Life Sciences: Staying compliant in the face of GDPR
It’s been a month since GDPR came into force, but as the panic subsides and our inboxes are freed of privacy policy emails, we wonder what impact GDPR will have on the life sciences industry.
The General Data Protection Regulation (GDPR) governs the processing of personal data and is a complete overhaul of the European Union’s (EU) data protection laws. It came into effect on 25 May 2018.
What is GDPR and who does it apply to?
The EU’s GDPR website says that the regulation has been designed to “harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.”
British citizens will be protected by GDPR until such time as the United Kingdom (UK) withdraws from the EU. The UK introduced the Data Protection Act 2018, which also came into force on 25 May 2018 and which should be read alongside GDPR.
Any organisation that processes the personal data of individuals in the EU falls under GDPR regardless of where that data is processed, whether the organisation is established in the EU or, from outside it, offers goods or services to people in the EU or monitors their behaviour (Article 3).
The GDPR applies both to automated processing of personal data and to manual filing systems where personal data are accessible according to specific criteria. It also applies to both ‘controllers’ (a person or organisation that determines the purposes and means of processing personal data) and ‘processors’ (a person or organisation that processes personal data on behalf of a controller).
The above is an overview of GDPR in its simplest terms.
How will GDPR impact the life sciences?
Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact on businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution.” She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.
However, GDPR brings complex challenges from a practical and compliance perspective to the life sciences:
- The global application of GDPR
- The logistics of re-consenting and re-notifying a wide range of data subjects
- Costs and timings of GDPR compliance
- Amending vendor agreements
- The uncertainty of some of the GDPR provisions
“GDPR is having a significant impact on the life sciences, particularly within the medical writing specialism in relation to regulatory documents,” says Billy Hayes, Senior Consultant – Regulatory Affairs and Medical Writing at Aerotek EMEA.
“We’ve found that most documents that were covered under old legislation and contained unanonymised data from patients in clinical trials were fine for both EU and US purposes.
“However, with the more stringent GDPR guidelines now in place, Regulatory Medical Writers are feeling the pressure as all documents must be updated for the UK and Europe.”
Obtaining consent is a particular challenge. Consent must be freely given, specific, informed and unambiguous (that is, it can be expressed by a clear affirmative action as well as in words). It must be given for each purpose separately, and it must be clearly distinguishable from other matters in a written document.
Individuals have the right to withdraw consent at any time without detriment, and withdrawing must be as easy as giving it. Performance of a contract cannot be made conditional on consent to processing that is not necessary for that contract. Consent may also be invalid where there is a clear imbalance between data subject and controller (for example a cancer patient wanting to participate in the trial of a promising drug).
“I make no apologies for focusing on consent in the context of scientific research and clinical trials,” said Nick Tyler, Senior Director and Global Lead on Data Privacy at Takeda Pharmaceuticals. He was participating in an in-depth panel discussion about the various implications of GDPR.
“We have to focus on what is particularly at the heart of a highly complex, highly regulated industry. The real challenge the industry has relates to the level of specificity in a consent. We have the potential for very narrow, specific language which describes the scope of a particular research trial and in the light of more recent, innovative research.
“We are being boxed into a corner somewhat and the need for more generic language to cover and enable some further processing and secondary research that is compatible and in line with what is anticipated within the broad provisions of GDPR is absolutely essential for the industry and is a key plank of policy from the view of EFPIA (European Federation of Pharmaceutical Industries and Associations).”
Interestingly, Article 9(2)(i), elaborated in Recital 54, allows processing of special categories of personal data (including health data) without consent where necessary for reasons of public interest in the area of public health. This is not a blanket exemption: the processing must rest on Union or Member State law that provides ‘suitable and specific measures’ to safeguard the rights of data subjects, and Recital 54 adds that such data should not end up being processed for other purposes by third parties such as employers or insurers.
During the same panel discussion, Alejandro Gené, Senior Director and Legal Advisor at Celgene, discussed the complexity of Informed Consent Forms:
“A lot of the experiments performed by life sciences companies are pioneering and explaining what will be happening during a trial, how a drug works, how we think it works and what people are consenting to is very complicated. There are a large number of players in the context of global, multi-centre clinical trials that you need to leverage and use and you want to have the ability to move the data and on many occasions to reuse the data for things that you could never have imagined. You do that with the hope to advance science and to address unmet medical needs. Explaining that concisely in the context of a consent form is indeed extremely challenging.”
Beyond consent, pseudonymisation, data storage and transferring data across borders all pose particular challenges to the life sciences industry.
Luckily, derogations (exemptions or relaxations in the law) do exist to lessen the impact of GDPR on the sciences: Article 89 allows Member States to relax certain data subject rights for scientific research, provided appropriate safeguards such as pseudonymisation are in place. To negotiate this legal minefield, data specialists and lawyers who are able to interpret the new regulation, its recitals and its derogations will be required throughout the industry to buffer the impact on scientific results. GDPR also requires organisations whose core activities consist of ‘large-scale processing of special categories of data’ to appoint a Data Protection Officer (Article 37).