This won’t be the first time, nor the last that you read about the European Union’s new data protection law, the GDPR. You might even be annoyed by the amount of emails you have received lately, but the importance of complying with the GDPR cannot be emphasized enough. This also holds true for non-EU life science companies working with EU residents’ data.
As an Asian or American life science company there are a few key aspects concerning the GDPR you cannot ignore. To explain these points to you properly, we have caught up with a GDPR expert who works exclusively with life science companies, such as biotechs, pharmas, medtechs and CROs, to help them become GDPR compliant. Lately, he has hada lot to do.
Just a reminder: What is the GDPR?
Gautier Sobczak is the Co-Founder and Head of Business Development at MyData-TRUST. He has told us all about the key aspects that non-EU life science companies have to consider when working with EU residents’ data. Two main points have to be implemented immediately. But first, let us quickly recap:
After taking effect in May of this year, the EU’s General Data Protection Regulation (GDPR) has got many companies on tenterhooks. For life science companies, the new regulation means that patient information needs to be handled with extra care, as it is considered critical data that can greatly impact the private life of an individual and poses an increased risk to their freedom and rights.
It’s now or never!
So while EU member states have been head over heels in GDPR preparations – getting their communication about data collection processes up to scratch, implementing new tools, and educating their staff on data protection activities – non-EU companies might have been caught off guard.
“It’s not too late to become GDPR compliant,” Gautier emphasizes. “EU data protection authorities will be tolerant until the end of the year. Until then, non-EU companies need to be GDPR compliant if they work with EU residents’ data, and the first thing they need to do is to appoint a data protection representative, a DPR. And if they handle health data, perform large scale treatments or have more than 250 employees, they also need a data protection officer, a DPO.”
These two key figures are needed by every non-EU life science company that works with sensitive data of EU residents – whether this includes the collection of data, processing of data as a partner or the use of pseudonymized data in clinical trials.
Appointing a data protection representative
The data protection representative (DPR), mentioned in Article 27 of the GDPR, is a legal entity that has to be based in one of the EU members states in which the data of subjects is being collected. A DPR is therefore not an individual person, but rather a EU-based company, such as MyData-TRUST, that represents non-EU life science companies across the EU territory.
The representative has to be available to both the local data protection authorities and data subjects (mainly patients), given that these individuals and supervisory authorities desire someone nearby who speaks their language and understands their customs and expectations.
“The appointment of a DPR by a company should be done without prejudice to legal action that could be initiated against it,” Gautier explains. In other words, the DPR is in no way responsible for data protection breaches, and a company bears full responsibility for its actions and how it they handles the data of EU residents.
Appointing a data protection officer
Whereas the DPR is a legal entity responsible for communications with EU data protection authorities and data subjects, the data protection officer (DPO) is a clearly identified physical person. The nomination of a DPO becomes obligatory when a company uses sensitive data or conducts clinical trials within the EU.
As it is often hard for companies to find and employ a full-time DPO, this function can be externalized. The externalization of the DPO allows companies to find a person dedicated to them with all the skills required to perform the function. Therefore, the DPO could be a life science, IT, and legal expert.
“The DPO is the data protection guardian of a company with the responsibility of educating the company and its employees about data privacy,” Gautier continues. “A DPO conducts internal and external audits, fulfills monitoring duties, advises on data protection efforts, maintains records of data processing activities, implements the GDPR internally and ensures GDPR compliance.”
An important message
Although it isn’t mandatory for companies to place a DPO inside the EU, MyData-TRUST recently received a tip-off from the French authorities, who recommend the distribution of local points-of-contact within EU countries.
A life science company conducting a clinical trial in different EU member states, for instance, would be advised to implement a network of people who can ensure that the DPO can answer potential questions of data subjects, or patients, in their own language, be present in the same time zone and understand their culture.
“This means that if you conduct a clinical study in, for example, Spain, France and Germany, you should have either local points-of-contact who are able to answer questions in the respective languages – Spanish, French and German – or a DPO speaking these three languages,” Gautier explains.
Do these three important steps
Companies outside of the EU need to consider several steps in order to become GDPR compliant. The first three steps to be put in place immediately are: performing a gap analysis, designating a DPO and appointing a DPR.
“The first step, is to perform a gap analysis, which among other points, covers registration forms on websites, emailing lists or data linked to clinical trials,” says Gautier. Generally, a gap analysis enables a company to identify all the different processes in which the personal data of EU residents is being used or collected, as well as revealing the data flow for each process.
“When appointing a DPO, try to find someone able to understand the legal environment and data protection regulations,” Gautier emphasizes. “Then appoint your DPR. Find an expert structure that can support you in your communication with data protection authorities and patients, for example MyData-TRUST. We are experts in clinical trials and therefore know how to answer inquiries from the EU authorities.”
A few more things to remember
Next, companies should create records of their data processing activities; perform data protection assessments on each clinical trial; assess their providers; review contracts and informed consents of patients to make sure that all rights are met; and create and update procedures to ensure that they cover data privacy regulations.
“The last step includes putting in place a data breach-strategy, which we strongly recommend,” says Gautier. A data breach-strategy allows companies to assess where a breach might have happened within a data flow process, and when to contact the authorities, and, if necessary, the patients.
“In addition to a data breach-strategy, I would also recommend putting in place a data privacy policy and a rights of subject policy. This means that if a patient contacts you, you know what to do,” Gautier concludes.
Even as a non-EU company, GDPR compliance is necessary if you are collecting or using sensitive data of EU residents, for example in clinical trials or health software solutions. The team at MyData-TRUST are experts in the life sciences field. Let them help you become GDPR compliant and allow them to lead you through the muddle of new data protection regulations set by the EU!
If you are interested in discovering more about the GDPR and what it means for life sciences companies worldwide, check out MyData-TRUST’s first article with us here!
Images via polygraphus, suns07butterfly, Wright Studio, SB_photos, Maksim Kabakou, JARIRIYAWAT, Rawpixel.com/ Shutterstock.com