Since it took effect May 25, 2018, the European Union’s General Data Protection Regulation has been reshaping the way data is handled across every industry sector, including clinical research. The objective of the GDPR is to strengthen and standardize the protection of personal data across the EU, including ex-EU data that is processed within the union.[1] While the regulation is intended to cover the data of individuals within the EU, entities outside Europe — including contract research organizations — may still be impacted by the new requirements if they handle EU personal data.
GDPR contains a number of articles that present unique challenges to the pharmaceutical clinical trials industry. Unfortunately, there is no industry-specific guidance on the GDPR compliance for CROs and no case law to guide CROs on official interpretation. In this blog series, we focus on defining the regulation, on key aspects of GDPR that are relevant to clinical trial professionals, and on providing insight on how CROs can achieve compliance in data handling throughout the clinical trial process.
Overview of the GDPR
The GDPR defines personal data as any information that relates to an identified or identifiable living individual. This data includes identifiers such as IP addresses, genetic data, and biometric data. Moreover, pieces of information that can lead to the identification of a particular person when collected together also constitute personal data.[2]
Compared to the Data Protection Directive 95/46/EC, which it replaces, the GDPR incorporates the following key changes:
- Increased territorial scope to include companies not established in the EU
- Significant penalties for noncompliance, with fines up to 4 percent of worldwide revenue for the preceding year or €20 million, whichever is greater, depending on the seriousness of the violation
- Expanded data subject rights including prior consent, use of transparent plain language, data portability, and rights to access, correct, restrict, object, and be forgotten
- Incorporation of privacy by design
- Need for impact assessments. Similar to risks assessments, impact assessments should cover what the data is used for, how it is managed, and what action is needed
- Introduction of the defined role of a data protection officer, a named person within an organization who is registered with the relevant data protection authorities in specific territories
The GDPR defines two categories of data handlers:
- Data controllers determine the purposes and means of processing personal data. Legally, the majority of obligations in the GDPR fall upon the controllers.
- Data processors process personal data acting on the data controller’s instructions. While data processors have fewer obligations than data controllers under the GDPR, in practice, organizations such as CROs do implement some of the data controllers’ obligations, insofar as they are the ones processing the personal data.
Obligations of Data Controllers
In accordance with GDPR, data controllers are required to:
- Maintain records of all data processing, including how the data was processed, used, and/or disseminated, along with evidence of compliance with the principles of GDPR
- Provide information to individuals in a privacy notice, being transparent about what data is collected and why
- Ensure that mechanisms for capturing, storing, and managing consents are created when consent is required
- Embed privacy by design into their studies and offer privacy by default, whereby privacy is the default option
- Use data protection impact assessments to define the technical and organizational measures required to keep personal data secure
- Ensure creation of mechanisms for fulfilling data subjects’ rights to access, correct, object, and be forgotten
- Identify data breaches and notify the appropriate authorities within 72 hours of discovery if a breach is deemed likely to result in a high risk to the rights and freedoms of the individual. The data controller is also responsible for notifying the affected individuals without undue delay, unless an exception is triggered
Obligations of All Organizations Processing Personal Data
Unlike the previous regulation, under which data controllers (i.e., sponsors) were wholly responsible for ensuring that their data processing practices were compliant, the GDPR spreads responsibility to data processors. A key responsibility for data processors is to ensure that they implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of subjects’ rights.
According to the GDPR, all organizations processing personal data are required to:
- Create records of processing that capture how personal data processing is performed in the company
- Ensure that their data protection officers are proficient in overseeing privacy governance and will proactively review technology systems and initiatives that relate to personal data processing
- Develop and implement policies and standards that outline data security measures so that the quality and governance apparatus of a company can measure and monitor the company’s implementation of those measures
- Give appropriate training to staff in accordance with data processing risks
- Improve their vendor management capabilities to ensure that third-party vendors have the necessary qualifications and security measures in place
- Update their contracts between data controllers and data processors to ensure compliance with GDPR Article 28 requirements
- Implement appropriate transfer mechanisms for transferring personal data outside of the European Economic Area
- Implement appropriate systems that monitor and detect data breaches, with appropriate escalation and reporting plans in place to comply with GDPR Article 33’s mandatory 72-hour data breach reporting requirements
- Ensure that any direct marketing is done in compliance with GDPR and ePrivacy requirements
- Track when personal data is no longer valid and provide evidence that this data has been archived appropriately
In the context of clinical trials, the new GDPR regulations cover not only those participating in the studies, but also employees, customers, and subcontractors.3 Per the GDPR, CROs and other clinical trial providers act as both data processors and data controllers. From the perspective of study participants, the CRO is a data processor. From the perspective of its own staff, the CRO is a data controller. Accordingly, there are several nuances of the GDPR that CROs must navigate, and these will be discussed in the blogs to follow.
Data Protection Part 2: Ensuring Study Start-Up Compliance With GDPR
Data Protection Part 3: Key Considerations for Clinical Trial Recruitment
Note: This material is provided for informational purposes only and not for the purpose of providing legal advice. If you are unsure whether the GDPR applies to a particular study or scenario, we suggest consulting with legal counsel for guidance.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR). Available at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.
[2] European Commission. What is personal data? Available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en.