Clinical trial subjects will have new privacy rights with the implementation of the EU’s upcoming data privacy regulation—GDPR. In general, the fact that life sciences companies are heavily regulated may, in some ways, create an advantage for preparations as they are responsible for complying with GxP, ANNEX 11, ISO, 21 CFR Part 11, and other such regulations, as well as enforcing operational standards via SOPs and quality management. However, life sciences companies are far from off-the-hook and should not take their preparedness for granted.
A Brief Overview of GDPR
In April 2016, the European Parliament approved the EU General Data Protection Regulation (GDPR) with a commencement date of May 25, 2018. This regulation will replace the Data Protection Directive 95/46/EC with the stated aim to “harmonize data privacy laws across the EU.” This is an effort to better protect the personal data of individuals within the EU and set a precedent for data privacy and security. The regulation provides policy around any data that can be used to directly or indirectly identify a person, such as their name, photos, email addresses, bank details, posts on social networking websites, medical information, or a computer IP address.
This new regulation has two primary focuses:
Protect and empower individuals with regard to data privacy; and
Reshape how organizations approach data privacy.
US life science companies will need to manage the reality that GDPR applies to their use of personal information that originated in the EU. The quantity and detail of personal data (like individual biometric readings, information about health history or current health, etc.) collected during a clinical trial makes it particularly important that companies prepare to comply. While these regulations originate in the EU, companies outside of the EU engaging in global business must prepare as the regulation “applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.” US companies who do business with EU residents will be directly subject to the GDPR, as their customers—be that research collaborators or contractors—exist under the protections of GDPR. These collaborators and contractors, such as CROs running clinical studies, are required to seek contractual commitments to help them achieve compliance with the GDPR.iv
The new regulation specifies several rights for data subjects as well as obligations for those handling personal data:
Intelligible Consent – This regulation set the expectation that it should be easy to understand how one’s data is collected, processed, retained, distributed, and destroyed, and that tricky legalese should pose no barrier to that understanding. In other words, agreements should be in plain language.
Right to Access – Another new expectation is the right to know if, where, and why data is being processed and the ability to request a copy of that information, free of charge.
Data Erasure “Right to be Forgotten” – At the height of Facebook’s troubles, this became particularly relevant. GDPR gives users the right to demand their data be completely eliminated from a system and that any usage and dissemination of data cease.
Data Portability – This sets the expectation that data a user has provided can be requested back and/or easily transferred to another organization (potentially a competing business).
Privacy by Design – GDPR impacts the way new systems are considered. Companies will be required to put in place appropriate technical and organizational measures to protect personal data. Furthermore, they must institutionally practice minimally necessary collection of data and limited data access.
Breach Notification – This may seem straight forward, but as we have seen, companies have not always historically provided reasonable notice of data breaches. The new regulation requires breach notification within 72 hours of determining that personal data may have been put at risk.
While the primary focuses of the regulation are important, it is equally important to understand who bears responsibility under GDPR. Organizations handling personal data must first understand their role in data management as defined by GDPR. There are two specific roles defined in the regulation (hint: sponsors will bear the ultimate weight of responsibility for Clinical Trial Subject Data):
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
The possible costs of non-compliance are significant: “Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million." This is what has been set as a maximum for worst cases of non-compliance, but the point stands that businesses are subject to losing a lot for not accommodating GDPR.
New Considerations for Sponsors
If your business operations put you in the seat of the controller, you are considered specifically liable for the handling of consumer data. Processors bear responsibility as well, but controllers have the lion’s share. As a user, if I no longer wish for a company to have my data, I would contact the controller (the sponsor). The controller is then responsible for making sure any processors that they work with cease the processing of my data and remove it from their servers.
As controllers, sponsors will need to be prepared to deal with these new subject rights. Specifically, the additional rights to “data erasure” and “data portability.”There are two specific implications to these regulatory changes:
Sponsors will need to be prepared to erase subject data upon request by the subject. There is complexity with navigating these requests as legacy systems and processes may not easily accommodate the precise location and removal of one person’s data.
Sponsors will need to be able to provide subjects with their data upon request in a common format. It is yet to be seen the impact of such requests on operations.
Compliance also becomes more dynamic as sponsors can appoint joint controllers, and CROs and investigators are liable as processors.
However, the bright side is that life sciences companies are likely compliant with GDPR expectations (at least to some extent). As Al-Karim Makhani (Vice President, Consulting & Information Governance at TransPerfect Legal) pointed out in a recent post, “A sensible approach to managing data is something many organizations have taken seriously for a long time. Whether or not they know it, hardly anyone is starting from the bottom.” In the same post, you can find six steps to a “a sensible, organic approach to GDPR” that takes advantage of your current systems and practices—rather than panicking and attempting to reinvent the wheel.
One such “sensible” practice that many life sciences companies tend to practice is privacy by design. This very practice helped with our ability to prepare for GDPR.
Privacy By Design
Many businesses function as both controllers and processors. At TransPerfect, we are considered processors for most of our products and services, including Life Sciences’ Trial Interactive e-clinical platform. We are proud to be aligned with these new regulations. After completing a full compliance assessment of our business practices and systems to identify any additional necessary safeguards, procedures, or improvements, we found that we required minimal technology updates to comply with GDPR. As a company, we had already established “privacy by design” principles, including limited collection and access, which was important for our ability to be ready to adapt to the new regulations. Security of data, being one of our founding principles of service, has always been central in the protection of data within our organization. GDPR reinforces this obligation to which we have always been committed.
Sharing in the GDPR Journey
Such fundamental changes to the global technology landscape create obvious stress and panic as companies struggle to make adjustments and strive to establish new best practices and navigate necessary system changes. However, the life sciences industry as a whole never leaves peers to take these challenges on alone. An exciting and important opportunity surrounding GDPR is a new context for organizations to come together to share their knowledge and strategies. As GDPR goes live at the end of May, there will be opportunities for companies to share their experiences responding to requests from subjects and/or inquiries from regulators. Much like the annual TMF Summits (and other such niche, topical events), where industry professionals get together to discuss all things TMF, there are—and will continue to be—forums discussing how organizations can thrive while complying with GDPR. The topic itself will lend itself to important conversations about the privacy of subjects and the role of life sciences companies in the ongoing global discussions about technology and individual privacy.
Get in touch with our GDPR experts if you need help getting your ducks in a row for GDPR compliance.