Data protection — it’s personal! The impact and wider implications of GDPR


Now that we are a couple of months into the enforcement of GDPR, we ask Robin Kerbel, CEO and co-founder of Six Degrees Medical, what the impact on the pharma sector has been and what the wider implications of the regulatory changes may be…

Q. Could you briefly run through General Data Protection Regulation (GDPR) and how it impacts the pharma sector?

A. GDPR applies to all organisations that provide goods and services to people in the European Union (EU). EU member states also have the ability to maintain or introduce further conditions, including limitations, regarding the processing of genetic data, biometric data or data concerning health.

The objectives of the GDPR are to harmonise data privacy laws throughout Europe, and to safeguard individuals’ privacy. The processing of personal data is only permitted when there is a clear legal basis for doing so.

It applies to Personally Identifiable Information (PII), so, a US company conducting a trial in an EU member state must adhere to all aspects of the GDPR in protecting the PII of data subjects. Similarly, trials conducted in an EU member state that will be transferred outside the European Economic Area (EEA) must be protected in accordance with the GDPR.

There are a number of rules stipulated by the EEA that data practices must adhere to; the ones listed below represent the most pressing steps for pharmaceutical companies:

Q. What may be the biggest area within pharma that is affected by the GDPR change?

A. Clinical trial sponsors must carry out a Data Protection Impact Assessment (DPIA), which includes:

The DPIA is less a matter of capturing the exact information being processed, and more a matter of recording all the reasons for processing, and the measures being taken to prevent the risk of breach.

Q. If there is a data breach or a company is deemed to not be compliant with the regulation, what are the steps that should be taken to manage the situation/become compliant?

A. Most importantly, organisations conducting clinical trials must maintain proper documentation from the very beginning. In the event of a breach, the controller must report it to the authorities no later than 72 hours following the discovery of the breach. They will be required to supply documentation as evidence of the responsible handling of all processing, and of attempts at mitigating risk.

Q. What proactive steps can be taken by companies to ensure they are prepared for future regulatory changes and enforcement of these changes?

A. Given the wide-reaching scale of the data protection initiatives taking place across the globe, many organisations have begun partnering with consultants who have an in-depth knowledge of, and a continuing eye on, upcoming legislative changes. Data protection is a unique knowledge set that requires focus. Delegating the responsibility of data protection assurance to a specific individual or team (whether internal or third party) is key to ensuring that it remains a priority.

Q. Will we see stricter guidelines for personal data protection globally?

A. To a certain extent, the GDPR has already effected global change. Companies conducting any level of processing on the data of subjects in the EU must still abide by the regulations, regardless of their country of origin. Further, as the media continues its focus on privacy risks, citizens will likely continue to press for greater enforcement of data protection laws.
