On 25 May 2018, the EU General Data Protection Regulation (GDPR) took full effect in law. Its impact on organizations around the world is both immediate and immense. After briefly outlining the nature of data protection law in Europe and the key changes in data protection law under the GDPR, I offer a basis on which to assess the GDPR’s treatment of: 1) territorial scope; 2) personal data; 3) conditions for processing “special categories” of personal data, including “genetic data” and “data concerning health”; 4) legal bases for processing personal data, including the role of consent in the research context; 5) processing sensitive data and processing data for scientific research purposes, including derogations from data subject rights afforded under the GDPR when personal data are processed for scientific research purposes; and lastly, 6) two other important considerations, namely the ability to re-use previously collected personal data for research purposes (i.e. secondary use), and international data transfers. This article stresses that the GDPR undeniably represents an improvement over the predecessor legislation – the 1995 EU Data Protection Directive – as it provides both greater regulatory certainty and flexibility for scientific research. At the same time, it remains to be seen whether the new rules will be implemented across Europe in a harmonized way that delivers the clarity and certainty they promise, for researchers and research participants alike. It also remains to be seen whether the new law contributes to fostering cross-European and international trust in organizations that make use of personal data. The GDPR provides a disconcerting degree of latitude for national and EU-level specification in several areas, including scientific research. There is thus a potential for national divergence and regulatory fragmentation, undermining the very purpose of an EU Regulation.
Further steps are therefore needed to guide researchers and support staff; improve regulatory harmonization; address a culture of caution relating to regulatory compliance; and enhance responsible data sharing for the purpose of facilitating progress in scientific research and medical discovery. In addition to providing an overview of the GDPR as it relates to health research for the uninitiated, this article also offers a modest way through some of these sticking points.