How the EU General Data Protection Regulation (GDPR) Affects Drug and Device Manufacturers

On May 25, 2018, the General Data Protection Regulation (GDPR), the most stringent data privacy law in the European Union’s (EU) history, went into effect. The new legal framework was designed to protect individuals in the EU from privacy and data breaches by requiring improved security, transparency, accessibility and accountability from the organizations that collect the data.

GDPR affects all organizations and public bodies, including sponsors, investigators, CROs and vendors, regardless of location, that handle personal data of EU citizens. This means US life science companies will need to comply with GDPR if their clinical data originates from the EU. Personal data is defined as any information that can identify an individual. These data include traditional forms of identification such as names, phone numbers, email addresses and full-face photographs as well as newer identifiers such as cookies left by the computer, social media profiles, genetic data and biometric data. The GDPR also covers metadata without an obvious identifier.

How Are Sponsors and CROs Affected?

The GDPR provides additional rights to individuals concerning their personal data and places stronger documentation and compliance requirements on “data controllers” and “data processors.” Under the previous regulation, clinical research sponsors were the “data controllers” that determined the purpose and means of processing personal data. The sponsor therefore was wholly responsible for ensuring its practices adhered to the rules governing patients’ data privacy. The GDPR, however, spreads that responsibility to processors, which may include clinical investigators and CROs, who must work with the sponsor to handle personal data and take steps to adhere to the new guidance.

Additionally, Article 27 of the GDPR requires clinical research sponsors not located in the EU to designate a data protection representative in one of the EU Member States where the clinical trial is conducted. Article 37 requires controllers and processors to designate data protection officers as well. A data protection officer may also act as the sponsor’s data protection representative.

Moreover, the GDPR addresses how personal data is transferred out of the EU. When a sponsor transfers data from EU citizens to areas outside of the European Economic Area (EEA), it must protect that data in the same way it protects data that stays within the EEA. To meet this requirement, sponsors located outside of the EU may need to execute Model Clauses approved by the EU, or if they are located in the United States, they may choose to comply with the Privacy Shield Principles. Additionally, when individuals consent to providing their personal data to a sponsor, along with notifying the individual of his or her GDPR data protection rights, the consent form must notify the individual that his or her data is being sent outside of the EU. The consent form must also clearly state that a patient can withdraw their consent at any time.

The guidance also draws a new focus to controller accountability. In accordance with GDPR, controllers must be able to:

  1. Keep a record of all data processing, including how the data was processed, used, and/or disseminated and maintain evidence of compliance.
  2. Provide mechanisms for capturing, storing and managing consents, and when consent is required, to validate and show evidence of compliance.
  3. Ensure their data protection officers are proficient at managing IT processes and data structures and will proactively review technology systems.
  4. Embed privacy into their design from the start (“privacy by design”) and offer options in which the privacy setting is the highest as default (“privacy by default”).
  5. Retrieve an individual’s data in a structured and commonly used electronic format and show evidence of its removal or restriction on demand.
  6. Track when personal health data is no longer valid and show evidence that these data have been appropriately archived.
  7. Keep a record of all data processing.
  8. Identify data breaches and notify authorities within 72 hours of discovery of a data breach if it is likely to result in a risk for the rights and freedoms of the individual.

Organizations that are in non-compliance with these rules by May 25, 2018 face significant fines of up to 4 percent of their worldwide revenue for the preceding year, or €20 million, whichever is greater.

Novella’s Steps Toward Compliance

Novella Clinical has engaged with regulators to understand how the GDPR will be interpreted and worked with both internal and external experts to prepare for its implementation. Novella’s parent company, IQVIA™, formed an internal steering committee to help interpret GDPR requirements and apply them to the business in such a way as to penetrate the entire global organization on multiple levels.

IQVIA began working with legislators and data protection authorities on GDPR in April 2016, long before its first adoption. At its inception, the steering committee worked with authorities to help them understand how data was being used and how it was protected to inform initial legislation. After the first adoption, monitoring of how companies were interpreting and implementing GDPR compliance continued, and discrepancies were noted where they arose.

The GDPR requires contracts between the controller and processor of personal data to document the specific requirements regarding handling of personal information, which may include: data flow, maintenance, storage, sub-processors and transmittal methods. Informed consent forms will need to include appropriate notifications to the individual about how their personal data collected for the clinical trial will be processed and protected. Novella has developed contract templates and informed consent forms that address GDPR requirements.

For example, in recruitment management services (RMS), when advertising campaigns are executed in the EU and personal data is captured, Novella and its vendors have project-specific solutions in place to address GDPR requirements.

The internal steering committee is responsible for auditing current systems and addressing any changes to comply with the GDPR. Implementation work streams were created to ensure no overlap or gaps in ownership of GDPR readiness. These work streams include 170 implementations across the organization. The committee also monitors activities of EU Member States to the extent that the GDPR is subject to interpretation at the state level.

Novella and IQVIA take data privacy seriously and are working diligently to ensure continued compliance with applicable data privacy regulations. We are confident that our existing practices provide a strong foundation upon which to build any further GDPR compliance activities.

For more information on Novella’s compliance with GDPR, please read our privacy statement.
