The European Union (EU) General Data Protection Regulation (GDPR) is set to become enforceable in just over a month, which is causing new work for those in clinical research, and carrying with it a brutal fine for noncompliance.
“The data are the blood of clinical research, so we’ve got to make sure our processes and policies are in place for this,” said Mark Barnes, partner at the law firm Ropes & Gray, as well as co-director of the Multi-Regional Clinical Trials Center of Harvard University and Brigham and Women’s Hospital, and a lecturer at Yale Law School.
The new regulations standardize and strengthen the protection of personal data across the EU and for data from other countries being processed within the EU. The rule, Regulation (EU) 2016/679, replaces the Data Protection Directive 95/46/EC, which mandated that individual European countries handle data privacy themselves. Come May 25, they will all have to follow the new rule, which expands the definition of personal data to include any information that could be used to identify a person.
What will research sector companies need to change? They’re going to have to identify the data that is being processed, where it is transferred to, who is processing it, what it is used for, and any risks and processes it may undergo, and make sure all employees and vendors are trained.
Within GDPR, controls around consent have been tightened: any request for consent must be presented in a clear, intelligible, easily accessible form, and the purpose of the data processing must be tied to that consent. In addition, a study subject must be able to tell what material constitutes consent versus any other documents they are given. Consent must use simple language, and GDPR dictates that it must be as easy to withdraw consent as it is to give it.
There’s also the complicated issue of “the right to be forgotten,” which is part of GDPR and centers on study subjects who decide they want their data removed from a study. This conflicts with the expectation under good clinical practice (GCP) that data about a subject be kept even after they say they no longer want to participate in a study, as well as guidance from the FDA and from Europe that now dictates that researchers keep the data up until that point, said David Forster, chief compliance officer for WIRB-Copernicus Group.
Under GDPR, said Forster, when these issues come up, the expectation is that there will be a weighing of the value of the information for public interest versus the subject’s right to be forgotten.
“Theoretically, that scientific purpose should have enough weight to rule against the right to disappear,” said Forster, who added that if people can pull their data, those working in research fear that data for that trial can become skewed.
Though the rule, passed in 2016, for now applies only to citizens of the EU, so many international companies operate there that the GDPR has the potential to become the de facto worldwide regulation covering data privacy, said Forster.
To be ready for GDPR by May 25, Barnes said those working in clinical research that touches EU residents must:
“All of those things have to be accommodated in the way we plan and conduct our studies, and that means this directly affects the clinical trial document, the protocol, the clinical trial agreement with the sites, the informed consent forms and the internal SOPs in our companies and of academic medical centers in the U.S. that are sponsoring research or doing research within the 31 countries that are affected by the GDPR,” said Barnes. “I think a lot of the universe has just now begun to wake up to what needs to be done. The effect is going to be profound.”
GDPR rules don’t just apply to those conducting clinical trials, but also their employees, customers and subcontractors. Thus, clinical trial companies will have obligations to make sure rules are in place and followed throughout the various reaches of the trial they’ve sponsored. To that end, said Forster, many in the field are rewriting contracts with vendors to make sure vendors understand the importance of reporting any and all possible GDPR breaches to the contracting company.
And the fines are potentially colossal — up to four percent of annual global revenue or €20 million, whichever is higher.
“The fines are significant and that’s why everybody is so worried about this,” said Forster. “This is terrifying for larger companies.”
That’s the bad news.
The good news is that enforcers of the new regulation are much more likely to focus on technology giants for the next year than on clinical research.
“I think the first wave of enforcement is going to be Facebook, Google, Microsoft, Apple — the large technology firms that are already the focus of compliance concerns,” said Barnes, predicting that it may take a year or two for EU authorities to turn their attentions to biomedical research and the flow of data into and out of European countries.