
GDPR: What is it and what does it mean for your clinical studies: Part I

7 June 2021

This two-part blog summarizes the Medical Device and Diagnostic Solutions’ research on General Data Protection Regulation (GDPR) compliance for medical device sponsors. It does not serve as legal advice; it is a summary of information gathered by our Medical Device and Diagnostic Solutions through a review of the GDPR itself and of publicly available resources on current interpretations of GDPR compliance. The Medical Device and Diagnostic Solutions recommends that sponsors obtain legal counsel on this important topic.

In part 1 of this blog, we will discuss the background of GDPR and key elements for sponsor consideration. In part 2, we will discuss specific GDPR requirements, including new terms with specific definitions, implications for clinical researchers and sponsors and required elements to include in GDPR-compliant informed consent forms (ICFs).

Background

The new GDPR went into effect in the European Union (EU) on May 25, 2018. This broad legislation covers many aspects of personal information protection and confidentiality, but information and guidance on its application to clinical research are very limited; clinical trials are mentioned only twice in the regulation. Although the regulation is specific to the EU member countries, the United Kingdom (UK) will remain impacted by GDPR requirements even upon exit from the EU. At that time, the UK will become a ‘third country’ along with other non-EU countries.

GDPR and Clinical Trials

The previous EU privacy law, EU Directive 95/46/EC, has been superseded by GDPR. GDPR is intended to harmonize data privacy laws across the EU and to protect the privacy of all individuals while they are in the EU. GDPR is extra-territorial, meaning it applies to any organization that collects or processes personal data of individuals inside the EU, regardless of where the collecting or processing organization is located. GDPR covers EU residents, and non-residents residing in or visiting the EU, if their study data are collected while they are in the EU.

A U.S. study subject travels to the EU while wearing an activity monitor; if activity monitor data are collected while the subject is in the EU, the subject must have given GDPR-compliant consent for the sponsor to collect those data.

GDPR-covered data are broader than the personal information covered under previous legislation and include genetic and biometric data. Under GDPR, certain information must be provided to individuals before their personal data are obtained, such as the identity and contact details of the data controller (i.e., the sponsor), the contact details of the data protection officer (the designated person within the sponsor organization), the purposes and legal basis for data processing, the recipients of the data, how long the data will be stored, and the individual’s rights under the legislation. Children aged 16 or older can provide consent under GDPR; for a child under 16, consent must be granted by the holder of parental responsibility over the child.

Consequences

Failure to comply with GDPR has significant consequences. Heavy fines of up to 4% of a sponsor’s global revenue can be assessed, depending on the scope of the violation. Having a well-defined privacy policy in place to ensure GDPR compliance is critical to preventing violations and the potential for heavy fines.

Recommendations

Our Medical Device and Diagnostic Solutions recommends that sponsors develop a privacy policy that specifically addresses GDPR compliance. Any study conducted in the EU, or any study that collects information while a subject is in the EU, is governed by GDPR. For GDPR-compliant studies, detailed data privacy information must be provided to study participants from the very beginning. To ensure subjects receive all of the required GDPR information, Medical Device and Diagnostic Solutions recommends that the information be included in the informed consent form (ICF) unless otherwise specified by a site’s Ethics Committee (EC) or the sponsor’s Competent Authority (CA).

In our next blog, we’ll explore new GDPR terminology and critical elements to include in GDPR-compliant informed consent forms.

The Medical Device and Diagnostic Solutions consultants are available to help you navigate GDPR.

View Part II in this series here.