Mary Kay Sobcinski, Sr. Clinical Principal Advisor
In part 1 of this blog, we will discuss the background of GDPR and key elements for sponsor consideration. In part 2, we’ll discuss specific requirements, including new terms with specific definitions, implications for clinical researchers and sponsors, and required elements to include in GDPR-compliant informed consent forms (ICFs).
Background
The new GDPR went into effect in the European Union (EU) on May 25, 2018. This broad legislation covers many aspects of personal information protection and confidentiality but information and guidance on its application to clinical research are very limited. Remarkably, clinical trials are only mentioned twice in the regulation. Although the regulation is specific to the EU member countries, it is expected that Great Britain will follow or adopt GDPR requirements, even if it exits the EU as planned.
GDPR and Clinical Trials
The previous EU privacy law, EU Directive 95/46/EC, has been superseded by GDPR. GDPR is intended to harmonize data privacy laws across the EU and to protect the privacy of all individuals while they are in the EU. This regulation is extra-territorial, meaning it applies to any organization that collects or processes personal data of individuals inside the EU, regardless of where the organization collecting or processing is located. Further, GDPR covers EU residents and non-residents residing in or visiting the EU if their study data are collected while they are in the EU.
A US study subject travels to the EU and is wearing an activity monitor; if activity monitor data are collected while the subject is in the EU, the subject must have given GDPR-compliant consent for the sponsor to collect those data.
GDPR-covered data are now broader than personal information coverage under previous legislation and include genetic and biometric data. Under GDPR, certain information must be provided to individuals before their personal data are obtained, such as the identity and contact details of the data controller (i.e. the sponsor), the contact details of the data protection officer (the designated person within the sponsor organization), the purposes and legal basis for data processing, the recipients of the data, how long the data will be stored, and the individual’s rights under the legislation. Children at least 16 years old can provide consent under GDPR, but if under 16 years old, consent must be granted by the holder of parental responsibility over the child.
Consequences
Failure to comply with GDPR has significant consequences. Heavy fines of up to 4% of a sponsor’s global revenue can be assessed depending on the scope of the violation. Therefore, having a well-defined privacy policy in place to ensure GDPR compliance is critical to preventing violations and potential heavy fines.
Recommendations
RCRI recommends that sponsors develop a privacy policy that specifically addresses GDPR compliance because any study conducted in the EU, or any study that collects information while a subject is in the EU, is governed by GDPR. Detailed data privacy information must be provided to study participants for GDPR-compliant studies from the very beginning. To ensure subjects receive all of the required GDPR information, include the information in the informed consent form (ICF) unless otherwise specified by a site’s Ethics Committee (EC) or the sponsor’s Competent Authority (CA).
In our next blog, we’ll explore new GDPR terminology and critical elements to include in GDPR-compliant informed consent forms.
RCRI consultants are available to help you navigate the uncharted waters of GDPR. To be put in touch with an RCRI expert, contact Samantha Spence at sspence@rcri-inc.com or 952-224-2260.
References
Advarra Regulatory The GDPR and its impact on the clinical research community (including non-EU researchers). Advarra. https://www.advarra.com/the-gdpr-and-its-impact-on- the-clinical-research-community-including-non-eu-researchers/ Accessed 31 Jul 2018.Clinical Trial General
Data Protection Regulation: the impact on clinical trials and data subjects. http://www.clinicaltrialsarena.com/uncategorized/general-data-protection-regulation-the- impact-on-clinical-trials-and-data-subjects-5937623-2/ Accessed 31 Jul 2018.
General Data Protection Regulation (GDPR): https://gdpr-info.eu/ Accessed 31 Jul
Gogates How does GDPR affect clinical trials? Applied Clinical Trials. http://www.appliedclinicaltrialsonline.com/how-does-gdpr-affect-clinical-trials Accessed 31 Jul 2018.
Kirsch Howe GDPR affects personal data use in in clinical trials. MassDevice. https://www.massdevice.com/how-gdpr-affects-personal-data-use-in-clinical-trials/ Accessed 31 Jul 2018.
LMK Clinical Research. Is your TMF ready for GDPR? Part two: know your http://www.lmkclinicalresearch.com/blogs/tmf-ready-for-gdpr-part-two/ Accessed 31 Jul 2018.
Proffitt What Europe’s new privacy regulations mean for US trials. Clinical Informatics News. http://www.clinicalinformaticsnews.com/2017/10/24/what-europes-new-privacy-regulations- means-for-us-trials.aspx Accessed 31 Jul 2018.
This two-part blog serves to summarize RCRI’s research on General Data Privacy Regulation (GDPR) compliance for medical device sponsors. It does not serve as legal advice; it is a summary of information gleaned by RCRI through a review of the GDPR itself and publically available resources on current interpretations of GDPR compliance. RCRI recommends that sponsors obtain legal counsel on this very new and evolving clinical research topic.
