The EU General Data Protection Regulation is the most important change in data privacy regulation in 20 years.
The European Union (EU) General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulations can be enforced from May 25, 2018, at which time any organization which does not comply may face heavy fines. The GDPR (Regulation (EU) 2016/679) replaces the Data Protection Directive 95/46/EC. It is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. [1]
Certain key changes fall under different categories (see the GDPR key changes web page for further clarification [2]), but in summary it covers:
- Increased Territorial Scope (extra-territorial applicability)
- Significant Penalties
- Data Subject Rights
  - Prior Consent
  - Transparent plain language
  - Breach Notification
  - Right to Access
  - Right of Correction
  - Right of Restriction
  - Right to Object
  - Right to be Forgotten
  - Data Portability
- Privacy by Design
- Data Impact Assessments
- New Data Protection Officers
The aim of the GDPR is to standardize and strengthen the protection of personal data across the EU, and of other countries' data being "processed" within the EU. As such, this is an issue for all to take note of, not just those based in Europe. Under the new regulations, all company processing of the personal data of subjects residing in the Union must comply, regardless of the company's other global locations.
How will it impact the clinical trials industry?
The increasing use of the internet, electronic records, and the advancement of clinical trial technologies enabling the collection and use of data, has no doubt played a part in the need for new regulations. Big data is becoming increasingly important in clinical research, which also poses new challenges for data security and privacy.
Clinical trial data is considered a "special" data category whereby processing is necessary for scientific or research purposes. The data subject gives their explicit consent for the collection of these categories of data. [3] When a volunteer, patient, or subject signs the informed consent, it will clearly state what data is being collected and why. This special data category negates the subject's right to erasure or portability. This makes sense, as clinical data cannot be removed from the dataset without an audit trail, and removing it would change the statistical outcome of the trial. Subjects can only leave a trial to prevent additional data collection.
The GDPR aims to strengthen the rights of individuals to be better informed about how their data is to be used, and sets out clearer responsibilities and obligations for healthcare professionals and companies using such data. Transparency, security, and the accountability of Data Controllers are paramount. Clinical trial providers must identify the data that is being processed, where it is transferred to, who processes it, what it is used for, and any risks and processes, and must ensure all employees are trained.
Many of the responsibilities and obligations defined by the GDPR are not new for companies in the Clinical Research sector, including that of consent. Within the GDPR, the conditions for consent have been strengthened; most notably, any request for consent must be given in a clear, intelligible, and easily accessible form, with the purpose for data processing attached to that consent. Consent must be distinguishable from other matters and use plain language. It must be as easy to withdraw consent as it is to give it. The clinical trial world already lives and breathes by informed consent. Going forward, however, clinical trial organizations must ensure that any informed consent document clearly states the intended logistics of any data collected.
Operational Change
For clinical trial providers, the new regulations cover not only those participating in clinical trials, but also employees, customers, and subcontractors. A clinical trial provider is a processor from a customer perspective, but also a controller of data in terms of personnel, sales, and sub-contractors. As a consequence, clinical trial companies have obligations to make sure that rules are in place and followed.
For clinical trial operators, data impact assessments will be crucial, for both electronic and hard copy data. Comparable to risk assessments for a data stream, an assessment should cover what the data is used for, how it is managed, and what action is needed. There is also a defined role within the GDPR called the Data Protection Officer: a named person within the organization, registered with the data protection authorities in specific territories. This individual acts as the interface between external organizations and the company, and would be involved if there are any data breaches.
Another crucial part of the GDPR for clinical trials is the distinction between pseudonymization and anonymization. The GDPR defines pseudonymization as "the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information." Therefore, any pseudonymized data that could still be attributed to a trial participant using other information will be considered personal data. The two terms should be distinguished in trial protocols, as only the anonymization of data will ensure that the data is no longer considered to be personal data. [4]
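The following is an added illustration, not code from the article or from CRF Health, of the distinction the GDPR definition draws. It pseudonymizes a small constructed dataset by replacing names with keyed tokens, shows that the key and lookup table (the "additional information") re-attribute every row, shows that even without them a unique date of birth and postcode combination still singles a participant out, and then generalizes those fields so that no row can be attributed to an individual. The HMAC-SHA256 tokens, the choice of quasi-identifiers and the k=2 threshold are assumptions made for the example.

```python
"""Pseudonymization vs. anonymization on a constructed trial dataset.

Added example; not the article's or CRF Health's code.
"""
import hmac
import hashlib
import re
from collections import Counter

# Constructed, fictional participants (no real data).
RECORDS = [
    {"name": "Alice Example", "dob": "1975-03-14", "postcode": "SW1A 1AA", "outcome": "responder"},
    {"name": "Bob Example",   "dob": "1975-11-02", "postcode": "SW1A 2BB", "outcome": "non-responder"},
    {"name": "Cara Example",  "dob": "1981-06-30", "postcode": "M1 4CC",   "outcome": "responder"},
    {"name": "Dan Example",   "dob": "1982-01-09", "postcode": "M2 5DD",   "outcome": "responder"},
]

# Assumed quasi-identifiers: fields that are not names but can still be linked
# to an external source to identify a person.
QUASI_IDENTIFIERS = ("dob", "postcode")


def pseudonymise(records, key):
    """Replace the direct identifier (name) with a keyed token.

    The key and the token->name lookup are the 'additional information' in the
    GDPR definition: whoever holds them can re-attribute the rows, so the
    output is still personal data. Token scheme (assumed): HMAC-SHA256
    truncated to 16 hex characters.
    """
    lookup = {}
    rows = []
    for rec in records:
        token = hmac.new(key, rec["name"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = rec["name"]
        rows.append({"subject_id": token, **{k: v for k, v in rec.items() if k != "name"}})
    return rows, lookup


def reidentify(rows, lookup):
    """Re-attribute each token to a name using the separately held lookup table."""
    return {row["subject_id"]: lookup[row["subject_id"]] for row in rows}


def singled_out(rows, fields=QUASI_IDENTIFIERS):
    """Return subject_ids whose quasi-identifier combination is unique.

    These rows remain attributable (and therefore personal data) even without
    the lookup table, because a unique combination can be matched against any
    other dataset holding the same fields.
    """
    combos = Counter(tuple(r[f] for f in fields) for r in rows)
    return [r["subject_id"] for r in rows if combos[tuple(r[f] for f in fields)] == 1]


def anonymise(rows, k=2):
    """Generalise quasi-identifiers and drop the token.

    Date of birth becomes a decade band, postcode becomes its letter-only area.
    Any row whose generalised combination still occurs fewer than k times is
    suppressed (k-anonymity style), so no remaining row is attributable to a
    single participant even with the controller's additional information.
    """
    def generalise(r):
        return {
            "birth_year_band": r["dob"][:3] + "0s",                       # 1975 -> 1970s
            "postcode_area": re.match(r"[A-Z]+", r["postcode"]).group(),  # SW1A 1AA -> SW
            "outcome": r["outcome"],
        }
    generalised = [generalise(r) for r in rows]
    combos = Counter((r["birth_year_band"], r["postcode_area"]) for r in generalised)
    return [r for r in generalised if combos[(r["birth_year_band"], r["postcode_area"])] >= k]


if __name__ == "__main__":
    key = b"constructed-example-key"  # held by the controller, separate from the data
    rows, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised rows still single out:", len(singled_out(rows)), "of", len(rows))
    print("with lookup table, names recovered:", reidentify(rows, lookup))
    print("anonymised rows:", anonymise(rows))
```

The design point for a trial protocol is that the pseudonymised table on its own does not satisfy the definition: every row is still singled out by its date of birth and postcode, and the sponsor or CRO holding the key can re-attribute it directly. Only the generalised table, with the token removed and each combination shared by at least k participants, is data the GDPR no longer treats as personal.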
Time to Act
There will be no transitional period: now is the time for pharmaceutical companies and CROs to ensure that future clinical trials are compliant and to avoid any requirement to make retrospective amendments to consent forms and other clinical trial documentation. Companies need to ensure that their internal policies are aligned with the regulations defined in the GDPR and have a plan ready. Only a small percentage of companies are ready for the GDPR. With significant penalties for non-compliance, let alone the cost and impact on trial progress, it is essential to identify trusted partners to ensure clinical trials are executed to the latest regulatory standards and the highest quality.
References
[2] https://www.eugdpr.org/key-changes.html
Greg Gogates is the VP of Quality and Regulatory at CRF Health (https://www.crfhealth.com/GDPR)