Once more unto the breach, dear friends: Data regulation in Europe

Nancy Dickie, senior associate at Winckworth Sherwood, tells pharma firms what they need to know about Europe’s new data regulation.

After lengthy negotiations at EU level, earlier this year we finally received the new European General Data Protection Regulation (“GDPR”). It brings with it the risk of fines of up to €20 million or 4% of worldwide turnover for data breaches – meaning they must be taken seriously. Whilst not taking effect until May 2018, the GDPR is complex and seeks to introduce a cultural shift in data protection. It is prudent to start preparations early and, in particular, to consider those changes that are most likely to impact heavily on the pharmaceutical sector.

It is impossible to ignore Brexit – whilst it will undoubtedly impact on data protection, in practice the UK will still have to adopt the GDPR or something close to it. Firstly, it is unlikely that the UK will have left the EU before May 2018 in any event. Furthermore, the GDPR will apply to any business trading in the EU, regardless of where it is established. What’s more, as the Information Commissioner’s Office has highlighted, to continue as a ‘safe’ destination for EU data, the UK will have to establish its adequacy in the same way as other non-European countries. Given the relatively tight timescales involved, businesses should again plan for GDPR now, whilst the detail of UK implementation plays out over the coming months or even years.

At the heart of the GDPR is a desire to bring greater accountability and transparency to how organisations must hold personal data, as well as establishing a “one stop shop” with a common set of rules applying across the EU, a change that will benefit pharmaceutical businesses operating on a pan-European basis and beyond.

Businesses will need to consider the following key points:

Consent

Obtaining and using consent as the basis for processing will become much harder – consent will have to be informed, freely given, specific and unambiguously indicated. So a ‘boilerplate’ clause, perhaps hidden amongst other terms, won’t work. This may have particular relevance in areas such as clinical trials, where consent forms will need to be more specific and detailed, especially if there is a need to transfer data to the US.

Genetic and biometric data

These terms are now defined, and health data continues to require particular treatment and specific requirements. Despite the aim of harmonisation, member states can legislate domestically in certain areas, including health and employment; for example, an exemption for scientific research may be applied at national level. So unfortunately local data protection requirements will still vary slightly across borders – a case of ‘watch this space’ for the sector.

Pseudonymised data

This is defined as ‘personal data’ and is encouraged as part of ‘privacy by design’. Where data used for a clinical trial, for example, has been assigned a unique ID, it must still be processed in line with the rules even if no name attaches to it. Only genuinely anonymised data that cannot be traced back to an individual at all would fall outside the definition of personal data.

Governance

There will be increased expectations on businesses’ governance and record keeping. Given the amount of data processed by many pharmaceutical businesses, many will have to designate a Data Protection Officer.

Privacy by design

GDPR requires businesses to understand and consider data protection in all new projects and technology, and to demonstrate that it has been taken into account. This has particular resonance in the pharmaceutical sector when new research projects are planned: as activity that is bound to be viewed as higher risk given the sensitive personal data involved, a privacy impact assessment (PIA) will be necessary. PIAs were encouraged previously but are now baked into the law.

Individual rights

Individuals will have much greater rights, including increased rights to object to certain processing, the right to be forgotten, to have data corrected and to restrict how data is used. There are far more obligations to inform individuals where and how data will be held and used. Subject access rights will be expanded and the compliance period cut to one month.

Data processors

Currently, suppliers that process data, such as a payroll bureau, have very limited liability for data compliance. Under GDPR, processors can be directly liable for some breaches.

Information Commissioner

The administrative burden of informing the ICO annually of a business’s data processing activities and paying the fee has been removed, although in practice the increased record-keeping obligations balance this change. Mandatory data breach notification applies to all data controllers, who will usually need to inform the ICO within 72 hours of a data breach.
