
EU’s Privacy Rule Impacts Sites, Sponsors Globally

April 8, 2019
Gienna Shaw

The European Union’s new data privacy rules have consequences for clinical research around the world and sorting out how and when they apply is no simple task.

When the EU revised its General Data Protection Regulation (GDPR) in 2018, it broadened the rule’s scope to include processing of personal data by any entity represented — but not necessarily located — in the European Economic Area and any research subject located in — but not necessarily a citizen of — any EU country.

So how do U.S.-based researchers navigate the rule to avoid regulatory investigations and harsh penalties that can run as high as €20M?

“It’s a little bit challenging to look at activities and data processing and to figure out ‘does this apply to me?’” said attorney Melissa Markey of Hall, Render, Killian, Heath & Lyman at a recent MAGI-sponsored webinar.

The first step is to determine whether your sponsor, CRO or trial site meets one of three criteria:

  • Established in the EEA and acting as a data controller or processor;
  • Not established in the EEA but offers goods or services to data subjects located in the EEA; or
  • Not established in the EEA but monitors the behavior of data subjects located in the EEA.

If a U.S.-based university has a campus or a pharmaceutical company has an affiliate in the EEA, for example, the rule applies regardless of whether or not the data processing takes place there.

Subjects’ citizenship doesn’t matter, either. If a subject is physically located in the EEA, that subject’s personal data falls under GDPR. On the other hand, collecting data from EU residents while they’re in the U.S. circumvents the GDPR, unless the organization has ties to or affiliates in the EU.

And determining what constitutes personal data under GDPR can be even trickier, Markey said.

Under the rule, personal data is defined as “any information relating to an identified or identifiable natural person … who can be identified directly or indirectly.” That goes beyond identifiers such as names to include identification numbers, location data and factors such as physical, physiological, genetic, mental, economic, cultural or social identity. Even trade union membership is considered personal data under GDPR.

“If you think through that list, that’s an incredibly broad list of people,” said Markey. “As a result, it’s really hard to have any information about a person and not have it be identifiable data.”

Of course, medical research would come to a grinding halt if researchers couldn’t use personal health data. So there are exceptions, said David Peloquin of Ropes & Gray LLC, but there must be a legal basis to support the processing.

One legal basis stands out — when the data subject has given consent. But while that seems easy to defend, in fact it’s not as simple as it sounds. GDPR doesn’t favor that option. Subjects may have a disease or condition and hope an experimental drug will help them, for example. In that case, consent is often considered not freely given, Peloquin said.

There are many other administrative obligations under GDPR. For example, the regulations call for research entities to appoint a data protection officer under some circumstances, such as when core activities require regular and systematic monitoring of data subjects on a large scale, or when core activities consist of large-scale processing of special categories of personal data, which is often the case in clinical research.

Organizations also may be required to appoint a representative in the EEA to serve as a legal representative for clinical trials. Organizations must report data breaches, of course, within 72 hours of learning of the breach. Finally, controllers and processors must conduct a data protection impact assessment when the processing uses new technology or is likely to result in a “high risk to the rights and freedoms of subjects,” Peloquin said.

Creating a centralized process to coordinate all GDPR compliance factors is critical, according to Cerdi Beltre, senior vice president of institutional services for WIRB-Copernicus Group. The process should focus on three main areas: 1) the location of operations, 2) the role of the university/researchers and 3) the location of research subjects.

“Whether it is tied to the institutional approval process or an appendage of the ethical review process may not matter provided that, as an entity, you are aware of when you must adhere to the obligations under GDPR.”

Markey and Peloquin will speak on GDPR and other data privacy regulations at the MAGI 2019 East conference in May: https://bit.ly/2AYxqbC.

To listen to the full webinar, click here: https://bit.ly/2G22o5w.
