For the past month or so, most e-mail inboxes have been flooded with updates on new privacy policies and data processing agreements. All credit goes to the newly applicable European Union (EU) General Data Protection Regulation, or the GDPR (Regulation (EU) 2016/679).
With the GDPR come heightened requirements on how personally identifiable information should be controlled and processed. This not only affects IT companies and organizations who process any type of personally identifiable information, but also the medical device industry.
As with any type of clinical trial, personally identifiable information and other data are collected, processed, and analyzed. In this blog, we’ll take a look at how the GDPR can affect medical device clinical operations, and what sponsors should be aware of before initiating any new clinical activities in the European Union.
The key changes in the GDPR
The GDPR was enforced on May 25th, 2018, and companies that do not comply will face heavy fines. The aim of the GDPR is to protect the rights of EU citizens by enhancing privacy and minimizing the risk of data breaches. In an increasingly data-driven world, where information sharing, machine learning, and social networking lead the way, there is a need for protecting the individual’s privacy.
The GDPR replaces the old EU Data Protection Directive 95/56/EC, which was originally designed to harmonize data privacy laws across Europe. Although the key principles from the European directive are still in focus, the GDPR brings updated policies and definitions which will impact organizations around the world.
Here are some of the key changes brought by the GDPR, as listed by eugdpr.org:
- Increased Territorial Scope (extra-territorial applicability)
  - This means that the GDPR applies to all organizations processing data from data subjects (citizens) residing in the EU, not only EU-based organizations.
- Organisations which fail to comply can be fined up to 4% of annual global turnover, or €20 Million (whichever is greater).
- A clearer and more definite condition for acquiring consent from data subjects (citizens) to process data is needed.
- Breach Notification
  - Mandatory notifications of any data breach between data controllers and processors are now enforced.
- Right to Access
  - Data subjects have the right to access the personal data being processed on them from any data controller.
- Right to be Forgotten
  - Data subjects have the right to request data controllers to erase their data.
- Data Portability
  - Data subjects have the right to request their data in a portable format, which allows them to transfer their data to another data controller.
- Privacy by Design
  - Privacy and security shall now be a part of system design, not just the processes.
- Data Protection Officers
  - A person shall be appointed to handle the necessary internal recordkeeping requirements.
Impact on clinical trial subjects
There’s no doubt that the increasing use of digital solutions, in collection and management of clinical trial data, has played a part in the need for an updated regulation. Machine learning (artificial intelligence, or AI) is also becoming popular in clinical research, which also introduces new challenges to privacy and data security.
The regulation states that a clear and documented consent must be acquired from all data subjects in order to process their information. Such consent is not new to the industry, and in most cases, a trial subject is asked to sign an informed consent before initiating any data collection.
The GDPR aims to strengthen the rights of the individual and ensure that people are better informed of how their data is processed, by whom, and to what degree it is used. As a result, medical device companies, or clinical trial sponsors, must now identify the data to be processed, where it will be transferred to, who is processing it, what it will be used for, and which risks are involved. All of this must now be included in a separate informed consent (not the protocol-specific consent).
Under the GDPR, clinical trial data is considered “special data”, because processing of such data is necessary for both scientific and research specific purposes. Although the GDPR clearly states that subjects should have the right to erase or transfer their data, the special data category negates these rights. This is due to the fact that clinical data cannot just be removed or transferred from a dataset, without affecting the audit trail or the statistical outcome. Subjects can, however, choose to withdraw their consent to prevent any additional data collection.
Although it brings new responsibilities and requirements, many of these are not new for medical device companies or clinical research organizations. The conditions for consent have been strengthened and must now be clearly distinguishable from other matters and use plain language. But going forward, the biggest change for the industry is the additional information on how, what, and which data is processed, that must be included.
Change in operation and responsibility
According to the GDPR, sponsors or medical device manufacturers can be categorized as both a processor and a data controller. This is because a clinical trial operation includes data not only from subjects, but also from personnel, sales, and sub-contractors. This means that organizations have various obligations, in terms of data processing, to make sure that requirements are complied with according to the GDPR.
Organisations that process and manage clinical trial data must now conduct data impact assessments (DIA) on both electronic and hard copy data. A data impact assessment should cover e.g. what the data is used for, how it’s managed, and what action is needed to mitigate any risks.
One of the most crucial parts of the GDPR is the concept of anonymization and pseudonymization of data. In the GDPR, pseudonymization is defined as:
“…the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.”
As such, any pseudonymized data that can be linked to a specific trial participant using other information (like a subject ID that’s linked to a social security number) shall be considered personal data. This means that all data that is not fully anonymized will always be considered personal data and shall be distinguished in trial protocols and consents.
Sponsors are also required to appoint a Data Protection Officer (DPO) who shall take part in managing and documenting many of the activities that surround data and information processing. In addition, the DPO will also act as the main interface to the company if there are any data breaches or inbound inquiries.
There’s a great misunderstanding surrounding the DPO paragraphs in the GDPR, where many think that such a profile will have to be hired from the outside. The fact is that, if you look into the requirements, a DPO can be a person who is already employed in the organization and who can be trained into the role. There is no need to hire an external DPO if the profile can be acquired in-house.
The GDPR brings new responsibilities, many of which are not new to the medical device industry. But even though informed consents and risk assessments have played a big role in clinical trials, there are still new requirements that have to be taken into consideration.
It’s clear that before initiating new clinical trials in the European Union, medical device manufacturers and CROs will have to ensure that the regulation is complied with. This will require additional efforts from internal operations to ensure that internal policies, standards, and subcontractors that process data from data subjects are compliant.
With the GDPR comes increased focus on transparency, security, and accountability. This will sway organizations to minimize their overall risk, to avoid the high penalties for non-compliance. As a result, companies will need solutions that can support their requirements for EU operations. It’s therefore important to identify trusted partners, and review contracts and internal policies, to ensure that future clinical trials and post-market surveillance studies are compliant.
For more information on the European Union GDPR, take a look at the official website of the European Commission.
The GDPR is just one of the new European Regulations that medical device manufacturers have to adhere to. Read more in the SMART-TRIAL white paper on the European Union Medical Device Regulation.
Get in touch if you want to find out how you can use SMART-TRIAL on your path to compliance.