Gearing up for GDPR

The European Parliament adopted the General Data Protection Regulation (GDPR) in May 2016, four years after it was first proposed. This year, it will enter into force. The GDPR was created with the aim of unifying data regulations among European countries, and updating data protection laws for the modern world – as people share more personal data than ever before, new regulations are needed to give individuals more control over how their data is used and shared, both within and outside the EU.

The new regulations promise to have a far-reaching impact for businesses and organizations across the board, and have generated a significant amount of discussion. Some feel that pharma is simply not prepared for the new rules (1) – but with little time left before they begin to be enforced, the industry will have to adapt, or face some serious penalties.

Brendan Barnes Director of Data Protection, IP and Global Health at the EFPIA tells us more about the changes GDPR will bring.

Health data

• “A key concern for the industry is that the GDPR should support data-driven research and the text of the regulation does this. It is very clear that the ability to access and re-use personal health data with appropriate safeguards will be a very important driver of health system performance improvement and of pharmaceutical innovation. These benefits are already being seen.”
• “The GDPR is intended to enable individuals to exercise control over their data. Companies, contractors and investigators will need to understand how to respond to access requests.”

Clinical trials

• “We are seeing uncertainty regarding the impact of GDPR on clinical research. When we surveyed EFPIA members last year, it was clear that there were many areas where the interaction between the GDPR and the Clinical Trials Regulation was causing confusion. These include breadth of consent, data retention, and de-identification/anonymization obligations.”
• “The standard of consent has been raised under GDPR, but this has to be understood against the context that the GDPR deals with consent across all sectors. Consent processes within clinical research are already of a very high standard and are unlikely to greatly change, although new information notices may be required. The GDPR makes extensive provision for research and acknowledges the need for specific treatment of research data. However, there is still a lot of uncertainty. An example is the right to be forgotten. While this is an important right in a general sense (for example, removing your data from a social media website), the right needs to be reconciled with the need to preserve data in a clinical trial, including data from subjects who have withdrawn from the trial. Recent guidance from the article 29 working party has again put this in question.”

Companies outside the EU

• “The GDPR applies to all businesses established in the EU and to businesses worldwide who are offering services in the EU, or monitoring EU citizens.”

Ensuring compliance

• “The Data Privacy regulators continue to issue guidance on specific issues which companies then need to review in relation to their internal procedures. There is a big focus on compliance as there will be for all organizations. Particular issues for life sciences companies will be to be clear about the basis on which they are processing sensitive personal data (in particular regarding the GDPR scientific research exemption) while taking into account the specific safeguards of our sector, ensuring that information notices are updated where appropriate, and assessing the basis under which they are transferring data to third countries.”
• “The GDPR places a strong emphasis on accountability – a shift from the directive that preceded it – and contains very substantial sanctions for non-compliance. Companies will find that they need to embed data protection in their processes and educate staff to understand the issues. This could involve general education sessions, specific staff training and review of internal HR policies.”