On May 25th, 2018, the EU General Data Protection Regulation (GDPR) came into effect. The regulation has had huge implications for data management and data security, not just in Europe, but globally. For those of us working in clinical trials dealing with patient data every day, there are some important new rules to comply with.
What is GDPR?
The new regulation, replacing the original EU Data Privacy Directive (EU 95/46/EC), is intended to protect persons whose data is collected in Europe or by business entities in Europe from privacy violations and data breaches in today’s data-driven world. With that goal in mind, there were several key changes relative to the previous privacy directive:
Extended jurisdiction: GDPR aims to standardize and strengthen the protection of personal data across the EU, including other countries’ data being “processed” within the EU. It applies to all companies processing personal data in the Union or personal data of citizens of the Union, regardless of the company’s location. So GDPR is important for everyone to take note of, not only those based in Europe.
Data subject rights: there have been extensive changes to the rights of individuals when it comes to their data. These include:
1) the right to obtain confirmation as to which personal data concerning them is being processed, where, for what purpose and to whom it is being transferred.
2) to be provided with a copy of the personal data, free of charge, in a transferrable electronic format (to allow potential change of provider).
3) to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing/transferring of the data.
Strengthened consent: consent processes must now be much clearer and based on explicit opt-in, requiring an obvious affirmation from the individual on data processing, and it must be easy for them to withdraw this consent.
How Do the Changes in GDPR Affect Clinical Trials?
Under GDPR, as a clinical trial provider, you are a processor of patient data, with the sponsor being the controller, but also a controller of the data of your personnel, customers and sub-contractors. However, clinical trial data falls into a “special” data category that is subject to stricter limits on whether it may be processed at all. For clinical trials, at least the legal basis for processing is sound, as processing of medical data is necessary for scientific or research purposes.
Performing clinical trials requires following the applicable acts and regulations, and those may contradict the GDPR. Since the GDPR is a baseline regulation, the provisions of such other acts supersede those of the GDPR. The demand to have patient data deleted at the patient’s request typically cannot be fulfilled, because pharmaceutical laws prohibit deletion of patient data in order to prevent fraud. Patient data may be locked at the patient’s request or excluded from scientific processing, but it typically must not be deleted if the trial product requires approval by the authorities.
Another important component is the strengthened consent process. For the clinical trials industry, well versed in the importance of clear and informed consent, this is not particularly new. However, under GDPR all companies must use legible terms and remove legal language from data privacy consent processes. It must be made clear that the patient is not only participating in a trial, but also explicitly consents to the collected data being processed, typically via an additional checkbox.
This will be easy for trials happening now, but GDPR requires data protection impact assessments for big projects and clinical programs which may include ongoing studies or trials consented in the past. The long-term storage of participant data from past trials has been cited as a challenge in interpreting and implementing GDPR, as the new regulation states that data cannot be stored indefinitely, which conflicts with regulatory authority requirements for data retention.
Another important aspect is the concept of pseudonymization, which is defined in GDPR as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” In the clinical trial context, this means that any pseudonymized data that could still be attributed to a trial participant using other information will still be considered personal data. It will be essential to distinguish pseudonymization from anonymization in clinical trial protocols, as only anonymization will ensure that the data is no longer considered to be personal data.
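To make the pseudonymization/anonymization distinction concrete, here is an added example (not from the original article) that pseudonymizes constructed trial records with a keyed hash, keeps the link table as the “additional information” that makes re-attribution possible, and contrasts that with an anonymization step that removes the link. All records, field names and the key are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample records for illustration only; not real trial data.
RECORDS = [
    {"name": "Alice Example", "national_id": "AB123456",
     "dob": "1970-03-02", "arm": "placebo", "hba1c": 6.1},
    {"name": "Bob Example", "national_id": "CD789012",
     "dob": "1965-11-19", "arm": "drug", "hba1c": 7.4},
]
DIRECT_IDENTIFIERS = ("name", "national_id")


def pseudonym(national_id: str, key: bytes) -> str:
    """Derive a stable subject pseudonym with a keyed hash (HMAC-SHA256).
    The key is the 'additional information' in the GDPR definition: whoever
    holds it can re-attribute every row, so the data remains personal data."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Split records into a research dataset (pseudonym + clinical fields) and
    a link table (pseudonym -> identity) that must be stored separately."""
    dataset, link_table = [], {}
    for rec in records:
        pid = pseudonym(rec["national_id"], key)
        link_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        dataset.append({"subject": pid,
                        **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, link_table


def reidentify(row, link_table):
    """With the separately held link table, a dataset row maps straight back
    to a named person: pseudonymization is reversible by design."""
    return link_table.get(row["subject"])


def anonymize(dataset):
    """Drop the pseudonym and coarsen the date of birth to a year, so no row can
    be linked back even with the key. Whether the result is truly anonymous
    still depends on a re-identification risk assessment of the remaining
    fields (arm, birth year, hba1c), which this toy step does not perform."""
    return [{**{k: v for k, v in row.items() if k not in ("subject", "dob")},
             "birth_year": row["dob"][:4]} for row in dataset]
```

The same subject always receives the same pseudonym under a given key, which is what keeps visits linkable for the trial and, equally, what keeps the dataset within the definition of personal data.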
How Can You Stay GDPR Compliant?
In spite of the general apprehension about the GDPR, most of the rules indicated above have been in place since 1996. This includes data security, pseudonymization and patient rights. What the GDPR changed is that the burden of proof was reversed. Before, subjects had to prove that a data processor broke the rules. Now, the data processor has to prove that the processing was lawful. The documentation that has been required for over 20 years can now be crucial for avoiding legal consequences.
The penalties for being in breach of GDPR are hefty; organizations can be fined up to 4% of their annual global turnover or €20 Million (whichever is greater).
It will be essential for clinical trial providers to carry out data impact assessments, for both electronic and hard copy data. These must identify the data that is being processed, where it is transferred to, who processes it, what it is used for, and the associated risks and processes; they must also ensure that all employees are trained in GDPR-compliant data management and define what action will be taken in the event of a breach.
Sponsors and CROs may also be expected to have a Data Protection Officer in place, a named person within the company who acts as the interface between the data subject, the data protection authorities and the company in the case of any complaints or data breaches. According to GDPR, data protection officer appointment “is mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale”, which is likely to be the case for clinical trial providers.
- GDPR does not only affect companies based in the EU, but anyone processing personal data in or from the EU
- The individual rights of people with regard to their data were strengthened significantly, with a focus on active consent to give data, making it easy to withdraw that consent, and data portability
- However, clinical trial data is regulated by other acts, and not all of these new GDPR subject rights apply
- The consent process is tougher, and this could pose challenges for ongoing historic trials
- Trials must clearly distinguish between pseudonymized and anonymized data
- Carrying out data impact assessments that result in process documentation, and having a Data Protection Officer in place, is recommended and may even be mandatory for your company