General Data Protection Regulation (GDPR)
Authors: Victor Paul Neamt, Bertrand Le Bourgeois, Ian Pinto on behalf of and for the ACDM
Date: May 2018
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 protects individuals with regard to the processing of their personal data and the free movement of such data, and repeals Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”). The EU GDPR law comes into force on 25 May 2018.
The GDPR applies by default as a law to all 28 EU countries. It has been developed through collaboration of the 28 local Data Protection Agencies, combining 40 years of experience of personal data protection regulation and laws in Europe: see the genesis diagram below.
Who does GDPR affect?
The EU GDPR law will apply to all companies that collect or process personal data of EU residents. This applies to companies based in the EU, but also to companies based outside the EU.
Data protection is everyone’s responsibility and it applies to the processing of personal data, wholly or partly by automated means, in the context of the activities of a company in the EU, regardless of whether the processing takes place in or outside the EU.
In some instances, GDPR also applies to companies not established in the EU, but only if they process personal data of subjects who are in the EU.
The GDPR law distinguishes two roles: the organisation that mandates the data collection is called the Data Controller (e.g. the sponsor in the case of a clinical trial); the subcontracting companies are called ‘Data Processors’ (e.g. the hospital/clinical site, CROs, software companies, the IT hosting company).
In the Application to Clinical Trials
All clinical trial activity that involves any personal data, from the time of initial consent to the destruction of source documents, is in scope, including clinical trials performed on EU study subjects, as well as any activity performed by Contract Research Organisations (CROs) or vendors established within the EU on non-EU study subjects.
Even if anonymised, patients’ personal data are considered by the EU and the DPAs as ‘Pseudonymised’ and as such are subject to the GDPR: the reason is that they consider it impossible to guarantee that a patient could not be identified.
Companies that fail to meet the stricter requirements could be fined up to €20,000,000 or 4% of their global annual turnover, whichever is higher, and suffer reputational damage.
The regulation will apply from 25 May 2018 and will provide individuals with increased legal protection. Currently 31 countries are in scope, which includes 28 EU member states along with Iceland, Liechtenstein and Norway, members of the European Economic Area. As a response to the GDPR, a number of countries are also expected to adopt legislation that is substantially similar in scope and level of protection, most notably Switzerland.
Protecting individuals’ rights
Companies need to adopt relevant procedures to respond to data subjects’ requests and to ensure that natural persons’ rights are respected. They will need the capability to act effectively on data subject requests, including measures that make it easy to identify, erase, or transmit data belonging to a particular individual.
Comparison with local Data Protection Agencies (DPAs)
All stakeholders of the value chain are legally responsible in case of a data breach: whereas before only the sponsor organisation of a clinical trial was liable, now CROs and all other contractors share the liability.
The new requirements are mainly:
- To author a register of personal data processes
- If sensitive data* are processed, the Data Controller needs to carry out a Data Protection Impact Analysis together with the different subcontractors
- Patient consents need to be more detailed than they used to be; for example, the different stakeholders of a clinical trial / observational study need to be mentioned; this means that if one of the subcontractors changes during the trial, patients and investigators need to be informed and their consent needs to be obtained again
- A severe data breach needs to be reported to the local DPA within 3 days, and of course also signalled to the patients and the subcontractors if relevant
- A data subject request for information needs to be answered within one month, in the local language; if not, the data subject can file a complaint with the DPA or the local justice authority
- Data transfers outside the EU need to be controlled; the control procedures will depend on whether the destination country is one of the 11 Adequate Countries** or not
- Each company handling sensitive data, or a high volume of data, should appoint a Data Protection Officer (DPO) (see the description of the role and qualifications of the DPO at the end of this article)
(*) Sensitive data: personal data about health, religion, ethnicity, trade unions, politics, data from children, elderly persons or vulnerable persons.
(**) Adequate countries as of 26 March 2018: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework)
What if I am an SMB company?
We acknowledge that this new law can be quite cumbersome for SMB organisations. Several DPAs have developed a special approach for them; see the ICO’s and CNIL’s websites at the end of this article. The GDPR allows organisations to appoint an external part-time consultant as DPO.
Setting up a processing operation
While setting up a clinical trial or any other complex processing operation involving external parties, the appropriate contractual relationships need to be put in place. When executing such relationships, organisations will need to ensure that all of their contracts contain the provisions required by the GDPR.
Organisational Technical Measures and Responsibilities
It is the responsibility of organisations to ensure that data in their systems is secure and that ongoing confidentiality and integrity are maintained, using measures such as anonymisation and encryption. Systems need to be resilient and able to restore data after incidents, with procedures for ongoing monitoring of security.
The responsibilities of organisations include reporting any data breach without delay to the individuals affected, unless the breach is assessed as unlikely to result in a risk to the rights and freedoms of individuals.
Data Protection is Everyone’s Responsibility, So What Can You Do?
The GDPR is based on a flexible, risk-based approach towards data security. Each organisation will need to adapt procedures in line with its operations, and choose those security measures best suited for its activity. However, the following should be valid for most organisations:
- Ensure measures that limit and log access to archives/places where files containing personal data are stored (physical access control).
- Ensure that permission to access the company’s systems is granted in a controlled manner, limiting access to those who need that information to perform their tasks (logical access control).
- Only use equipment that can provide an adequate level of security (e.g. encrypt laptop hard drives so the data cannot be read in case of theft/loss).
- Control how users are utilising their devices (workstation management): limit users’ permission to install or remove software.
- Set up surveillance measures for your facilities.
- Ensure appropriate back-ups are available for systems and workstations.
- Limit or eliminate the use of removable storage devices.
- Install appropriate antivirus and anti-malware software on all workstations and enable auto-updating by default.
- Ensure your desk is clear of personal information and lock unattended devices.
- Use strong and unique passwords for each system or application you use.
- Dispose of documents with personal data in an appropriate way, e.g. shredding.
- Use only encrypted removable devices for temporary storage.
- Keep your whiteboards clear of personal data and securely store flip chart notes.
- Ensure your laptop is encrypted and has adequate anti-virus.
- Evaluate your surroundings before you discuss sensitive / personal information.
- Lock all devices when left unattended or bring them with you.
- Report all suspected non-digital privacy incidents.
- Report all suspected digital security / privacy incidents.
The GDPR imposes a duty of accountability on organisations processing personal data. Compliance with the regulation needs to be documented. Records kept by companies will need to demonstrate that all of the processing operations comply with the GDPR’s legal requirements, as well as show the technical and organisational measures adopted by the company in order to ensure the adequate level of protection for the personal data.
For processing operations that involve a certain degree of risk, as the GDPR describes it when the processing operation “is likely to result in a high risk to the rights and freedoms of individuals”, a written impact assessment, called a “Data Protection Impact Assessment”, needs to be performed and made available to the authorities upon demand.
Role of the Data Protection Officer (DPO)
In a nutshell, the DPO is an independent person who handles the information requests coming from data subjects, manages relationships with the DPAs, and makes sure the company is always up to date on GDPR compliance.
The DPO should not take part in personal data processing, so that they can act as an independent external auditor.
DPOs should have three key capabilities, covering:
1) data management/data privacy/IT
2) industry regulations, quality assurance and audit
3) the companies’ business
As an example, in the pharma industry, it is key that the DPO understands the interconnected relationships between the EMA, the local regulatory body, DPAs, sponsor, CRO, clinical site, scientific associations, etc. For the same reason, it is key that this person is aware of the various industry regulations and guidance: GxP, GAMP, ICH, etc. The DPO doesn’t need to be an expert in each of these fields, but rather needs to understand the matters and be able to discuss them with experts.
One key success factor is that the DPO has experience in conducting audits.
The most important things you need to do, as stated by the DPAs, are to get trained on GDPR, perform a gap analysis of your key processes to identify the scope of what needs to be done, initiate the development of a register of processes, and start writing the first DPIA. You will also need to ensure a DPO is identified, if not already, and declare them to your relevant DPA. Remember also to indicate the DPO’s email address on your website, contracts and key documents.