On May 25, 2018 the General Data Protection Regulation (GDPR) goes into effect in the European Union (EU). This regulation has a broad scope beyond companies performing clinical research – all personal data falls under its jurisdiction, which includes data handled by web search engines, social media, and much more. But specifically, how does this new regulation affect personal data collected during a clinical trial, and what do Sponsors and Contract Research Organizations (CROs) need to do to ensure compliance? Here we aim to address the highlights of the GDPR and its implications for clinical research.
What is the GDPR?
The GDPR was approved by the European Parliament on April 14, 2016 and replaces the Data Protection Directive (DPD) 95/46/EC. The new GDPR expands what is considered to be personal data (i.e. any data that can be used to potentially identify a person).
Who does the GDPR apply to?
The GDPR applies to all EU citizens. Thus, any Sponsor or CRO that collects information from these individuals is subject to the rules of the GDPR, even if that Sponsor or CRO is not located in the EU.
How does the GDPR define personal data?
Similar to the U.S. Health Insurance Portability and Accountability Act (HIPAA), identifiers such as name, social security numbers, addresses, date of birth, and electronic medical numbers all constitute personal information. However, the GDPR expands the personal data definition from the DPD to include information such as location information, genetic data, IP addresses, and e-mail addresses. In sum, any data that could potentially be used to directly or indirectly identify a person is considered personal data.
What is the purpose of the GDPR?
The main purpose is to give individuals more power to protect their personal data and to understand how their personal data might be used by the Sponsor or CRO collecting it. These Sponsors and CROs will be required to give more details on how the data is being used, the purpose of data collection, and where the data is stored and transferred. Individuals will also be allowed access, on request, to details of how specifically their data is being used, will have the right to lodge complaints regarding personal data use, and will be able to request that their data be erased. For clinical research and medical information, there are stipulations that the data can be retained if doing so is in the best interest of public health or serves scientific purposes.
What are the responsibilities of a Sponsor and/or CRO to protect personal data?
Sponsors or CROs need to define the “controllers” and “processors” of personal data. Controllers are responsible for determining what data is to be collected and processors are involved in the collection and/or processing of that data. Both controllers and processors are obligated to comply with the regulations of GDPR, whereas previously the controllers were primarily responsible for this task. In the realm of clinical research, the Sponsor and Investigator would most likely be considered the “controllers” and the CRO and vendors the “processors”. The roles of each organization in a clinical trial will need to be clearly defined to ensure compliance.
How can a person consent to the use of their personal data?
In clinical trials, obtaining informed consent prior to any study activities is of paramount importance. Under the new regulation, the informed consent process for research remains the same, but Sponsors should be as transparent as possible in informed consent documents about the use of personal data and the rights of individuals. Consents should state how the data will be used, who will receive the data, the timeline for data use and storage, and the right the individual has to revoke authorization. Additionally, there are still exceptions permitting the collection and use of personal data for medical research without consent if it is considered in the best interest of the public. Currently, no directive has been released on whether patients previously enrolled in clinical trials must be re-consented if the original informed consent form does not meet all GDPR standards.
What happens if there is a violation?
Personal data breaches are required to be reported within 72 hours of becoming aware of the breach. However, there are exceptions to this rule if it is determined that the breach is unlikely to pose a risk to the individuals it affected.
What are the consequences if the regulation is not followed?
Heavy fines of up to 4% of a Sponsor’s global revenue will come into play, depending on the scope of the violation. Having a well-defined policy plan to ensure GDPR compliance is key to preventing violations and potentially heavy fines. What steps has your company taken to ensure compliance with GDPR?
How do you think GDPR will affect clinical research moving forward?