What is a Data Protection Impact Assessment, and why is it a requirement of GDPR?

A GDPR Data Protection Impact Assessment (DPIA) is a process to help you systematically analyse, identify, and minimise the data protection risks of a particular project or plan. A DPIA is required under the GDPR any time you begin a new project that involves a high risk to data subjects’ personal information. It is mandatory for large-scale processing of special category personal data, e.g., health information in a clinical trial.

Under the GDPR, data protection should be built into the project design. Companies are encouraged to implement technical and organisational measures (TOMs) that safeguard privacy and data protection early in the creation of processing operations. This principle is better known as ‘privacy by design’.


One of the most important ways to demonstrate to authorities that your organisation has implemented the necessary TOMs and complies with the GDPR is to prepare a Data Protection Impact Assessment (DPIA) for each high-risk data processing activity.

This article explains when to conduct a DPIA, provides an overview of the steps undertaken during a DPIA, and describes how a GDPR compliance consultancy can support you through the process.

When do you need to conduct a Data Protection Impact Assessment?

A DPIA is required under the GDPR any time you begin a new project or change an existing project, where the processing of personal data involves a high risk to the rights and freedoms of data subjects. Thus, the DPIA must be carried out before starting a processing activity and when one is changed. Most importantly, a DPIA should be conducted when it can still make a positive difference to the project.

However, a DPIA is not a one-off, tick-box exercise: it is a ‘living’ process and should be regularly reviewed and updated to include changes to the activity, continually managing the risks your processing may pose to individuals.

But what types of data processing activity fall into the ‘high risk’ category?

Neither the EU GDPR nor the UK GDPR explicitly define ‘high risk’ or ‘risk’, but they do illustrate the potential impact, damage or distress (whether physical, emotional or material) that your data processing may cause, which could be considered a ‘risk’.

For example, where processing could cause:

  • significant economic disadvantage or financial loss, such as identity theft or fraud
  • social disadvantages, such as discrimination or reputational damage
  • inability to access services or opportunities
  • physical restrictions or harm, such as not being able to maintain their own physical space
  • inability to exercise control over their data, and loss of confidentiality, e.g., where sensitive information is revealed or evaluated

Thus, it is easy to understand that the following conditions would require a DPIA*:

  • using innovative technologies (e.g., artificial intelligence and machine learning)
  • tracking people’s location or behaviour (e.g., online or in your workplace)
  • systematically monitoring a publicly accessible place on a large scale
  • processing special category/sensitive personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (e.g., scientific research activities including clinical trials)
  • using data processing to make automated decisions about people that could have legal or similarly significant effects on the data subject (e.g., mortgage or insurance applications)
  • processing children’s data
  • processing data that, if leaked, could result in physical harm to the data subjects (e.g., social care records)

*Adapted from https://gdpr.eu

This list is not exhaustive, and it is important to remember that it is the data controller’s responsibility to assess any proposed processing activities and determine whether a DPIA is required (see below).

Best practice would be to conduct a DPIA whether the processing activity presents a high risk or not, thus ensuring you have considered all aspects of data security and privacy for GDPR compliance in your organisation. Failure to adequately complete a DPIA where required constitutes a breach of the GDPR and could lead to sanctions and financial penalties (see below).


Why do you need a DPIA for clinical research in Europe?

The EU GDPR affects any organisation that controls, processes or monitors data on EU residents regardless of whether the company has an EU presence (similarly for UK residents and the UK GDPR). Thus, clinical trials conducted in Europe fall within the scope of the GDPR.

Under the GDPR, a DPIA is mandatory for companies that process special category/sensitive data (e.g., health data).

There are many benefits to conducting a DPIA and not just the obvious one of avoiding fines and sanctions, but let’s look at those first.

  • Failing to conduct a DPIA in line with the EU GDPR’s requirements can lead to a fine of up to €10 million (£8.75 million under the UK GDPR) or 2% of the annual global turnover of the preceding financial year, whichever is greater.
  • Conducting the DPIA is also part of meeting other GDPR obligations, most notably the ‘accountability principle’ (being able to demonstrate compliance). Controllers that fail to meet it can face a regulatory fine in the higher tier, the greater of €20 million (£17.5 million under the UK GDPR) or 4% of the annual global turnover of the preceding financial year. The Information Commissioner’s Office (ICO) and EU supervisory authorities also have the power to apply other measures.

There are other benefits to conducting a DPIA which can have a direct positive impact on your business, including:

  • saving your organisation time and money by identifying problems early on
  • reducing project and operational costs by minimising the amount of data collected and optimising processes
  • reassuring patients, customers, partners and employees that you can be trusted to protect their data and privacy and have done what you can to minimise any negative impact on them
  • improving your organisation’s credibility in the eyes of potential or existing customers, partners and investors, building strong relationships. To this end, the ICO suggests publishing your DPIAs to improve transparency.

It is also worth remembering that conducting a DPIA helps raise employees’ awareness of the need to monitor and address data protection and privacy. This in turn helps you meet other GDPR requirements (such as ensuring data protection by design and default) and prevents data breaches caused by human error.

Who is responsible for completing the DPIA?

When processing personal data for clinical trials within the EU or UK, the sponsor is responsible for completing the DPIA as they are considered the data controller. If you have a data protection officer (DPO) in-house or outsourced, they can undertake the DPIA for you, especially if they have experience conducting DPIAs for clinical trials.

Pharma or biotech companies that regularly sponsor research projects or aim to in the future should conduct their DPIA at the level of the Quality Management System rather than on a trial-by-trial basis. It is then easier to assess individual studies against the requirements of the DPIA, making minor adjustments or adding trial-specific DPIAs as necessary. This method ensures that all clinical trials are GDPR compliant and that data processes operate based on data protection by design, including proper consideration of research-specific needs.

Who is consulted as part of the DPIA?

If your DPO is not conducting the DPIA, they should be consulted during the process, and their advice recorded in the DPIA documentation. You should also involve any information security staff, joint controllers and processors. This includes the investigational site/CRO, cooperating CRO, principal investigator and co-investigator.

What steps are involved in completing a DPIA?

The DPIA assesses initial risk, mitigations, and residual risk. Technical and organisational measures (TOMs) to protect personal information are reviewed and recommendations made for improvements. The steps are:

  1. Describe your processing activities (nature, scope, context and purpose).
  2. Consult relevant parties and stakeholders (identify controller, joint controller, processor relationships and their roles).
  3. Assess necessity and proportionality (lawful basis, data quality and minimisation, international data transfers).
  4. Identify and assess risks to data subjects.
  5. Identify current and new technological and organisational measures to mitigate risks.
  6. Identify residual risks once TOMs have been implemented.
  7. Review, update or repeat the DPIA, especially if there are substantial changes to the nature, scope, context or purposes of your data processing.

Are you a pharma or biotech clinical trial sponsor looking for a pharmaceutical data protection consultancy to guide you through the stages of a DPIA?

Our specialist team at Pharma Data Protection can help you.

If this is the first time you have needed to comply with the GDPR, applying it in a pharmaceutical data protection context, with pharma or biotech working practices, can be confusing, making compliance challenging.

The GDPR provides no specific guidance on how to complete a pharmaceutical DPIA for clinical trials. A DPIA is an extensive and often daunting document to draft, particularly for those new to GDPR compliance or who have not undertaken one before.

Undertaking a DPIA is a routine activity for us. We take a ‘category’ approach to preparing a DPIA, i.e., we assume clinical trials are essentially one processing category and thus do not require individual DPIAs. Instead, we support you by designing a comprehensive DPIA that covers all clinical trials and has input from multiple disciplines within your organisation, including IT, clinical operations, and quality operations. Then we update the DPIA as each new trial comes along; we can also provide ad hoc regulatory GDPR compliance support.

We have developed comprehensive screening checklists based on years of pharma industry knowledge and experience applying the GDPR in the context of your working practices and research needs. Our checklists ensure we address all aspects of the GDPR, overlooking nothing.

We partner with you to prepare your DPIA before you begin processing data, ideally before or during the early stages of planning your clinical trial. A comprehensive DPIA before you start processing data can save your organisation time and money once your clinical trial is underway.
