By now you are probably familiar with the European Union (EU) General Data Protection Regulation (GDPR), which went into effect on May 25, 2018. The GDPR is designed to give people in the EU more control over their personal data and to give businesses a level playing field. Every organization that processes the personal data of people in the EU must follow the GDPR to avoid heavy fines.
It is important to remember these key GDPR points:
- Increased Territorial Scope: GDPR applies to any organization that collects or processes the personal data of people in the EU, regardless of where the organization is located. For example, an American pharmaceutical company that processes data of people in the EU must follow the GDPR requirements. The regulation leaves little to no room for ambiguity on this point.
- Penalties Will Follow an Infringement: The regulation imposes heavy fines on organizations that do not comply. For the most serious infringements, a supervisory authority can issue a reprimand, impose a temporary or definitive ban on processing, and fine the organization up to 4% of annual global turnover or €20 million, whichever is greater. Where intended processing is merely likely to infringe the regulation, a warning may be issued. You can learn more about penalties here.
- Consent Must Be Obtained: Where consent is the basis for processing, organizations must request it from people in the EU in a clear, concise, and easily accessible form, using plain language, before processing their personal data. A person who has given consent can withdraw it at any time, and withdrawal must be as easy as giving consent. Data subject rights include:
- Right of access to their personal data
- Right to erasure (the “right to be forgotten”)
- Right to rectification (amendment of inaccurate data)
- Right to restriction of processing
- Right to data portability
- Data Protection Officer: Organizations whose core activities involve large-scale processing of special categories of data, such as the health data handled in clinical trials, must appoint a Data Protection Officer (DPO) to ensure that the personal data of staff, customers, providers and any other individual is processed in compliance with GDPR. Learn more here.
You can view more GDPR points and detailed data subject rights here. How are all these changes going to affect clinical trials?
Collected data is essential to the continuation of clinical trials. Clinical trials must abide by GDPR and obtain freely given, specific and informed consent from participants in a study. Since “erasing” data from a clinical trial can be detrimental to the statistical validity of the study, Article 89 of GDPR allows the EU or Member States to derogate from certain data subject rights, including erasure, where those rights would seriously impair the scientific research purpose and the derogation is necessary for it, provided appropriate safeguards such as pseudonymization are in place. Data that does not fall under such a derogation must be erased without undue delay when a valid request is received. If a participant decides to leave a study, collection of any further information from that participant must cease.
Since patient information is sensitive, many past and current clinical trials already meet most of the new requirements. The biggest change for clinical trials is the enhanced requirement for consent: forms must be easy to read and accessible, and they must now state the intended use of any data collected in the study.
Working with your electronic data capture (EDC) provider to reach GDPR compliance
As the Processor, or data importer, we are taking the appropriate technical and organizational measures to make it easier for our clients, the Controllers, or data exporters, to follow the General Data Protection Regulation in their activities. For example, we notify the CRO or Sponsor (the Controllers) without undue delay after becoming aware of a personal data breach, so that they can meet their own 72-hour notification deadline to the supervisory authority. We have also taken the steps to become GDPR-compliant ourselves and to keep the information of our customers safe and up to the standard of the new regulation. This month, we will be hosting our “Effect of GDPR on Clinical Trials and EDC Compliancy” webinar. To receive information about this webinar (or future webinars), join our mailing list here.