For those based in Europe, the General Data Protection Regulation (GDPR) became applicable across the European Union on May 25, 2018. It is arguably the most significant policy shift in the regulation and protection of individuals' digital rights for some time. It has global implications, affecting any organization or entity that holds data, records or information on people in the EU, irrespective of where that organization operates. For the clinical development community, adherence to date to the Data Protection Directive (GDPR's predecessor) will help significantly in complying with the GDPR, but there are many aspects that will need to be addressed, and these are explored in this article.
Until 2018, personal data, whether in health care or in any other part of society, was protected by the Data Protection Directive (95/46/EC), adopted in 1995. Technology and the use of all types of data have progressed so quickly that this directive was already badly outdated. Because it was an EU directive rather than a regulation, each member state transposed it into national law in its own way, leading to a fragmented approach across Europe, numerous areas that were difficult to interpret, and insufficient enforceability.
After considerable negotiation, the EU Parliament and Council adopted the GDPR (Regulation (EU) 2016/679) in 2016, with a transition period of two years to support its implementation. As of May 25, 2018, it became enforceable, replacing the prior directive.
What does this mean for EU Citizens, and for Research and Development?
Although the GDPR is a fundamental update to the prior directive, many things do not necessarily change. A number of aspects of data privacy and security have been clarified and improved, with increased rights for individuals and increased responsibilities for organizations generating, storing and/or using personal data. The following is a guide to some of the major changes under the GDPR, but it is not exhaustive. Some aspects also potentially apply less strictly, or are enforced differently, in the research setting:
- Consent: This has been significantly strengthened. Anyone asked to share their personal health data must be asked in plain, understandable language, and the organization must be able to demonstrate that consent was given with an understanding of the process and its implications. It must also be easy to withdraw consent at any time, though there may be some restrictions on the need for consent, or on the ability to withdraw it, for example in research; such restrictions must be agreed with the relevant authorities in the organization and the EU country concerned. Overall, it must be clear to any data subject what their data is being used for (lawfulness, fairness and transparency). Compliance with the GDPR may well accelerate the adoption of e-consent, which is perhaps more adaptable than paper and also facilitates further harmonization across the industry
- Purpose Limitation: Any data collected must be used for a specific purpose, and for no other purpose without further consent. The GDPR provides that further processing for scientific research purposes is not considered incompatible with the original purpose, so research data can be re-used without breaking this rule; this is one example of the 'special status' given to research
- Data Minimization: Any personal data collected must be relevant and limited to what is necessary for the purposes consented to. For instance, in a study, data collection may only cover the information that meets the study goals, not unconnected areas that do not serve the purposes of that research, and again that collection must be consented to. Specific rather than global consent will probably become the norm in academic and pharma research
- Accuracy and Right to Access: Any personal data collected must be accurate, and individuals now have the right to ask for copies of the data stored about them and to request that mistakes or incorrect data be corrected. This could be as simple as a mistaken address, or more complicated, such as an error in a medical record. All personal data must be stored so as to protect its confidentiality and its integrity (accuracy and consistency)
- Portability: This allows personal data to be transferred between organizations, or to the individual, on request, which is very important in giving the individual greater control. Personal data is already routinely shared for health care reasons under professional secrecy, for example between different specialists managing a patient's care
- Right to be Forgotten: Any individual can now request the erasure of certain data. This could follow the withdrawal of consent, the end of a study, or, where the data is in the public domain, a need to protect their rights or privacy. Storage of data is also limited by the purpose limitation, so it cannot be kept indefinitely unless there is prior agreement and consent or another legal requirement. This is a vexed issue for many, as it may conflict with, for example, regulatory authority requirements for data retention, and it is no doubt being deliberated on by most industry legal and privacy experts
- Accountability: There are many more responsibilities for anyone, or any organization, that determines how personal data is used (Controllers) or that processes it on a controller's behalf (Processors), including being able to demonstrate compliance with the GDPR. If there is a personal data breach, there are clear obligations to notify the supervisory authority (within 72 hours where feasible) and, where the breach is likely to result in a high risk to individuals, to inform those individuals of what went wrong
- Penalties: For anyone getting this wrong and failing to protect personal data, there are now considerable consequences, both to their public reputation and financially, with administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher
Despite GDPR Being a Step Forward, Significant Challenges Remain
For many, the GDPR is a significant step forward in international standards on personal data protection, and it is likely to set not just a European but a global standard. That said, there are still many challenges in interpreting and implementing the GDPR, and many organizations are likely currently in breach simply because they were unprepared when the new rules came into effect. A recent article in The Lancet spoke to the concern in parts of the research community that there is insufficient guidance to date.
Clinical research data will occupy a 'special status', but pseudonymizing data, for instance, does not take it outside the definition of personal data, because re-identification remains possible by combining it with additional datasets; such data therefore still requires the full protections and consent. Only genuinely anonymized data, which cannot be attributed to an individual, falls outside the scope of the GDPR. The 'special status' may limit some individual rights in the research context, but guidance must be sought to ensure compliance.
Critically, any organization processing health data on the scale involved in clinical research will need to have a Data Protection Officer in place, and this role will certainly be a busy one while we await further interpretable guidance, and while organizations try to avoid setting expensive precedents should things go wrong. Meanwhile, due to the highly regulated nature of the industry, historical practices have generally been conservative, so this is a domain that may actually be less affected by the GDPR than others.
- McCall B. What does the GDPR mean for the medical community? The Lancet 2018; 391 (10127): 1249-1250.
- European Patients Forum. The new EU Regulation on the protection of personal data: what does it mean for patients? Accessed online 24 April 2018.