Happy Anniversary, GDPR – Part 1

One full year after the General Data Protection Regulation (GDPR) became effective in May 2018, knowledge of the regulation has become more widespread; however, there are still some areas of positioning and interpretation that organizations conducting clinical research need to fully understand and implement.

Many of the premises of GDPR have been practiced for some time by life sciences product companies; however, some of the specifics and controls are new. Briefly, I’ll try to walk through some of the basics and follow up in other posts. I’ve outlined these based on the articles of the regulation. I’m paraphrasing and abbreviating the regulation for quick reading. I’ll cover some of the later content of the regulation in a future post; that content has to do with transfers of data and cooperation with the Supervisory Authorities. As with every regulation, it’s advised that you engage an experienced group of people to formulate and review your compliance program. The regulation is designed to protect all personal data, and there are intricacies of clinical research that the regulators are attempting to accommodate without compromising the spirit and specifics of the regulation. In the next post I’ll specifically cover some of the more interesting considerations for research data. For access to an excellent reference version of the regulation, you can go here: https://gdpr-info.eu/

Article 6 – Legal basis for collecting data – The collector and holder of the information has to have a legal right or business purpose for collecting the information. In the case of clinical research, this principle is satisfied by informed consent, which is traditionally the way research information has been collected. Adjustments to traditional informed consents are (usually) required to satisfy GDPR requirements. Other sound legal bases include the data being required to meet regulatory or legal obligations, or its collection and use by the controller being in the vital interest of the subject. Informed consent is usually the primary legal basis for collection of data for clinical research.

Article 7 – Informed Consent – Although informed consent is only one of six legal bases for collecting information from subjects, it’s the legal basis for most clinical research conducted by health researchers. Informed consent must be clear and freely given, must clearly state the use of the data and its purpose, and must be confirmed in writing by the subject/patient. This is not new; however, the bar for GDPR informed consent is a bit higher with respect to describing the specifics of how a subject can inquire about their data use and location(s). Article 7 also provides for the right of the patient to withdraw his/her consent at any time. I’ll cover how this is being respected in my next post.

Articles 12-22 – Rights of the Data Subject – Subjects have the right to access, review and correct any data collected. They also have the right to know where data about them is held, even when that data was not provided by them. In a research setting these rights are usually honored by supporting and encouraging communication with the site/physician/researcher(s) who directly collect the information and are generally responsible for its accuracy. We’ll come back to the challenges here as well in the next post.

Articles 24-43 – Controllers and Processors – There is a lot of meat in this section of the regulation (Chapter 4), which outlines the requirements for the data protection and security program for research organizations, both the sponsor and all parties involved. An underlying theme throughout this chapter and these articles is that ignorance is not an excuse for lapses in compliance. Ultimately, everyone collecting (the controllers) and processing (the processors) the data is responsible for data security and for maintaining privacy in an ecosystem that is documented and maintained by trained individuals. Many of the controls have been in place for sponsors and their partners; however, GDPR clarifies several requirements for hand-offs, data tracking and accountability. There are some specifics that need to be mentioned here, even as an overview:

  • Each sponsor and its partners are defined as controllers and/or processors. There are common responsibilities; however, the controller(s) carry more accountability, as they are the legally established principal research organization.
  • Organizations are required to conduct data protection impact assessments (DPIAs), which effectively means walking through your processes and systems to assess compliance, weaknesses and areas of vulnerability. These are ongoing, as partners, processes and systems change, are introduced or are retired.
  • GDPR requires the appointment of a trained Data Protection Officer (DPO), who is the overseer and escalation point for the compliance program and any issues that arise. A DPO ensures compliance, but the entire organization, including partners, is responsible for GDPR compliance.

The remaining chapters and articles are important as well; however, I’ll cover these later. They address oversight of the regulation, reporting and review of programs, reported incidents and remedies. While these include a lot of information that the DPO and organization should understand, the establishment and maintenance of the GDPR compliance program comes first and should be the priority.
