General Data Protection Regulation (GDPR)

What is the GDPR ?

Companies were compelled to overhaul their data protection and privacy measures to adhere to it or risk facing substantial penalties.

While it was formally "established" in 2016, there was a two-year transition period provided for organizations to modify any necessary policies to achieve compliance. The regulation was fully implemented in May 2018.

Europe has consistently been at the forefront of data protection. Its privacy laws have a history spanning 70 years. Prior to the GDPR, the European Convention on Human Rights of 1950 recognized Europeans' privacy rights. This Convention was a catalyst for embedding the right to privacy in legal terms.

Before the advent of GDPR, the EU Data Protection Directive was the guiding principle for data privacy. However, it was introduced in 1995, a time when data collection wasn't as extensive as today and before the digital commerce era left user data footprints that marketers could trace online.

By 2012, the European Parliament acknowledged that the Directive was inadequate. The rapid surge in data collection by websites and the inconsistent privacy laws among the then-28 member states were perplexing and lacked robustness. This led to the drafting of a regulation, the most potent legal instrument in the EU.

In essence, if an entity gathers, utilizes, or retains personal data of EU residents, irrespective of the processing location, it falls under the purview of this regulation.

GDPR requirements, scope and definitions

While the GDPR originates from the EU, its scope isn't limited to just EU-based businesses. It possesses what is termed as 'extraterritorial scope.' This implies that even if a business isn't functioning within the EU boundaries, like a U.S.-based company, but caters to EU clientele, it is bound by the GDPR. Furthermore, the GDPR mandated that EU member nations enact local laws that align closely with the GDPR's stipulations.

The primary objective of the GDPR is to safeguard the privacy of individuals, referred to in the legislation as "data subjects," while also facilitating the operations of businesses that depend on data. To maintain this equilibrium, the GDPR introduced several novel data protection concepts, such as:

  • Broader categorizations of "personal data" and "sensitive data."
  • Principles of data protection integrated into technology and operational designs.
  • Measures to ensure accountability.
  • Enhanced rights for data subjects, encompassing the right to erasure and the right to challenge automated data processing.
  • Guidelines concerning data breach notifications.
  • Moreover, the partners of companies aren't exempted. If you handle data for a company that serves EU residents, adherence to the GDPR is mandatory.

What are the potential sanctions if a a company does not comply with the GDPR ?

Non-compliance with the General Data Protection Regulation (GDPR) can result in significant sanctions for companies. The GDPR has set out a tiered approach to penalties, and the severity of the fine depends on the nature and gravity of the breach. Here are the potential sanctions:

Administrative Fines:

Lower Tier Fine: Up to €10 million or 2% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. This fine is applicable for less severe infringements, such as:

Not having records in order.
Not notifying the supervising authority and data subject about a breach.
Not conducting an impact assessment.

Upper Tier Fine: Up to €20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. This fine is for more severe infringements, including:

Violating the core principles of processing, including conditions for consent.
Infringing upon the data subjects' rights.

Transferring personal data to a recipient in a third country or an international organization that doesn't ensure an adequate level of data protection.

Reputational Damage: Beyond the financial penalties, companies that fail to comply with the GDPR can suffer significant reputational harm. This can lead to a loss of trust among customers and clients, potentially impacting business relationships and revenues.

Legal Actions: Data subjects have the right to seek judicial remedies against data controllers and processors. They can also claim compensation for damages resulting from GDPR violations.

Corrective Measures: Data protection authorities can impose corrective measures on non-compliant organizations. These can include:

Issuing warnings or reprimands.
Ordering the company to comply with data subject requests (e.g., data access or erasure).
Imposing a temporary or permanent ban on data processing.
Ordering the rectification or erasure of personal data.
Suspending data transfers to certain countries or organizations.

Audits: Non-compliant companies might be subjected to periodic data protection audits to ensure they adhere to GDPR provisions in the future.

Loss of Certification: If a company has received a GDPR certification or code of conduct, non-compliance can lead to its revocation.

It's worth noting that when determining the amount of the fine, data protection authorities consider several factors, including the nature, gravity, and duration of the infringement, the number of data subjects affected, the level of damage, any previous infringements, and whether the violation was intentional or negligent.

How does a company in the life sciences sector adhere to the seven core principles of the GDPR?

The GDPR outlines seven core principles that organizations are required to adhere to. These principles include:

  1. Lawfulness, Fairness, and Transparency: Data processing should be lawful, ensure fair treatment of data subjects, and be carried out transparently.
  2. Purpose Limitation: Organizations should process data solely for well-defined and legitimate purposes, which must be clearly communicated to data subjects prior to data collection.
  3. Data Minimization: Only the essential data required for a specific purpose should be collected and used. Access to personal data should be restricted to employees who need it to perform the tasks for which the data subject has given consent.
  4. Accuracy: It's imperative for organizations to maintain and update data to ensure its accuracy.
  5. Storage Limitation: Personal data should be retained only for the duration necessary for its intended use. Once its purpose is fulfilled, the data should be promptly deleted.
  6. Integrity and Confidentiality: Data should be processed in a manner that safeguards its security, integrity, and privacy, such as by using encryption during data transfers.
  7. Accountability: Organizations bear the responsibility of proving their compliance with GDPR. This entails maintaining comprehensive records of data activities, ensuring staff are adequately trained in data protection practices, and establishing data processing agreements with any third-party vendors handling data on their behalf.

By adhering to these principles, organizations can ensure they process personal data responsibly and in line with GDPR requirements.

What is considered personal data in the life sciences context ?

In the context of life sciences, personal data refers to any information that can be used to identify an individual directly or indirectly, especially when combined with other data. Given the nature of life sciences, which often involves clinical studies, research, and patient data, the definition of personal data can be quite expansive. Here's a breakdown of what might be considered personal data in this context:

  • Basic Identification Information: This includes names, addresses, phone numbers, and email addresses of patients, study participants, or any other individuals involved.
  • Health and Genetic Data:
  1. Medical histories, diagnoses, and treatment information.
  2. Results from laboratory tests and medical imaging.
  3. Genetic data, which can provide information about an individual's genes, their health risks, and potential responses to treatment.
  4. Biometric data, such as fingerprints or retina scans, which might be used for identification purposes in certain studies.
  • Clinical Trial Data: Information about individuals participating in clinical trials, including their responses to treatments, side effects experienced, and any other data collected during the trial.
  • Pharmacovigilance Data: Information related to the adverse effects of medicines or vaccines.
  • Lifestyle and Socioeconomic Data: This can include information about an individual's diet, exercise habits, occupation, and socioeconomic status, which can be relevant in epidemiological studies or when considering factors that might influence health outcomes.
  • Patient-Reported Outcomes: Feedback and data provided directly by patients about their health status, quality of life, or treatment experiences.
  • Digital and Device Data: Data generated from wearable devices, health apps, or any other digital tool that collects health or behavior-related information.
  • Research Data: Any data collected during research studies, even if not directly related to health, if it can be linked back to an individual.
  • Consent Forms: Documents in which individuals provide consent for treatments, participation in studies, or data collection, which contain personal identifiers.

It is important to understand that de identified data or also known as pseudonymized data under the GDPR are also known as personal data are also considered as personal data and thus are covered by the regulation.

What is the difference between a Data Controller and a Data Processor and how does this apply in the context of clinical trial?

  • Data Controller:

Definition: The Data Controller is the entity that determines the purposes and means of processing personal data. In other words, they decide why and how personal data should be processed.

In the Context of Clinical Trials: The sponsor of the clinical trial, which could be a pharmaceutical company, a biotech firm, or a research institution, typically acts as the Data Controller. They decide the purpose of the clinical trial, design the study, and determine what data needs to be collected from participants. Joint controllership can also come into ply in specific cases.

  • Data Processor:

Definition: The Data Processor is the entity that processes personal data on behalf of the Data Controller. They don't decide the 'why' and 'how' of data processing but instead carry out the actual processing based on the controller's instructions.

In the Context of Clinical Trials: Contract Research Organizations (CROs), laboratories, or data management companies often act as Data Processors. They handle specific tasks like data collection, data storage, or analysis as directed by the trial sponsor (Data Controller). For instance, a laboratory might analyze blood samples from trial participants and report the results back to the sponsor.

Implications in Clinical Trials:

Responsibilities and Liabilities: The Data Controller is primarily responsible for ensuring that the personal data processing complies with data protection regulations. However, the Data Processor also has specific responsibilities, especially under the GDPR, to ensure data is processed securely and in line with the controller's instructions.

Contracts and Agreements: In clinical trials, there should be clear contracts or agreements between the Data Controller (e.g., pharmaceutical company) and the Data Processor (e.g., CRO). These contracts delineate responsibilities, ensure data protection measures are in place, and establish protocols in case of data breaches.

Consent and Rights of Participants: The Data Controller is typically responsible for obtaining informed consent from trial participants. This consent should clearly state how their data will be used, stored, and shared. Participants also have the right to access their data, request corrections, or even ask for their data to be deleted, and the Data Controller must facilitate these rights.

How can a life sciences organization manage data transfers in accordance with the GDPR?

Navigating data transfers under the GDPR is crucial for life sciences companies, given the sensitive nature of the data they handle and the global nature of research and clinical trials. Here's a guide for life sciences companies to manage data transfers in compliance with the GDPR:

  1. Understand the Data Flow:
  2. Map out where and how personal data is collected, processed, stored, and transferred. This will help in identifying where cross-border data transfers occur and the nature of the data being transferred.
  3. Determine the Legal Basis for Data Transfer:
  4. Life sciences companies must have a valid legal basis for transferring personal data. This could be based on informed consent, the performance of a contract, or a legitimate interest.
  5. Adequacy Decisions:
  6. The European Commission can recognize non-EU countries as providing an "adequate" level of data protection. If transferring data to a country with an adequacy decision, no further safeguards are required. Check if the destination country has such a decision in place.
  7. Standard Contractual Clauses (SCCs):
  8. In the absence of an adequacy decision, SCCs can be used. These are pre-approved contracts by the European Commission that provide protective clauses for personal data transferred outside the EU.
  9. Binding Corporate Rules (BCRs):
  10. For multinational life sciences companies, BCRs can be a mechanism to transfer data within the corporate group. BCRs are internal rules that ensure a consistent level of data protection across global entities.
  11. Data Protection Impact Assessments (DPIAs):
  12. For high-risk data transfers, especially those involving sensitive health data, conduct a DPIA to assess and mitigate potential risks.
  13. Vendor Management:
  14. Ensure that third-party vendors, such as Contract Research Organizations (CROs) or data storage providers, comply with GDPR requirements for data transfers. This is typically achieved through Data Processing Agreements (DPAs) that outline responsibilities and requirements.
  15. Stay Updated on Local Regulations:
  16. While the GDPR provides a framework, individual countries may have additional regulations or interpretations related to data transfers. Stay informed about local laws in countries where data is being transferred to or from.
  17. Implement Strong Cybersecurity Measures:
  18. Given the sensitive nature of data in life sciences, ensure that data transfers are secure. Use encryption, pseudonymization, and other security measures to protect data during transit.
  19. Regularly Review and Update Data Transfer Mechanisms:

Given the evolving nature of data protection regulations and legal challenges (e.g., the invalidation of the EU-US Privacy Shield - ew data privacy framework , regularly review and update data transfer mechanisms to ensure compliance.

What are the essential documents a life sciences company needs to have in place to ensure GDPR compliance?

To comply with the General Data Protection Regulation (GDPR), companies need to create, maintain, and regularly update a range of documents that demonstrate their commitment to data protection. These documents not only ensure compliance but also serve as evidence that the company is actively managing and protecting personal data in line with the regulation. Here are the main documents that companies typically need to implement:

  1. Data Protection Policy: This is a comprehensive document that outlines how the company collects, processes, stores, and deletes personal data. It should cover the principles of data protection and provide a clear framework for staff and stakeholders.
  2. Privacy Notice: This is a public-facing document that informs data subjects (e.g., customers, employees) about how their data is being used, the legal basis for processing, their rights, and how they can exercise those rights.
  3. Data Processing Agreements (DPAs): If a company uses third-party vendors or data processors, it needs to have formal agreements in place that outline the responsibilities and requirements for data processing in line with GDPR.
  4. Data Protection Impact Assessments (DPIAs): For high-risk data processing activities, companies need to conduct DPIAs to identify and mitigate potential data protection risks.
  5. Record of Processing Activities: This is an internal document that lists all data processing activities within the company, detailing the purpose of the processing, data categories, data recipients, and data retention periods.
  6. Data Breach Notification Protocol: This document outlines the steps the company will take in the event of a data breach, including how to identify, report, and manage breaches.
  7. Data Subject Access Request (DSAR) Procedure: This outlines the process for handling requests from data subjects exercising their rights, such as access, rectification, erasure, and data portability.
  8. Data Retention Policy: This document specifies how long personal data will be stored and the criteria used to determine retention periods.
  9. Consent Forms: If a company relies on consent as a legal basis for processing, it needs to have clear and compliant consent forms that can be easily withdrawn by data subjects.
  10. Training Materials: To ensure that all employees understand their responsibilities under the GDPR, companies should have training materials and regular training sessions on data protection.
  11. Appointment of a Data Protection Officer (DPO): If required (e.g., for public authorities or companies processing large amounts of sensitive data), the appointment and details of the DPO should be documented.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified