This week, effective May 25th, 2018, the General Data Protection Regulation (GDPR) applies in the European Union (EU). This regulation harmonizes data privacy law across Europe and replaces the Data Protection Directive 95/46/EC. The GDPR is a complex piece of legislation comprising 11 chapters, 99 articles and 173 recitals. Its aim is the protection of the personal data of each individual (data subject). In short, protection against abusive data processing, protection of the right to informational self-determination and of personal rights in data processing, as well as the protection of privacy, must all be ensured to be compliant with the GDPR.
The following article summarizes the key points in GDPR and gives an overview on how to manage data privacy compliance after May 25th, 2018.
General Data Protection Regulation
Firstly, the definition of personal data is now much broader. The GDPR defines personal data as “any information relating to an identified or identifiable natural person (data subject)”. A data subject “can be identified, directly or indirectly, in particular by reference to an identifier”. Identifiers include, for example: a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Personal data also includes the “special categories of personal data” of Article 9, often called sensitive personal information (SPI): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning health, and data concerning a person’s sex life or sexual orientation. Data relating to criminal convictions and offences are not in this list; they are subject to the separate rules of Article 10.
This is where we can see the first big change in data privacy regulation: the territorial scope of the GDPR. The GDPR applies not only to organizations established in the EU but also to any organization worldwide that processes personal data of data subjects who are in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour (Article 3). The criterion is the data subject’s presence in the EU, not EU citizenship. Furthermore, it does not matter whether the data are processed within or outside the EU. EU-based and non-EU-based companies that process personal data of people in the EU must be compliant with the GDPR. Data processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means”. In general, the GDPR differentiates between data controller and data processor. Both can be natural or legal persons, a public authority, an agency or another body. The data controller “determines the purposes and means of the processing of personal data”, whereas the data processor “processes personal data on behalf of the controller”. For example, a pharma company offers tailored therapy for patients in hospitals. The hospital (data controller) transmits patient information to the pharma company (data processor) for the purpose of producing the tailored therapy. Note that the roles follow from who actually decides the purposes and means, not from the label in the contract: if the pharma company uses the patient data for its own purposes as well, for example for research, it is a controller for that processing and needs its own legal basis.
Consent is king: where processing relies on consent, the GDPR demands that it is given by the data subject through an easily understandable and accessible form. The request must be clearly distinguishable from other matters, using clear and plain language. Withdrawing consent must be as easy as giving it. For example, a website must ask for consent before sharing a data subject’s data with a brand for product offers. Consent is, however, only one of the six legal bases of Article 6; processing can also rest on a contract, a legal obligation, vital interests, a public task or the controller’s legitimate interests, and the controller must document which basis it relies on. The data privacy of children is more strongly protected under the GDPR: for online services offered directly to a child, parental consent is required for the processing of personal data of children under the age of 16, and Member States may lower this age limit to no less than 13.
The handling of personal data breaches is another important topic in the GDPR. A personal data breach is defined as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. In case of a data breach, the organization must react quickly. The controller must notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects (Article 33); where the risk is high, the affected data subjects must also be informed without undue delay (Article 34). Processors must notify the controllers they work for without undue delay after becoming aware of a breach. Any notification later than 72 hours must be accompanied by the reasons for the delay, so an incident response process should record when the breach became known and what was done from that moment on.
Other significant changes in the GDPR are the right to be forgotten (right to erasure, Article 17) and the right of access (Article 15). The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data and, where the data have been made public, inform other controllers processing them of the erasure request. The right of access allows the data subject to obtain confirmation of whether, where and for what purpose his/her personal data are being processed. The data controller shall provide a copy of the personal data free of charge and, where the request was made electronically, in a commonly used electronic format.
Data portability (Article 20) means the right of a data subject to receive the personal data concerning him/her, which he/she has provided to a controller, in a “structured, commonly used and machine-readable format” and to transmit those data to another controller. It applies where the processing is based on consent or on a contract and is carried out by automated means. The data subject can decide at any time when and to whom he/she wants to transfer his/her personal data.
GDPR isn’t just about identifying and securing data. Rather, Privacy by Design requires the full participation of stakeholders across the organization. Privacy by Design, in the GDPR “data protection by design and by default” (Article 25), means organizations need to consider privacy at the initial design stage and throughout the complete development process of new digital products, processes or services that involve processing personal data. It should be considered first which personal data are to be used, for which purpose and how this will be done lawfully. Further, the development shall be validated against data privacy requirements before it goes into production, and the default settings shall process only the personal data necessary for the specific purpose.
Finally, a Data Protection Officer (DPO) must be appointed in many organizations, in particular in public authorities and in organizations whose core activities consist of large-scale regular and systematic monitoring of data subjects or of large-scale processing of special categories of data (Article 37). The DPO informs and advises the organization on its data protection obligations, monitors compliance with the GDPR and with internal policies, advises on data protection impact assessments, cooperates with the supervisory authority and acts as the contact point for the authority and for data subjects (Article 39). Non-compliance with the GDPR can result in heavy penalties of up to 4 % of annual global turnover or €20 million, whichever is greater.
GDPR in the Health Care Industry
Health care, pharmaceutical and medical device companies as well as Clinical Research Organizations (CROs) managing patient data are particularly affected by the GDPR. Any business subject to the GDPR must protect and manage the personal data it holds on employees, suppliers, clinical trial subjects and consumers, such as: data held in consumer/management systems, patient databases, employee HR files including addresses (and email addresses), banking/payment card data, dates of birth, medical records/medical screening forms, questionnaires, medical consent forms, consumer contact/communications records or supplier personnel data. The daily business in the pharma and medical industry is in large part based on the collection, sharing and usage of sensitive personal information (SPI). The GDPR defines three of these special categories in Article 4 which specifically affect the healthcare industry:
- Data Concerning Health: “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”
- Genetic Data: “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”
- Biometric Data: “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”
Processing of these special categories of personal data is prohibited (Article 9(1)) unless one of the specific conditions defined in Article 9(2) of the GDPR applies, e.g.:
- If the data subject has given “explicit consent” to the processing
- If “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […]”
- If “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […]”
As mentioned above, consent is one of the main legal bases for processing personal data under the GDPR, and obtaining valid consent is one of the biggest challenges facing pharma and medical companies. For SPI, Article 9(2)(a) requires explicit consent, which in practice means the most obvious and strongest forms such as a ticked box or a declaratory statement. The consent must be informed, freely given and specific. This specificity inhibits the secondary use of clinical data: in principle, renewed consent is required for each further purpose for which clinical data are used in the pharmaceutical and medical industry. Recital 33 relaxes this somewhat for scientific research, allowing data subjects to consent to certain areas of research where the purposes cannot be fully specified at the time of collection, provided recognised ethical standards are kept.
A data processing agreement is a must if personal data are shared with a processor, for example when a pharma company (data processor) works closely with a hospital (data controller) and patient data must be shared. In this agreement, according to Article 28 of the GDPR, the processor must commit, among other things, to process the data only on the documented instructions of the controller, to have adequate information security in place (Article 32), not to use sub-processors without the prior authorisation of the controller, to pass the same obligations on to any sub-processor, to keep records of its processing activities (Article 30), to delete or return all personal data at the end of the contract at the choice of the controller, to report data breaches to the controller without undue delay (Article 33), and to make available all information necessary to demonstrate compliance and allow for audits.
Furthermore, companies must organize all their personal data in a register, the records of processing activities of Article 30. The register must identify the purposes of the processing, the categories of data subjects and personal data, the recipients, any transfers to countries outside the EU, the retention period and a general description of the security measures. The company must show a concept for the deletion of data and be able to provide a full and correct set of all records of an individual if requested.
The anonymization and de-identification of clinical data, for example collected via electronic case report forms (eCRF), is another challenge for CROs. All sensitive patient data, and any data that could identify a patient, should be removed or pseudonymized before the data leave the controller. Note the difference: pseudonymized data, where the patient could still be re-identified with a separately held key, remain personal data under the GDPR (Recital 26); only truly anonymous data fall outside its scope. The transmission of non-CRF data such as lab results from medical analysis is also covered by the GDPR.
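The following Python script is an added illustration of such a de-identification step; it is not code from the original article or from any eCRF product. The field names, the sample record and the secret key are assumptions made for this example. It drops direct identifiers, replaces the subject ID with a keyed hash (pseudonymization, reversible only by whoever holds the key), generalizes quasi-identifiers such as date of birth and postcode, and redacts contact details that investigators may have typed into free-text fields.

```python
"""De-identify an eCRF record before it is shared with a CRO or sponsor.

Added example. The schema, the sample record and the key below are
constructed for this illustration; they are not a real eCRF format.
"""
import hashlib
import hmac
import re
from datetime import date

# Assumed secret held only by the controller (e.g. in the hospital's key vault).
# Because the pseudonym can be linked back with this key, the output is
# pseudonymized, i.e. still personal data under GDPR Recital 26, not anonymous.
PSEUDONYM_KEY = b"example-key-keep-in-controller-key-vault"

# Direct identifiers that must never appear in the exported record.
DIRECT_IDENTIFIERS = {"subject_id", "name", "address", "email", "phone", "national_id"}

# Clinical fields retained for analysis.
CLINICAL_FIELDS = ("diagnosis", "dose_mg", "lab_hba1c", "ae_notes")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s/-]{6,}\d")


def pseudonym(subject_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of the subject ID: stable across visits, unlinkable without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, visit: date, width: int = 10) -> str:
    """Generalize date of birth to an age band (default 10 years) at the visit date."""
    age = visit.year - dob.year - ((visit.month, visit.day) < (dob.month, dob.day))
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def redact_free_text(text: str) -> str:
    """Strip e-mail addresses and phone numbers from free-text notes."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    return PHONE_RE.sub("[PHONE]", text)


def deidentify(record: dict) -> dict:
    """Return a new record containing only pseudonymized and generalized fields."""
    out = {
        "pseudonym": pseudonym(record["subject_id"]),
        "age_band": age_band(record["dob"], record["visit_date"]),
        "visit_month": record["visit_date"].strftime("%Y-%m"),  # day dropped
        "postcode_area": record["postcode"][:2],                 # coarse region only
    }
    for field in CLINICAL_FIELDS:
        if field in record:
            out[field] = record[field]
    out["ae_notes"] = redact_free_text(out.get("ae_notes", ""))
    leaked = DIRECT_IDENTIFIERS & set(out)
    if leaked:
        raise ValueError(f"direct identifiers leaked: {sorted(leaked)}")
    return out


# Constructed sample record (fictional patient).
SAMPLE_RECORD = {
    "subject_id": "S-0042",
    "name": "Jane Doe",
    "address": "1 Example Street, Berlin",
    "email": "jane.doe@example.org",
    "phone": "+49 30 1234567",
    "national_id": "DE-123456789",
    "dob": date(1971, 6, 15),
    "postcode": "10115",
    "visit_date": date(2018, 5, 3),
    "diagnosis": "type 2 diabetes",
    "dose_mg": 500,
    "lab_hba1c": 7.4,
    "ae_notes": "Patient reported nausea; call back on +49 30 1234567 or jane.doe@example.org",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The keyed hash keeps the same patient linkable across visits inside the study without revealing the hospital’s subject ID; a plain unkeyed hash would not do, because subject IDs have little entropy and could be brute-forced. Whether the remaining quasi-identifiers (age band, month of visit, postcode area, rare diagnosis) still single out a patient has to be checked against the actual population of the data set; this script reduces identifiability, it does not by itself make the data anonymous.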
Considering the sensitivity of the data handled in the medical and pharmaceutical industry, the protection of the security and privacy of personal information must be a top priority. Data breaches will be fined heavily, but the ethical violation will probably weigh even more, especially for the reputation of an affected company. In order to achieve compliance with the data integrity and data privacy requirements of the GDPR, project teams should be set up in companies and organizations to work on this topic. Legal counsel should be consulted as experts on the extensive GDPR rules. And as always, the company culture concerning data privacy protection matters most: it must be shared by management and every employee, not left to the CRO or the compliance department.
Conclusion and Outlook
Data, “the new oil”: the GDPR was developed with a focus on social networks and cloud providers, concentrating on data storage, processing and sharing in the age of “Big Data”. The EU has had rules in the past, such as the Data Protection Directive (1995), but these were not fit for purpose in a digital age in which business processes are primarily electronic. In the past there was no consistent interpretation of the Data Protection Directive, leading to different handling in the individual EU countries. For better control of our personal data and to prevent the “transparent human” in a “surveillance society”, the GDPR and its harmonization of rules across Europe are in general wise and necessary.
Of course, implementing the GDPR and consistently complying with the new EU regulation is not easy and does not make sense in every field. For small and medium businesses, GDPR implementation is often not practical. Therefore, some countries, such as Germany, are considering last-minute changes because the economy and industry associations have criticized the GDPR. Especially start-ups and small and medium pharma and eHealth companies, as well as doctors, complain about the immense administrative barriers. The use of WhatsApp on business mobile phones, for example, which is common in hospitals and among doctors, is critical, because WhatsApp uploads the data of all contacts on the phone and, as the critics point out, shares them with Facebook. Under the GDPR, a legal basis is needed for this transfer and storage of every contact’s data, and the contacts would have to be informed; obtaining consent from every contact is indeed neither practical nor realistic. Another challenge is the collection of personal data in customer relationship management (CRM) systems. For example, transferring the personal data of a client from a business card into the CRM system is often assumed to require the client’s consent; the GDPR does in fact allow other legal bases here, such as the legitimate interest of maintaining a business relationship, but the company still has to document that basis and inform the client how the data are used. German chancellor Angela Merkel speaks of an “excessive demand” and intends to discuss the implementation of the GDPR: “Data sovereignty is important, but the regulation should not make data handling impractical. In addition, big data is a significant economic factor.” Merkel has also acknowledged that an individual government has no power to change the GDPR, because the regulation is directly applicable EU law that takes precedence over national law. Certainly, small companies and start-ups will face considerable difficulties in becoming compliant with the GDPR, while big data-processing companies like Google or Facebook have the skills, the staff and the resources to implement the regulation and to obtain the consent needed to continue their business.
Not only are the companies and organizations which must achieve compliance with the GDPR overstrained; the data protection authorities also lack the powers and financial resources to deal with the implementation and consequences of the new regulation. In a survey to which 24 authorities across the 28-nation bloc responded, 17 authorities said they did not yet have the necessary funding to fulfil their GDPR duties. Many governments still have to update their national laws to accommodate the Europe-wide legislation, which will take some months after the GDPR takes effect on May 25th, 2018, leaving the watchdogs lacking power in the meantime. It remains to be seen how the GDPR will be enforced, and whether the authorities will give priority to educating companies and organizations about the GDPR or to punishing violations of it.
Despite all the paper chase, complications and complaints, the GDPR and its legal validity are wise, because they make companies and organizations think about data privacy rules and accept their importance in our digital society. Especially in times when the personal data of up to 87 million Facebook users were harvested without their knowledge in the Cambridge Analytica data scandal, the right of each individual to data integrity and data privacy must be protected and impressed upon everyone.
At the beginning it will be most important to show the supervisory authorities that you have given thought to data privacy and to how the GDPR is handled and implemented in your company or organization. Demonstrating to the authority that you accept the importance of data privacy and that you have already established a concept for data collection, storage and management, for example a CRM system adjusted to GDPR requirements, data flow charts, internal and external data privacy policies, a data privacy statement on your company homepage etc., will be the first step on the way to compliance with the GDPR.
Author: Dr. Anna-Lena Hürter, Life Science Consultant