The European Union’s new data privacy rules have consequences for clinical research around the world and sorting out how and when they apply is no simple task.

When the EU revised its General Data Protection Regulation (GDPR) in 2018, it broadened the rule’s scope to include processing of personal data by any entity represented — but not necessarily located — in the European Economic Area and any research subject located in — but not necessarily a citizen of — any EU country.

So how do U.S.-based researchers navigate the rule to avoid regulatory investigations and harsh penalties that can run as high as €20M?

“It’s a little bit challenging to look at activities and data processing and to figure out ‘does this apply to me?’” said attorney Melissa Markey of Hall, Render, Killian, Heath & Lyman at a recent MAGI-sponsored webinar.

The first step is to determine whether your sponsor, CRO or trial site meets one of three criteria:

• Established in the EEA and acting as a data controller or processor;
• Not established in the EEA but offers goods or services to data subjects located in the EEA; or
• Not established in the EEA but monitors the behavior of data subjects located in the EEA.

If a U.S.-based university has a campus or a pharmaceutical company has an affiliate in the EEA, for example, the rule applies regardless of whether or not the data processing takes place there.

Subjects’ citizenship doesn’t matter, either. If a subject is physically located in the EEA, that subject’s personal data falls under GDPR. On the other hand, collecting data from EU residents while they’re in the U.S. circumvents the GDPR, unless the organization has ties to or affiliates in the EU.

And determining what constitutes personal data under GDPR can be even trickier, Markey said.

Under the rule, personal data is defined as “any information relating to an identified or identifiable natural person … who can be identified directly or indirectly.” That goes beyond identifiers such as names to include identification numbers, location data and factors such as physical, physiological, genetic, mental, economic, cultural or social identity. Even trade union membership is considered personal data, under GDPR.

“If you think through that list, that’s an incredibly broad list of people,” said Markey. “As a result, it’s really hard to have any information about a person and not have it be identifiable data,” Markey said.

Of course, medical research would come to a grinding halt if researchers couldn’t use personal health data. So there are exceptions, said David Peloquin of Ropes & Gray LLC, but there must be a legal basis to support the processing.

One legal basis stands out — when the data subject has given consent. But while that seems easy to defend, in fact it’s not as simple as it sounds. GDPR doesn’t favor that option. Subjects may have a disease or condition and hope an experimental drug will help them, for example. In that case, consent is often considered not freely given, Peloquin said.

There are many other administrative obligations under GDPR. For example, the regulations call for research entities to appoint a data protection officer under some circumstances, such as when core activities require regular and systematic monitoring of data subjects on a large scale or core activities consist of processing on a large scale of special categories of personal data, which is often the case in clinical research.

Organizations also may be required to appoint a representative in the EEA to serve as a legal representative for clinical trials. Organizations must report data breaches, of course, within 72 hours of learning of the breach. Finally, controllers and processors must conduct a data protection impact assessment when the processing uses new technology or is likely to result in a “high risk to the rights and freedoms of subjects,” Peloquin said.

Creating a centralized process to coordinate all GDPR compliance factors is critical, according to Cerdi Beltre, senior vice president of institutional services for WIRB-Copernicus Group. The process should focus on three main areas: 1) the location of operations, 2) the role of the university/researchers and 3) the location of research subjects.

“Whether it is tied to the institutional approval process or an appendage of the ethical review process may not matter provided that, as an entity, you are aware of when you must adhere to the obligations under GDPR.”

Markey and Peloquin will speak on GDPR and other data privacy regulations at the MAGI 2019 East conference in May: https://bit.ly/2AYxqbC.

To listen to the full webinar, click here: https://bit.ly/2G22o5w.