In Europe, the General Data Protection Regulation (GDPR) is the gold standard for protecting the privacy of all EU individuals across all industries and sectors, in both public and private organisations. Because its reach is so broad, understanding how the GDPR applies to pharma data-processing activities can be confusing, making compliance challenging, especially when your clinical research crosses international borders.
Are you a non-EU small to medium-sized pharma or biotech enterprise in the early stages of planning a clinical trial in the EU?
Perhaps you’re a US clinical trial sponsor in the process of applying for trial approvals in Europe but are unsure how the GDPR applies to you.
This article provides an overview of the GDPR, explaining how it can impact your clinical trial in the EU and why early compliance is important.
What is the GDPR?
The European Union’s General Data Protection Regulation (EU GDPR or GDPR) is a data privacy law that came into effect in 2016. All organisations within its scope had to comply from May 25, 2018. The GDPR replaced the original EU Data Privacy Directive (EU 95/46/EC), which established minimum data privacy and security standards back in 1995.
The EU General Data Protection Regulation is the world’s toughest privacy and security law. It is a large, broad, and far-reaching regulation designed to give EU individuals more control over how their personal data is collected, used, stored and protected. It also binds organisations to strict rules about using and securing the personal data they collect, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.
Since leaving the EU, the UK has adopted the GDPR in domestic law as the UK GDPR. It has been adapted for the UK’s legal system and forms part of its data protection landscape alongside the Data Protection Act 2018 (DPA 2018).
Does the data protection law apply to the pharmaceutical industry?
Yes. The GDPR is a general law that encompasses all industries and sectors, covers a wide scope of processing operations, and has a broad definition of what constitutes processing personal data. It contrasts, for example, with the US data protection framework, in which there is no general federal legislation but a sector-specific approach, e.g., separately regulating children’s privacy and health privacy. In addition, the US has state statutes, such as the California Consumer Privacy Act (CCPA), that impose restrictions and obligations on businesses collecting, using and storing data from residents in a particular state.
If this is the first time you have needed to comply with the GDPR, applying it in a pharmaceutical data protection context, with pharma or biotech working practices, can be confusing, making compliance challenging.
Does the GDPR apply to SMEs?
The simple answer is yes. The application of the GDPR depends on the nature of your activities rather than on the size of your organisation. However, some of the obligations under the Regulation may not apply to all SMEs. Therefore, you must understand how to apply it to your individual circumstances.
Does GDPR apply to companies, research organisations or clinical trial sponsors outside Europe?
The GDPR affects how companies must protect EU user data across the globe.
The earlier EU Data Privacy Directive only applied to organisations physically based in one or more EU member states. However, the GDPR goes further, affecting any organisation that controls, processes or monitors data on EU residents regardless of whether they have an EU presence.
For example, a US research company wanting to run a clinical trial in France must ensure it complies with the EU GDPR as early in the clinical trial application process as possible, if not before. It even has to formally state its compliance with data privacy obligations prior to being granted trial approvals.
How does GDPR impact your European clinical trial?
The pharma and biotechnology industries worldwide already operate within a highly regulated environment, complete with laws, regulations, guidelines, and industry standards relating to patient safety and privacy. Safely handling sensitive personal data related to clinical trials is second nature.
However, in the pharmaceutical products and devices sectors, particularly in clinical trials data protection, there is still some confusion about how the GDPR applies to these data-processing activities, not least because, even if there is some overlap with clinical trial regulations, the GDPR has many different requirements.
Setting up a clinical trial may take 6-8 months. But the GDPR applies the moment you start collecting and processing personal data from anyone in Europe, including information about staff at your Contract Research Organisation (CRO) and other vendors. Perhaps you’re recruiting investigator sites or starting to put agreements and contracts in place – these activities process personal data and fall within the scope of the GDPR.
Building GDPR compliance into your planning early is vital – long before you start recruiting patients or processing highly sensitive and confidential trial data. This category of ‘special personal data’ must meet even higher standards for GDPR compliance and is not something you can tackle legally after the fact.
If you comply with HIPAA and the EU Clinical Trials Regulation, does that mean that you comply with the GDPR?
Clinical trials are already highly regulated activities, and some of these regulations may overlap or even contradict the GDPR. It’s important that the Regulation is applied in the context of your pharma or biotech business and the personal data that you collect, use, and store.
In the U.S., you may be used to complying with the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH), but this does not make you automatically compliant with the GDPR. And the same applies to the EU Clinical Trials Regulation (CTR).
Is patient consent for clinical trial participation the same as GDPR consent?
Clinical research organisations are well-versed in the importance of informed patient consent as an ethical standard and legal obligation when recruiting patients for clinical trials. But consent to participate in a clinical trial is not the same as consent to processing one’s personal data. You need an additional lawful basis to process clinical trial data.
Building data privacy consent efficiently and logically into clinical trial consent can present a challenge for large projects and clinical programmes, which may include ongoing studies and data from trials consented to in the past.
Does your clinical trial use pseudonymised data?
Anonymisation removes direct and indirect personal identifiers that may lead to the identification of an individual. Once data is genuinely anonymised, and individuals are no longer identifiable, the data will no longer fall within the scope of the GDPR.
However, pseudonymisation replaces one or more personal identifiers with a pseudonym (a name or value) or, in the case of clinical trials, with a subject code, which prevents the direct identification of the individual without the use of additional information or a key. In the clinical trial context, we still collect personal identifiers out of necessity, e.g., date of birth, gender, or ethnicity. Therefore, pseudonymised data could still be attributed to a trial participant using other information and is thus still considered personal data under the GDPR.
Are you a pharmaceutical products or medical devices business concerned about the costs of implementing and maintaining GDPR compliance?
Implementing and maintaining GDPR-compliant clinical trials is a much smaller expense than the potential financial sanctions that can be levied if you ignore compliance requirements.
Non-compliance attracts heavy penalties of up to 4 per cent of an organisation’s global annual revenue or €20 million, whichever is higher. This includes not only fines but also enforcement action, where the penalised organisation will be under strict supervision as it addresses areas of non-compliance.
Not to be underestimated is the real possibility of a loss of productivity and money through the disruption or discontinuation of your clinical trial while you scramble to achieve retrospective compliance.
Non-compliance also puts you at risk of a data security breach and, consequently, potential claims by data subjects seeking compensation for damages. Of course, there are also the possible adverse effects of loss of trust and reputational damage, with unquantifiable long-term impact on attracting new research/business partners or on recruiting patients.
What steps can you take to ensure GDPR compliance?
Are you a clinical, regulatory affairs, or quality and compliance professional who understands data privacy and protection regulations in your own country but needs help applying the GDPR to your European data-processing activities?
Compliance with the GDPR is a significant undertaking, particularly for specialty pharma and biotech companies with limited resources. Perhaps your organisation doesn’t have in-house legal counsel or the time, knowledge or experience to tackle the GDPR. It’s essential to identify a trusted partner – a data protection consultancy – who can help ensure that all aspects of your business comply with the most recent data privacy and protection regulations.
We at Pharma Data Protection are a team of specialists in both GDPR-compliant clinical trials and data protection who are passionate about providing pharmaceutical research worldwide with the tools, assistance, and expertise needed to safeguard data subjects’ privacy and ensure maximum GDPR compliance.
Thanks to our combined expertise, we pragmatically apply the GDPR legislation and support you in making the necessary changes to policies, documentation, and processes.
Like the GDPR, which promotes a risk-based, rather than a prescriptive, approach to protecting privacy, our Pharma Data Protection consultancy aims to deliver GDPR compliance solutions that work for you, tailored to your pharma working practices.