OnAsset Intelligence
Global Real Time Tracking and Monitoring Solutions for Clinical trials
Eight months in, Nigel Hughes, Scientific Director JCI-PDR, Janssen, examines the ramifications of GDPR on the industry now that the regulation has taken effect.
For those based in Europe, the General Data Protection Regulation (GDPR) came into force across the European Union on May 25, 2018. It is arguably the most significant policy shift in the regulation and protection of individual EU citizens’ digital rights for some time. It has global implications, affecting any organization or entity that holds data, records or information on EU citizens, irrespective of its operational location. For the clinical development community, adherence to date to the Data Protection Directive (GDPR’s predecessor) will help significantly in being compliant with the GDPR, but many aspects will still need to be addressed, and these are explored in this article.
Until 2018, all data, whether in health care or in any other aspect of our society, was protected by the Data Protection Directive (95/46/EC), adopted in 1995. Unfortunately, technology and the use of all types of data are progressing so quickly that this directive is now very outdated. It was also an EU directive, which meant all member states could interpret it nationally, resulting in a fragmented approach across Europe. For many, it left numerous areas difficult to interpret and without sufficient enforceability.
After considerable negotiation, the EU Parliament agreed the GDPR (EU 2016/679) in 2016, with a transition period of two years to support its implementation. As of May 25, 2018, it became enforceable, replacing the prior EU directive.
Although the GDPR is a fundamental update to the prior directive, many things do not necessarily change. A number of aspects of data privacy and security have been clarified and improved, with increased powers for EU citizens, as well as increased responsibilities for organizations generating, storing and/or using personal data. The following is a guide to some of the major changes with the GDPR, but it is not exhaustive. Some aspects are also potentially enforced less, or enforced differently, in the research setting:
For many, the GDPR is a significant step forward in international standards on personal data protection, and it likely will set not just a European, but also a global standard. In saying this, there are still many challenges in interpreting the GDPR and implementing it, and there are likely many organizations currently in breach of regulations as they were simply unprepared as the new rules came into effect. A recent article in The Lancet spoke to the concerns some have in the research community that we have insufficient guidance to date.
Clinical research data will occupy a ‘special status,’ but pseudonymizing data, for instance, may be insufficient for it not to be considered personal data, because of the risk of re-identification through the use of additional datasets. Pseudonymized data would therefore require greater adherence and consent than anonymized data, since anonymization could mean the data is no longer viewed as personal data. The ‘special status’ may negate some individual citizen rights, but guidance must be sought to ensure compliance.
Critically, all organizations of a size to be engaged in clinical research will need to have a Data Protection Officer in place. This role will certainly be a busy one while we await further interpretable guidance and try to avoid expensive precedents should things go wrong. Meanwhile, due to the highly regulated nature of the industry, historical practices have been generally conservative, and as such this is a domain that may actually be less affected by the GDPR.