Q: Why is privacy such a hot topic?
A: Privacy and data protection regulations are popping up all over the world. And while they are less stringent in the US, other countries see data privacy as a fundamental right, in that people should have control over what data companies hold and what happens to that data. GDPR and other international data protection laws apply to businesses outside the EU/UK doing business within, so as companies within the US expand their business to the EU/UK, they become subject to these laws and all the requirements that come with them.
Q: Is privacy in all EU countries the same under GDPR?
A: To some extent, yes, but it’s good to review the laws of each country you’re operating in. Additionally, post-Brexit, the UK has its own set of requirements, such as its own Standard Contractual Clauses (SCCs). Some EU countries also have their own data protection language that must be standardized in the ICF.
Q: For clinical trials, we provide an informed consent form (ICF). Isn't that sufficient?
A: No. And this one bears repeating. No. IRBs are not responsible for ensuring that your ICF has proper data protection language in it, and many IRBs are still learning data protection. Ultimately the controller (i.e., the sponsor) is responsible for data protection and for ensuring that the required elements have been met, which include providing data subjects with proper “notice.” IRBs are not responsible for ensuring that your ICF complies with local data protection regulations, such as informing data subjects about data transfer mechanisms, data subject rights, DPO identification, etc.
While the ICF is a good place to put required data protection language for data subjects, it’s still the controller’s responsibility to ensure all the regulatory elements are included.
Q: Is privacy different in the pharmaceutical industry?
A: Pharma is a very unique industry with many moving parts and never-ending acronyms. Even though privacy rules are the same for the pharmaceutical/device/biotech industry, how the data is collected and used, and the regulations governing it, are all very nuanced as well. Privacy itself is a difficult topic, as is how we get drugs and devices to market, so having a privacy expert who understands your industry makes privacy initiatives run much more smoothly and efficiently.
Q: What do I need to consider when thinking about privacy?
A: When thinking about privacy, you should be asking (1) where is my data going? and (2) what types of data will I be collecting? Oftentimes, companies get so focused on “data subjects” being “clinical trial subjects” or patients that they forget they’re collecting personal data from others as well, including monitors, investigator site staff, physicians, and caregivers. It’s not possible to have a GDPR compliance program without understanding your data, as accountability is one of the key tenets of GDPR and other data protection regulations.
Q: Our clinical research is pseudonymized; we don't collect names. We don't need to worry about GDPR and other privacy laws, right?
A: This is one of the most common misconceptions about data protection. GDPR and most other international data privacy laws consider pseudonymized data to be identifiable even if you don’t have access to the code to re-identify it. For example, if you’re running a clinical trial in the UK, and you don’t have access to the list that states subject 100-001 is Jane Doe, as long as that list exists somewhere (e.g., at the trial site), anyone handling that data (e.g., sponsor, labs, CRO, etc.) has to treat that data as they would if it were attached to a name. Some countries, like Australia, do not take this approach, but most countries with data protection laws do.
Q: What are data transfers?
A: Data transfers occur after data has been originally collected. A transfer is when that data is then moved to another location, system, or platform. For a systems example, if data is collected from an investigator site in an EDC system, and then it’s transferred or stored as final data in the eTMF, that is a data transfer. For a locations example, if an investigator site collects data about a subject at their site for an SAE, and then completes a form documenting this information and sends it to the PV/safety vendor, that’s also a data transfer.
Data transfers are heavily regulated and are the source of some of the most common newsworthy fines. In order to transfer data from the EU/UK (or another country with similar laws and regulations) to another country, either the destination country must have “adequacy” or an approved mechanism of transfer must be in place for the transfer to be legal. The US does not have adequacy status for GDPR transfers, and therefore an approved mechanism must be in place. Most commonly, the mechanism used is Standard Contractual Clauses (SCCs), which are a complex document with nuances about importers and exporters and the technical and organizational measures in place to protect the data once it leaves the country.
Q: My company is in the US - do I have to comply with GDPR and other laws?
A: The territorial scope of the GDPR includes not only companies operating out of the EU/UK, but also those who are collecting personal data from individuals in the EU/UK, even if the processing occurs in the US. Therefore, if you’re conducting any types of activities in another country where you’re collecting personal data, you’re likely subject to that country’s data privacy and data protection laws and regulations.
Q: When should we establish a GDPR compliance program?