The EU’s new data protection law is going to have a great impact on companies worldwide, including those involved in clinical trials. Here’s what you have to know and how to act!
In May 2018, the European Union’s new data protection law, the General Data Protection Regulation (GDPR), is set to replace the current Data Protection Directive (DPD). Although this just sounds like a bunch of complicated words, it will actually have a wide-reaching effect on companies worldwide.
You may read this and wonder why you should care. Well, if your company handles personal data of any sort, then you will likely be affected. One of the sectors hit especially hard by the new changes to the data protection law is the drug development industry. Namely, anyone who is involved in a clinical trial, from sponsors and investigators to CROs and vendors.
Starting in Spring next year, companies will be facing a long list of changes that they have to follow in order to comply with the GDPR. In light of looming, strict penalties, companies will be forced to observe the EU’s new law. But how to find a way through the labyrinth of rules and regulations?
We have caught up with Joshua Merkel, Manager of Information Assurance at SynteractHCR, a global contract research organization specialising in clinical development services. Unsurprisingly, SynteractHCR is one of those companies most affected by the GDPR, and it has inevitably begun strengthening its Data Privacy Program to comply with the new data protection regulations.
We have asked Joshua to define the GDPR for us, explain the differences between the old data protection law and the GDPR, and describe the impact it will have on anyone involved in clinical trials.
Joshua, can you give us a short introduction to the GDPR and its implications for data protection?
The GDPR is set to come into effect on May 25th, 2018, and is aimed at improving the existing Data Protection Directive (DPD) by fixing the fragmented implementation of data privacy laws amongst EU member states, and setting forth a robust common baseline for all countries to follow.
The GDPR will apply to organizations all over the world, not just those located in the EU, including those in the drug development industry. Companies will be confronted with a tremendous amount of changes, much more than what is currently required under the DPD.
For example, the GDPR increases the scope of the DPD and also adds entirely new and substantial compliance requirements and individual rights. Organizations need to be working towards GDPR compliance now, not next May.
With the introduction of the GDPR, the global drug development industry will be confronted with a long list of changes. What are they?
There are a number of key changes I would like to point out here. I have already mentioned the increased scope of the GDPR compared to the DPD, and one very significant change in scope is how the GDPR defines “personal data.”
Like the DPD, the GDPR governs the processing of any information that identifies or could be used to identify a natural person. Common examples of personal data under the DPD include names, addresses, social security numbers, dates of birth, and bank account details.
In addition to that – and almost anything else you can think of that relates to a person’s identification – the GDPR now also covers location information, genetic data, and IP addresses. A broader definition means the GDPR will have a further reach than the DPD.
Another significant change in scope brought by the GDPR is included in the tightening of “transparency” regulations. Transparency is a core principle to data privacy protection practices.
It requires that organizations ensure that those individuals whom they are collecting information from understand in very clear terms how their data is used and protected, what it is used for and where it might be transferred to. Transparency ensures that the organization properly obtains an individual’s consent prior to collecting any data. Consequently, these new transparency regulations will require a complete reevaluation of businesses’ transparency practices.
Under the GDPR, individuals’ rights are expanded. Currently, the DPD includes the individual rights of access, rectification, erasure, objection, and the right not to be subject to automated processing decisions. The GDPR enumerates all of these rights, expands on almost all of them, and introduces new ones. The only right that is largely unchanged with the GDPR is the individual right of rectification, which allows individuals to correct, update, and amend the data an organization processes about that individual.
The right to access under the GDPR is expanded. It allows individuals the ability to confirm whether or not an organization is processing that individual’s data, and if so, what types of data are processed. Individuals must now also be provided with more information in connection with a data access request, such as the data retention period, and the right to complain to a data protection authority.
The right to erasure is also expanded. Under the GDPR, individuals can request their data be erased when such data is no longer needed for its original purpose, when an individual withdraws their consent, and when erasure is necessary for compliance with EU or Member State law.
In addition, the right to object to processing is augmented by the GDPR. Unlike the DPD, an organization must cease the objectionable processing unless a compelling legitimate interest exists or if the processing is needed to establish or defend against legal claims.
The right not to be evaluated solely on the basis of automated processing is also updated to require that, as a prerequisite to automated processing, the individual provides explicit consent and the organization has appropriate safeguards in place governing automated processing.
The GDPR also introduces a few new rights – data portability and restriction of processing. Data portability allows individuals to receive a copy of their personal data and to have it transmitted to other organizations. Restriction of processing gives individuals the right to force organizations to limit the use of their data in certain circumstances.
The GDPR also sets new requirements for so-called controllers and processors. Who do these terms define and what are their new regulations?
Controllers and processors are organizations that are directly subjected to the GDPR. A controller is an entity that dictates the manner in which personal data is handled. Processors, on the other hand, process the data according to the instructions set by the controller. It’s akin to a contractor-subcontractor relationship, and it’s certainly possible for an organization to be acting as both a controller and a processor.
Controllers have been allocated their own set of requirements by the GDPR. One is the idea of accountability. Under the GDPR the demonstration of compliance accountability has become an enumerated legal requirement. This requires controllers to implement technical and organizational measures that illustrate GDPR-compliant processing activities.
Additionally, the GDPR has codified the privacy by design approach to data privacy. Privacy by Design stands for the principle that data privacy has to be a default part of business operations. A company is now expected to embed data privacy into all business processes and functionalities.
Another mandatory regulation for controllers is the data breach reporting requirement: A controller has 72 hours to notify authorities of a data breach. This is a very short time period to confirm the breach or investigate the cause, and adds a lot of pressure and urgency. It’s frankly a very tight timeline for controllers to comply with.
Under the GDPR, controllers and processors are required to have specifically-worded contracts governing their relationships. They are required to set up strict data protection agreements that, compared to the existing DPD regime, will make the relationships along the supply chain more complex.
In summary, the GDPR requires controllers to specifically demonstrate accountability with its requirements, adds privacy by design obligations, and includes highly time sensitive breach reporting requirements. Together, they substantially increase the resources devoted to an organization’s data privacy program.
Turning to processors, the GDPR makes them directly liable to individuals for instances of non-compliance, which greatly increases their risk profile. Further, if a processor deviates from the controller’s explicit processing instructions, the law will treat that processor as a controller, thereby holding it accountable for all controller-specific GDPR obligations.
This means that processors have to be very careful in how they process data because they may unknowingly increase their liability under the GDPR, and penalties are extremely high.
Speaking of high penalties… What are they?
Well, some actually see the penalty structure as the biggest change under the GDPR. If a company is non-compliant, there is a potential of fines that equal the greater of €20 million (approx. $24 million), or 4% of an organization’s worldwide revenue. Of course, this makes it necessary for organizations to spend money on GDPR compliance and data processing plans.
On the topic of money, preparing your organization for GDPR compliance is going to be a resource-intensive process. It is going to greatly impact the budget of organizations subjected to it.
Not only does it mean getting up to speed with the GDPR, but companies may also be required to appoint a data protection officer (DPO), may have to hire outside consultants or legal counsellors, will likely have to add more data privacy experts to their staff, and will have to create or overhaul existing training and awareness programs. All this will have costs associated with it.
You have touched on the effects of the GDPR on organizations. What will it mean for anyone – sponsors, CROs, vendors – involved in clinical trials? Is there a difference between Europe and the US?
The EU sees privacy as a fundamental human right and personal information is therefore highly protected. The US doesn’t have a consistent approach to data protection, like the EU has. With its increased global reach, the GDPR now forces organizations to comply with this EU standard.
That means that the GDPR will apply equally to all organizations subjected to it, regardless of where they are located in the world. GDPR compliance activities will vary depending upon whether you are a controller or a processor, as the law carves out specific requirements for each, not necessarily based on the organization’s location.
Generally speaking, sponsors and investigators in a clinical trial will most likely be the controllers because they are the ones that collect personal data directly from the trial participants, whereas CROs and vendors are most likely going to be the processors to the extent they process the trial data on the sponsor’s or investigator’s behalf. This, however, is not a hard and fast rule.
In this context, it is vital for everyone involved to be sure of their role at the beginning of a clinical trial. Agreements between controllers and processors have to be drafted, be made compliant with the GDPR requirements, and seen by an attorney or expert.
As important, you have to know the flow of data: Where is it going? Is it going to other countries? Where is it stored and on what kind of system? Organizations have to understand the varying degrees of sensitivity and the type of data – participants’ names, addresses, dates of birth etc. – that will be processed. They have to prove that personal data is protected in every possible way.
Finally, global organizations, such as those involved in clinical trials, now have to integrate GDPR compliance with existing data privacy programs that may be based on other countries’ data protection regulations. The GDPR has to be woven into an organization’s global regulatory framework, such as Asia-Pacific laws or the US State-specific laws, and even the Member State-specific data handling laws.
If a CRO is involved in an exclusively American trial, the GDPR is not triggered. Could this mean that CROs will turn their backs on Europe and focus on the US instead?
No, I don’t really see that happening. Many CROs are already doing business in the EU or with EU citizens and it doesn’t make sense for them to abandon that piece of their business. In an ideal world, these organizations should already have some form of DPD-compliant data privacy program in place, so they should be able to just expand on those programs that are already set in place.
Expanding an existing program to be GDPR compliant is by no means an easy thing to do, but it’s easier than starting from scratch. Having said that, there are certainly CROs that operate solely in the US. And I can see the GDPR as a bar stopping those organizations from expanding internationally.
Keeping up with the GDPR will definitely be an advantage, as you will also be keeping up with global players. It will eventually gain more market share. Data privacy and data privacy protection is somewhat new in certain countries, like the US, and it will go on to grow in importance, on a global scale.
SynteractHCR is clearly taking its GDPR obligations very seriously. As an international CRO that runs global clinical trials, it realizes that the proper handling of personal data is of course a legal requirement AND of utmost importance in protecting its customers, patients and employees who dedicate themselves to maintaining the integrity of the clinical trial process. Want to know more about SynteractHCR? Check out their website here!
Images via Photon photo, jijomathaidesigners, Wetzkaz Graphics, kb-photodesign, Tashatuvango, Ewais, Rob Wilson, v.schlichting/Shutterstock and SynteractHCR