Clinical Researcher—February 2019 (Volume 33, Issue 2)
Esther Daemen, MBA; Tine Wouters, MSc
The General Data Protection Regulation (GDPR) (2016/679) brought about the greatest change to European data security in 20 years. Applicable since May 2018 and repealing the Directive 95/46/EC, GDPR intends to strengthen and unify data protection for individuals within the European Union (EU).
All industries and sectors are bound by GDPR to re-think their privacy policies and data protection measures. Businesses that conduct clinical research—and as such handle “personal data” and, even more importantly, “sensitive personal data”—are expected to meet standards of heightened vigilance for compliance with the data protection legislation, as the collection of the latter is forbidden under GDPR unless a valid legal basis for its collection and explicit consent from the pertinent subjects can be provided. Scientific research is fortunately one of the exceptions that allows for the collection of such data under these strict conditions.
Key changes in GDPR from the previous Directive and related local legislation have to do with language touching on “increased subject rights” (the rights to access, correct, and restrict data and to object to its processing; the right to be forgotten; explicit prior consent; data portability; breach notification; transparent plain language), “high fines,” “data minimization,” “privacy by design,” “Data Protection Impact Assessments,” and “Data Protection Officers.” However, which actions need to be taken for a clinical research project to be GDPR compliant? Is this covered by merely updating the informed consent form (ICF) and being done with it? Not so. Protocols and Clinical Trial Agreements (for sites and vendors) also need adjustment, and the assignment of an aforementioned Data Protection Officer should be considered, as applicable.
Protocols should refer to the new legislation and to the trial’s specific ICF. Protocol designs should avoid the collection of data not linked to the trial’s endpoints, and should be set up so as to prevent data breaches. Further, Clinical Trial Agreements should clearly describe “Data Processor” and “Data Controller” responsibilities, considering to what extent a joint controllership exists between the sponsor and the site regarding a subject’s right to request access to data collected on them in a trial.
Data Protection Officers should be assigned within an overall company as well as at research sites, as applicable, to ensure the organization applies the laws protecting individuals’ personal data independently of management. Detailed information must be kept on the categories of subjects involved in a trial, their individual trial-related data, and the purpose and duration of the data processing required to complete the trial.
Both site and sponsor sub-contractors must comply with GDPR. The current data protection clause of any contracts with vendors should therefore be revised by the organizations’ legal departments.
This is only a rough outline of the impact of GDPR on clinical research. Each affected clinical research company is required to do a thorough Data Protection Impact Assessment before any trial commences to ensure full compliance.
As examined in the following section, GDPR can also apply to trial conduct in the U.S.
Impact for U.S. Companies Conducting Clinical Research
- When the trial subjects are in the EU, GDPR applies.
This means that when a U.S. sponsor is processing data from subjects within the EU, GDPR mandates are to be followed. Sponsors should nominate in writing a representative within the EU who fulfills their responsibilities with regard to GDPR. (Even if subjects within the EU are not EU citizens, if data were collected on them while they were within the EU, this rule applies.)
- When the sponsor is in the EU, GDPR applies.
When data on EU citizens is processed by a U.S. vendor, GDPR applies. Further, an EU sponsor might collect and process data from U.S. subjects; in this case, GDPR also applies, even when there are no subjects within the EU.
- When the sponsor is in the U.S., it should carefully assess GDPR compliance.
If the U.S. sponsor has offices in the EU involved in some aspects of the trial, then they may be considered as established in the EU, and GDPR would apply.
Overall, if the clinical trial is intended to support a market authorization filing in the EU, this implies data-processing activity taking place in the EU for the purpose of data submission, and therefore GDPR applies.
Lastly, if a contract research organization established in the EU is part of defining the purpose of a clinical trial, it is considered a joint-controller, and thus GDPR applies.
What about transferring data between EU and U.S.?
Once an organization has established that GDPR applies to its clinical trial, it needs to ensure it has permission to transfer personal data to and from the U.S. Under GDPR, the U.S. is considered a “third country,” meaning a country outside the European Economic Area. As such, the U.S. is not considered a country for which EU-related transfer of data is allowed without further due diligence, possibly including registration by a U.S. company with the so-called Privacy Shield framework between the EU and the U.S. and/or demonstration of appropriate safeguards being in place through binding corporate rules.
GDPR and HIPAA: What is the Difference?
Compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) does not automatically mean compliance with GDPR. In a nutshell, GDPR has a broader scope than HIPAA, and does not deal exclusively with health information. The two schemes also have different metrics for determining Protected Health Information. In HIPAA, this is any demographic information that can be used to identify a patient. In GDPR, this also includes racial or ethnic origin, religious beliefs, biometric or genetic data, and any data concerning health. Only for the latter is there some overlap between HIPAA and GDPR.
Furthermore, GDPR potentially applies to all international organizations that handle personal data of residents within the EU by setting standards for entire industries that deal with personal data, whereas HIPAA only applies to the relationship between covered entities and business associates.
A sponsor (controller) and vendor (processor) cannot avoid GDPR simply by being based in the U.S. They must perform a legal assessment based on the specific context of their activities and territorial business and organization, to determine whether GDPR applies before the start of a clinical trial. HIPAA and GDPR have some overlap, but are not the same, hence additional or other safeguards are needed to ensure compliance with both.
Esther Daemen, MBA, (firstname.lastname@example.org) is Quality and Training Director/Data Protection Manager for TRIUM Clinical Consulting NV in Belgium and a former Director of Professional Development for ACRP.
Tine Wouters, MSc, is a Project Leader for TRIUM Clinical Consulting NV.