protection and informed consent

Data protection is an ethical cornerstone and a quality-enhancing practice for PPI in guideline development. It respects the autonomy of individuals by allowing them to make fully informed decisions about their participation (Narkhede et al. 2025). When involving patients and the public, obtaining informed consent strengthens the legitimacy and acceptance of the final product among the broader healthcare community (Nwebonyi et al. 2022). Transparent communication about the objectives, methodology or involvement opportunity, and use of their contributions fosters trust and prevents any sense of exploitation, particularly among vulnerable groups.

Patients and public members involved in guideline development groups are often invited to share deeply personal and sometimes distressing experiences, whether through testimonies, interviews, surveys, focus groups, or as members of guideline committees. These contributions may involve highly sensitive topics such as illness, treatment burdens, emotional distress, or impacts on relationships and dignity. Other personal characteristics such as gender, sexual orientation, disability, ethnicity or religion may also be shared. Patient and public members of guideline development groups might have their names included in guideline documents published online in a public domain. Without clear assurances about how their information will be handled, stored, and shared, participants may feel exposed or uncertain about speaking openly.

Strong data protection practices, including clarity about consent, confidentiality, and the possibility to withdraw contributions, help create psychological safety. When participants understand their rights and trust that their information will be treated with care, they are more likely to share openly and meaningfully.

Granting informed consent empowers participants by formally recognising their lived experience as a form of expertise. This shifts their role from passive informants to active partners in co-creation and fosters a sense of equality that is vital for genuine collaboration. (Narkhede et al. 2025; Sugino 2024; Xu et al. 2020.)

Beyond its ethical importance, informed consent also significantly improves the quality of the guidelines themselves. When contributors feel safe, respected and valued, they are more likely to share honest and meaningful experiences (Nwebonyi et al. 2022). In turn, we can assume that the final guidelines are more likely to be aligned with real-world needs.

Finally, incorporating informed consent reflects professional standards in guideline development, providing structure and clarity to working groups and aligning with widely accepted ethical principles. This emphasises that all knowledge creation, regardless of format, deserves respect and integrity. See the example Informed Consent Form used by WOREL in Resource 1.

Special considerations apply when guideline developers involve vulnerable groups, such as children and young people, people with severe mental health conditions, or people with learning disabilities. Developers will need to consult their local laws and legislation, for example, on mental capacity and Gillick competence.