The General Data Protection Regulation (GDPR) sets forth a number of key changes to the EU Data Protection Directive and several principles relating to enhanced rights for individuals who are data subjects, as well as authorities tasked with enforcement. It stipulates that personal data needs to be processed “lawfully, fairly, and in a transparent manner in relation to the data subject”.
The GDPR, which comes into force on May 25, will have massive implications for any company that collects and processes data from anyone from the European Union.
The impact of the GDPR on clinical and biomedical research, an industry where big data is becoming increasingly important, will be felt worldwide. Any organization that does not comply may face heavy fines.
The impact on clinical trials
While health data was already classed as “sensitive” and subject to tighter conditions for processing compared to other types of personal data (e.g. contact details), the GDPR has broadened the category to include biometric and genetic data and introduced new compliance requirements for such data.
Pseudonymized data, i.e. data where a key is held so it is (theoretically) possible to re-identify patients using “anonymous” patient codes, is now also considered a form of personal data and will have to be protected accordingly. In reality, confidentiality and data security provisions were already applied to such data in the context of clinical trials.
Direct-to-Patient services, a patient-centric approach to clinical supplies, will also be affected as companies in charge of the product distribution collect, store and process patients’ personal data, including health data.
As clinical trials involve the processing of sensitive personal data, the sponsor will need to carry out a data protection impact assessment both for trials that commence now and for those that started before the GDPR was applicable. Controller and processor organizations involved in running clinical trials (e.g. sponsors, CROs and investigators) will most likely need to appoint a data protection officer. In addition, all organizations involved with clinical trials must safeguard the documentation giving consent and recording the steps taken to comply with the GDPR.
Challenges for biobanking
GDPR will have a significant impact on biobanks as they collect, store and/or process human biological material in combination with other forms of personal data (sometimes initials, sex, date of birth…), including sensitive data such as genetic and health data. Companies providing biosample management services, in particular, will therefore be required to implement organizational and technical measures in order to ensure GDPR compliance.
It is important to note that while data subjects (i.e. patients and participants contributing their data or samples for research) have a number of rights against controller(s) and processor(s), a number of these rights may be subject to limitations in the context of scientific research in certain cases:
- Data storage limitation: Storage limitation can be modified and personal data can be stored for longer periods provided that the data will be processed solely for scientific research purposes in accordance with the provisions of Article 89(1) of the GDPR.
- Compatibility of use: The GDPR retains the presumption of compatibility of use for research purposes, thereby enabling further processing for scientific research purposes of personal data initially processed for a different purpose (provided that there is a valid legal ground for the initial processing).
- Potential exemptions to various data subject rights: Exercising these rights may render impossible or seriously impair the research, in which case such derogations may be necessary. A number of these exemptions may directly apply on a case-by-case basis, while others will have to be provided by EU or Member States law.
With facilities in the United States and Europe, CSM has extensive experience in handling sensitive data for companies engaged in international studies and global clinical trials and ensuring that they are GDPR compliant.
Do you want to learn more about the impact of GDPR and other EU regulatory changes on your clinical trials? In this presentation, Philippe Van der Hofstadt, EU President at CSM, explains what you need to do to stay compliant and successfully manage your trial in the EU.