The EU data protection directive was implemented in 1995. Since that time there have been fundamental changes in both technology and the way we conduct clinical trials. Notably the rise in precision medicine, bioinformatics, cloud computing, mobile data capture, online recruiting, electronic submission, big data, and machine learning have all meant that new data technologies play an incremental role in all aspects of clinical trials. It is only now, however, that EU legislation has caught up with these changes. EU General Data Protection Regulation (EU GDPR) aims to tackle the challenges of new data technologies in the 21st century, while introducing concurrency in data protection rules across the EU and hefty fines for infringement.
What is GDPR?
Similar to the EU Clinical Trials Regulation, which is also set to come into effect in 2018, GDPR creates a work environment that is universal across member states allowing consistency in levels of data security. Each EU member state will establish an independent Supervisory Authority to handle complaints and administrative offences, and multinational organizations can select a lead authority to supervise all the processing activities of the business throughout the EU. There is a larger scope of coverage as the regulation expands to non-EU states handling EU data, as well as stricter and broader definitions for personal data. Some of the over-arching themes include:
- Enhanced rights for data subjects with expansive control over their data and what it is used for
- A stricter set of conditions upon which consent is gained
- Increased accountability of data protection for data controllers as well as data processors
- Privacy impact assessment records, and the adoption of detailed data processing records for both data controllers and processors
- Notifications of data breaches with fines of up to 4 percent (or €20,000)
- A requirement for data protection officers of certain organizations to oversee and implement data security measures
The approach taken by EU GDPR is that of data protection by design and default, and ensures that any organization that makes use of personal data actively applies data security at the core of its processes in order to reduce security risks and confidentiality breaches.
How will the New Regulations impact Clinical Trial Data Management?
New regulations are likely to impact the clinical trial data pipeline at all stages from data collection to management, as well as novel and innovative data processing solutions that rely on genetic data, data linking or machine learning. The process of gaining consent follows the EU Clinical Trial Regulation, though more attention will be needed in consenting trial participants on the data processing involved, as stated in GDPR article 9: “The data subject has given explicit consent to the processing of those personal data.”
With increased accountability, all parties handling and producing data (sponsors, CROs and data processors) have full responsibility for data security, and organizations that handle sensitive data, such as health care data, biometric data or genetic data, will require a Data Protection Officer to oversee compliance with GDPR. Privacy impact assessments are formally recorded to identify the data pipeline and actions taken to ensure data security at any stage where there are gaps. The data pipeline should also include immediate actions and notification to Data Protection Authority in case of breaches. Pseudonymization (defined as the processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information) is recommended as soon as possible, and audits will require an analysis of the effectiveness of processing security.
Though data subjects have the right to erasure and data portability, this can be refused on the grounds of scientific research, so as not to de-power clinical trials. In general, EU GDPR tries to prevent data repurposing that is not implied in the consent procedure, however, per article 6(4), “a researcher may further process sensitive data for research purposes, even if research was not the purpose for initial collection.” In continuation with the current directive this would allow the use of secondary electronic health records for the purposes of medical research.
It is thus clear that although GDPR enshrines extra regulations and parameters to clinical research, the aim is increased confidence in the data pipeline and the passing of data from primary data controllers, to secondary and tertiary data processors. Data security risks will be reduced at all stages of the data management pipeline, improving patient confidentiality, and data subjects should feel more in control of their data.
As organizations adapt to the new processes involved; extra costs, extra manpower, and extra focus on data security, innovation may decrease and research institutes may initially struggle to meet the full expectations of authorities. Non EU data processors, CROs, and sponsors, may initially be reluctant to handle EU Patient and participant data if they do not want to be burdened with the costs of extra regulations and the obligation to appoint a representative in the EU. This is particularly the case in areas that require linkage of multiple data sets, such as from secondary electronic health records, social data, clinical trial data, genetic data, etc. which create an overall picture of the patient suitable for data mining and other explorative analysis of big data ventures.
In time, however, as the dust from GDPR settles, it is likely that confidence in the data protocol becomes more recognizable, consistent and efficient, and thus will facilitate, rather than hinder the data pipeline production and new data products that involve innovative technologies.
Big Data Research Engineer