The new General Data Protection Regulation 2016/679/EU (GDPR) comes into effect throughout the EU on 25 May 2018. The new data protection rules strengthen the protection of individuals' personal data and threaten significant fines and penalties for any organisation that is non-compliant. The changes themselves are not radical: they build on what is already in place and add a number of new requirements. GDPR applies to all organisations worldwide that process the personal data of individuals in the EU, regardless of the individual's nationality or the organisation's location, and all of these organisations need to act proactively to ensure compliance.
While GDPR is regarded as an aggressive piece of regulation, it is set to improve the patient experience by introducing the Right to be Forgotten, shortening the Subject Access Request time frame and tightening the rules on explicit consent. GDPR aims to advance and widen the scope of the existing Data Protection Directive (DPD), but it also adds new compliance requirements and raises some important questions regarding clinical trials. The healthcare industry already faces multiple challenges when it comes to protecting sensitive data, and GDPR now adds the principle of accountability and strengthens the principles of transparency, data confidentiality and integrity.
Some considerations of what is about to change for companies involved in clinical trials include:
Consent is one of the lawful bases for processing under GDPR and is defined as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her'. Consent must be specific to each processing purpose and, for health data, must also be explicit and freely given. Furthermore, GDPR requires that consent be as easy to withdraw as it is to give.
In the healthcare sector, where genetic, biometric and other data concerning health are processed on a large scale, a data protection officer must be appointed to monitor compliance.
Anonymisation and pseudonymisation are two different terms that should be clearly defined in the protocol. GDPR defines pseudonymisation as 'the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.' This technique separates the directly identifying elements from the rest of the data being processed, but because the additional information can be used to re-identify the subject, pseudonymised data are still personal data and remain within the scope of GDPR. Only truly anonymised data, which can no longer be attributed to an identifiable individual, fall outside it.
GDPR introduces new rights, including the right to erasure (or right to be forgotten), under which "the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay", and the right to data portability, under which "the data subject shall have the right to receive the personal data concerning him or her and have the right to transmit those data to another controller".
The right of subject access already exists under the Directive; under GDPR, however, there is an important adjustment: subjects must be given access to their personal data free of charge and without undue delay, and in any event within one month of the request.
Under the Directive, businesses are restricted from transferring personal data to destinations outside the European Economic Area that do not ensure an adequate level of data protection. Countries able to demonstrate an adequate level of data protection may be approved by the European Commission, which bases its decision on the data protection laws in force in that specific country.
GDPR aims to establish the right of individuals to control how their personal data are used, and it sets out explicit responsibilities for the healthcare professionals and companies that handle such data, since these data require specific consent and careful control.