How will GDPR impact Life Sciences organisations?
In just under three months, your organisation needs to be ready to comply with a whole new set of EU data protection rules, or face fines of up to 4% of worldwide annual turnover or €20 million, whichever is higher.
On 25 May 2018 the long-awaited GDPR (General Data Protection Regulation) comes into force. It applies to any organisation established in the EU, and to any organisation anywhere in the world that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. That includes the UK, which adopts GDPR on the same date and, as confirmed in last year’s Queen’s Speech, will retain it after Brexit.
The regulation is set to disrupt businesses across the world, and provide a big data privacy boost for EU consumers, by tightening privacy legislation and implementing a consistent approach across all EU member states.
So what does that mean for the Life Sciences industry?
8 ways GDPR will impact biopharmaceutical businesses
There are 8 main components to GDPR that need to be addressed by your organisation:
Subject access requests
Under GDPR the time limit for responding to a subject access request (where an individual asks for a copy of the personal data held about them) falls from the 40 days allowed under the current UK Data Protection Act to one month, extendable by up to two further months only where requests are complex or numerous, and the individual must be told about any extension within the first month.
Individuals also gain the right to receive their data in an intelligible, commonly used form. Providing a link to an internal system is not enough: the data must be delivered in a format the individual can actually open and read (for example a Word or Excel document), and where the request was made electronically it should normally be supplied electronically.
Your organisation will need to shorten its subject access procedure accordingly, and make sure that whatever is sent is complete, accessible and easy to read.
Transfer of data
If personal data is sent outside the EU, pharma companies must be able to show that the transfer relies on a lawful mechanism, that controls and oversight are in place and that the data remains protected.
A Data Transfer Agreement (DTA) built on an approved mechanism, such as the European Commission’s Standard Contractual Clauses, is usually the most practical way to do this. In any case, data subjects must be told that their data is being sent outside the EU and what safeguards apply.
Rewriting of consent notices
Consent notices may need to be rewritten to tell individuals where their data will be sent, how long it will be kept and what rights they have over it.
Under the new rules, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. The data subject must understand how their data will be used and must have specifically agreed to it. A blanket “agreement to all processing” does not count; the notice must spell out what the processing will consist of and for which purposes. Consent must also be verifiable, which in practice means that if your organisation is asked, you must be able to produce evidence of who consented, to what, when and how.
The individual must also be told of their right to withdraw consent at any time, and withdrawing must be as easy as giving it. Where consent is required for a child’s data, the notice must be written so that the child can understand it.
Pseudonymised and anonymised data
Under GDPR, pseudonymised data is still personal data for as long as the additional information that could be used to identify the data subject (the key or linkage table) exists anywhere, even if it is held separately from the coded dataset. A list of subject codes linked to real names, as kept at every trial site, is the obvious example.
Anonymised data, where no such linked data exists and the individual can no longer be identified by any means reasonably likely to be used, is out of scope.
Trial protocols should state which of the two applies to each dataset.
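The distinction above is easy to get wrong in code, so here is an added example (not part of the original article, and not a Kinapse tool) on constructed sample trial records. It shows three things: keyed pseudonymisation with a separate linkage table, which stays re-identifiable and therefore personal data; an unkeyed hash of a name, which is often mistaken for anonymisation but falls to a simple dictionary attack using a site’s patient list; and stripping and generalising identifiers without keeping any linkage, which is the starting point for anonymisation but still needs a re-identification risk assessment before it can be called anonymous. Record fields, names and the `pseudonymise`/`anonymise` function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample trial records (not real subjects).
SUBJECTS = [
    {"name": "Alice Example", "dob": "1980-02-14", "site": "S01", "outcome": "responder"},
    {"name": "Bob Example", "dob": "1975-09-30", "site": "S01", "outcome": "non-responder"},
    {"name": "Carol Example", "dob": "1992-06-01", "site": "S02", "outcome": "responder"},
]


def pseudonymise(records, key):
    """Replace direct identifiers with a keyed code and keep a separate linkage table.

    The coded dataset on its own looks anonymous, but while the linkage table
    (or the HMAC key) exists anywhere, the dataset is still personal data:
    whoever holds both can put the names back (see reidentify).
    """
    coded, linkage = [], {}
    for rec in records:
        direct_ids = f"{rec['name']}|{rec['dob']}".encode()
        subject_id = hmac.new(key, direct_ids, hashlib.sha256).hexdigest()[:16]
        linkage[subject_id] = {"name": rec["name"], "dob": rec["dob"]}
        coded.append({"subject_id": subject_id, "site": rec["site"], "outcome": rec["outcome"]})
    return coded, linkage


def reidentify(coded, linkage):
    """What the site or sponsor holding the linkage table can do: restore identifiers."""
    return [{**rec, **linkage[rec["subject_id"]]} for rec in coded]


def naive_pseudonym(name):
    """An unkeyed hash of a name. Frequently described as 'anonymised'; it is not."""
    return hashlib.sha256(name.encode()).hexdigest()


def dictionary_attack(hashed_ids, candidate_names):
    """Recover names from unkeyed hashes by hashing every candidate.

    A hospital patient list, a mailing list or a public register is enough:
    the attacker needs no key, only the same hash function. Returns a map
    from hash to recovered name for every hit.
    """
    lookup = {naive_pseudonym(n): n for n in candidate_names}
    return {h: lookup[h] for h in hashed_ids if h in lookup}


def anonymise(records):
    """Drop direct identifiers and generalise quasi-identifiers; keep no linkage table.

    This is necessary but not sufficient for anonymisation: with rare
    combinations of birth year, site and outcome an individual may still be
    singled out, so a re-identification risk assessment must follow.
    """
    return [
        {"birth_year": rec["dob"][:4], "site": rec["site"], "outcome": rec["outcome"]}
        for rec in records
    ]


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # held separately from the coded data
    coded, linkage = pseudonymise(SUBJECTS, key)
    print("coded:", coded)
    print("re-identified:", reidentify(coded, linkage))

    hashed = [naive_pseudonym(s["name"]) for s in SUBJECTS]
    site_list = [s["name"] for s in SUBJECTS] + ["Dave Example"]
    print("dictionary attack recovered:", dictionary_attack(hashed, site_list))

    print("anonymised (no linkage kept):", anonymise(SUBJECTS))
```

The keyed variant is what a well-run trial already does with subject numbers; the point of the example is that the compliance status of the coded dataset is decided by whether the key or linkage table still exists, not by how the dataset looks. The unkeyed hash is worth testing for in any data export review, because it is the most common way a “de-identified” extract turns out to be trivially re-identifiable.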
Demonstrating compliance
Companies must now be able to demonstrate compliance (the accountability principle). It is not enough to say “we are compliant”: if the ICO asks, you must be able to produce evidence such as documented procedures, training records, data maps, records of processing and consent forms.
Pharma companies are likely to need to appoint a Data Protection Officer (DPO) who is accountable for monitoring compliance with GDPR.
For some organisations the appointment of a DPO is mandatory under Article 37, and the individual must have expert knowledge of data protection law and practice. This applies to your business if its core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data, which include health and genetic data; for a sponsor or CRO handling clinical trial data that is very likely to be the case.
Joint controllers
Article 26 of the GDPR sets out the responsibilities and liabilities of parties acting as “joint controllers”: they must agree, in a transparent arrangement, which of them handles which obligations, in particular the exercise of data subject rights and the provision of information to individuals, and data subjects may exercise their rights against either party.
It is therefore imperative that both the sponsoring company and the CRO understand the remit of their obligations and the potential for overlap in their respective roles, as the line between a sponsor’s responsibilities and those of the CRO can often be blurred.
The right to be forgotten
Under GDPR, individuals can request the erasure of their data or require an organisation to stop processing it. Data held for scientific research is exempt, but only where erasure would be likely to render impossible or seriously impair the objectives of that research; in practice your organisation would have to be able to show that continued processing of a dataset is essential to a particular trial.
Under Article 17 of the GDPR, a trial participant can at any time request that all of their data be erased “without undue delay”.
For the sponsor as data controller this means locating and deleting that data wherever it sits, whether held by the sponsor, the CRO, the hospital or any other third party, which is only realistic if data flows have been mapped in advance.
The right to be “forgotten” cannot be waived in the consent form. Article 89 of the GDPR allows the EU or Member States to limit certain individual rights, where necessary, to enable scientific research. However, this is not intended as a loophole for collecting data for other purposes.
Oversight of suppliers
Under the new legislation, companies that cannot demonstrate due diligence and ongoing monitoring of their suppliers (data processors) are likely to be fined.
Where a breach is caused by a processor and the controller cannot show adequate oversight, both can be held liable: data subjects may claim compensation from either party, and the supervisory authority may fine each of them. It is therefore essential that pharmaceutical organisations put processor contracts meeting Article 28 in place, monitor their suppliers closely and conduct data protection due diligence.
Tackling these requirements is a lengthy but essential process. With global revenue and individual accountability at stake, Life Sciences organisations have to make sure they are fully prepared before 25 May.
Kinapse can conduct a GDPR gap analysis to help you to identify what you need to do to become compliant. We also have experience of developing Privacy Impact Assessments, Data mapping templates, Data Transfer Agreements and breach notification procedures.
Our redact360 tool can help you meet the GDPR requirements on anonymisation of personal information, as it meets the European Medicines Agency standard of a less than 0.1% chance of re-identification once the data has been anonymised. We can also help you perform due diligence on your suppliers.