The General Data Protection Regulation (GDPR) came into force on May 25, 2018 after the European Union determined the need for greater data protection of its citizens, and placed more stringent and standardised requirements on how organizations collect and store data.
While the regulations are for the EU, there are implications for companies in any country holding information on residents of the European Union. Failure to comply can saddle companies with €20 million fines or four percent of their worldwide revenue.
A worrying consideration, Susan Shelby, senior VP of clinical operations for CRO Biomedical Systems, says. “It will have a significant impact on this industry. I’m convinced companies are not prepared for it, the penalties are steep and it doesn’t seem that enough people are discussing it.”
Shelby wrote that on 28 March, less than two months before GDPR came into force. Trial sponsors slow to adapt should take note — below we assess the major implications the regulation will have on clinical trials.
How GDPR Defines Personal Data
Danielle Kirsh at Mass Device says GDPR is similar to the U.S. Health Insurance Portability and Accountability Act (HIPAA) in the way it defines personal data.
Under HIPAA, identifiers include “…name, social security numbers, addresses, date of birth, and electronic medical numbers…However, the GDPR expands the personal data definition… to include information such as location information, genetic data, IP addresses, and e-mail addresses. In sum, any data that could potentially be used to directly or indirectly identify a person is considered personal data,” Kirsh writes.
The Major Changes From GDPR
The GDPR will have three major implications for clinical trials, Ed Miseta, chief editor at Clinical Leader, explains. One is the penalty for non-compliance, which we noted above, so let’s explore the remaining two.
Increased Territorial Scope
As mentioned, the regulation applies to companies outside the EU as it protects the personal data of any person residing within the European Union.
This marks a significant shift from the directive preceding GDPR. Miseta says territorial applicability used to refer to data processing “in context of an establishment,” but now it covers “the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.”
Improved Patient Consent
Part of improved consent means plain and simple language is used instead of legal jargon. GDPR requires companies to request consent in an “intelligible and easily accessible form, with the purpose of data processing attached to that consent.”
Additionally, Miseta states, consent must be “clear and distinguishable from other matters” and that consent must be able to be easily withdrawn at a later stage.
More Stringent Requirements For Consent
Attorney Debra Diener says GDPR’s reach includes genetic and biometric data, which makes it more stringent than HIPAA. That means a trial sponsor in the US may be “compliant with HIPAA privacy rules, or the expanded HITECH Act,” but if it conducts trials in the EU, that compliance is not sufficient.
And while “clinical trials are only mentioned specifically in GDPR twice,” consent is the major factor. Consent terminology is very different in the US and other countries, as is how they handle consent.
Under GDPR, consent must be unambiguous and in writing, Diener explains, and the regulation applies to paper documents and paper processing of which there is still a substantial amount in clinical trials. Further, sponsors cannot rely on pre-checked boxes that patients can uncheck, but rather must involve actively ticking a box to give consent.
New Rights For Patients Under GDPR
The Right To Be Forgotten
GDPR allows individuals to have their personal data erased. The so-called right to be forgotten presents “far-reaching implications for clinical trials if not managed appropriately – by sponsors and regulators,” lawyers Richard Dickinson, Jackie Mulryne and Zoe Walkinshaw at Arnold & Porter, write.
Should the patient request to be forgotten, the data controller — trial sponsor — will not only be required to delete personal data, but also “take all reasonable steps” to ensure third parties do likewise. Trial sponsors may be able to argue against deleting personal data, but only if processing the data is in the public’s interest for public health, or scientific or historical research purposes.
The Right of Data Portability
Patients of clinical trials are afforded the right to “receive their personal data in a commonly used and machine-readable format, and transmit such data to another organization.” In other words, individuals must be able to obtain, copy, transfer and use the personal data they have given to a controller easily and securely.
There are limitations to this right if doing so impacts the rights and freedoms of others, such as the sponsor whose intellectual property or trade secrets maybe threatened.
Ensuring Compliance
New rights for patients means trial sponsors will need to consider updates to their compliance procedures, for trials started after the regulation came into effect and for those that are ongoing and continue to have data being processed.
Data Protection Impact Assessment
The Arnold & Porter lawyers explain that a data protection impact assessment should start with a description of how the data processing operations will be carried out and why they are necessary.
Following that, the data processing must be shown to be necessary and proportional, with a clear risk assessment regarding the rights and freedoms of patients and the measures taken to mitigate those risks.
Sponsors and CROs Need to Appoint a DPO
To ensure that data management and its handling is in compliance with the regulations, a data protection officer must be appointed.
Specifically, the DPO will undertake to “inform and advise their organization about its obligations under the GDPR, monitor compliance with the GDPR, provide advice where requested, and act as a point of contact for the relevant regulator,” Dickinson et al write.
Responsibility for Compliance
While the previous directive made the data controller — sponsor — fully responsible for compliance, GDPR extends this to joint data controllers and data processors, such as CROs, investigators or statisticians.
Co-sponsors, and non-commercial sponsors will also be held to compliance standards under GDPR.
Clinical Research Is a “Special Data Category”
Greg Gogates at Applied Clinical Trials explains how clinical trials have earned the status of “special data category” due to the fact that processing the data is for scientific or research purposes. Additionally, trial patients and data subjects — after being given clear reasons as to what data is being collected and why — provide “explicit consent for the collection of these categories of data.”
Gogates says this unique data category “negates the subject’s right to erasure, or portability which makes sense as clinical data cannot be removed from the dataset without an audit trail as well as that changing the statistical trial outcome.”
The result is that patients can only leave a trial to prevent the collection of more data.
Regardless, GDPR enforces sponsors to be clear about how and why data is being used, and the “intended logistics.” It also binds sponsors to responsibilities and obligations such as data transparency, security and accountability. Additionally, all those working on the trial will need to be appropriately trained to ensure they maintain compliance standards.
Indeed, the new regulations cover “those participating in clinical trials, but also employees, customers, and subcontractors,” Gogates explains.
Pseudonymization and Anonymization
GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.”
This means that pseudonymized data could still be considered personal data if it could “be attributed to a trial participant using other information,” Gogates writes.
Anonymization of data, on the other hand, renders data so that it is no longer personal or identifiable of a specific person.
Further Exceptions For Clinical Research
Kathleen McCarthy at Clinical Professionals advises that there are exceptions to GDPR in clinical research. We’ve touched on anonymized data, but McCarthy adds that “to meet ethical considerations, clinical trial participants should still be kept informed about what is happening to their data even when it is no longer personal data.”
Clinical research is also exempted from the GDPR imperative to minimize the duration that data is retained. It’s common for clinical research records to be kept for 20 years or more, so sponsors will need to ascertain whether they meet the “circumstances exempt from the rules, including archiving processes used in ‘public or scientific interest’, which should include all health research.”
Safety Surveillance and Pharmacovigilance
In the interest of public health or to protect health “data on reported adverse events to medications or devices,” which can include data on the patient, family member or healthcare provider, can be shared without obtaining consent before reporting.
The patient should still be informed after reporting the incident and the “organisation responsible for collecting and reporting this data must still have specific safeguarding measures in place for processing and storage to ensure data security and confidentiality is maintained,” McCarthy explains.
The Purpose Limitation Principle
There is a purpose limitation principle (PLP) under GDPR, Karol Szczukiewicz, regional study manager at Roche in Poland, writes. Essentially, the PLP sets limits on how personal data is processed. It must be “limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current,” he explains.
The problem is that this is not a simple concern in scientific research as it can be difficult or impossible to “fully identify the purpose of personal data processing at the time of data collection,” Szczukiewicz adds.
Another issue is that data is often reused in research. Fortunately, GDPR accommodates patients “giving consent to certain areas of scientific research or parts of research projects.”
Failure to comply with GDPR can result in costly penalties, so trial sponsors should investigate and understand the duties owed to patients. While clinical research enjoys certain freedoms to collect, process and hold data that other fields don’t, the best practice is to seek legal council, appoint a DPO and, as always, treat patient safety, security and privacy as paramount.
Images by: rawpixel/©123RF Stock Photo, Yacobchuk/©123RF Stock Photo, leowolfert/©123RF Stock Photo, rawpixel/©123RF Stock Photo