1. We don’t collect personal data.
Every business collects personal data, but international regulations define personal data much more broadly than US regulations such as HIPAA do. Personal data is any data that relates to a person (usually a living person, but this depends on the country's regulation). That includes not only a name and other demographic or contact information, but also information such as email contents, IP addresses, performance reviews, photographs, survey results, computer analytics, and people's images on CCTV in your office.
You also collect personal data from several sources. Here are just a few:
Employees
Contracts
Vendor employees
Physicians
Physicians’ staff members
Clinical trial subjects (even if you don’t have access to their name – see #4 below)
Ad board participants
Patient advocates.
2. We’re not operating in the EU, so GDPR does not apply to us.
Are you sure? You may not have a physical office in the EU, but that does not mean that you're not operating in the EU as far as the EU is concerned. Here are some ways you may be operating in the EU that you don't realize still expose you to data protection requirements:
You’re running clinical trials in the EU (even if you have a CRO).
Your drugs are marketed in the EU.
You use vendors in the EU (such as manufacturers).
You have employees who live in the EU (even if you don’t have an office there).
You’re working to branch out into the EU (e.g., you’re a CRO or vendor trying to get EU clients/work).
3. We’re sure we’re not operating in the EU, so we’re set from a data privacy/protection standpoint.
You may not be operating in the EU or UK, but you may be operating in countries with data protection laws and regulations. The US has the California Consumer Privacy Act (CCPA, soon to be replaced with a more GDPR-aligned CPRA), which affects businesses with employees or customers in California. Other countries such as Canada, Australia, and South Africa also have their own unique data protection laws and regulations that you may need to consider.
4. Our data is pseudonymized/coded, so we don’t collect personal information in clinical trials.
Not so fast. GDPR and most other international data privacy laws consider pseudonymized data to be identifiable even if you don't have access to the code to re-identify it. For example, if you're running a clinical trial in the UK and you don't have access to the list that states subject 100-001 is Jane Doe, as long as that list exists somewhere (e.g., at the trial site), anyone handling that data (e.g., sponsor, labs, CRO, etc.) has to treat that data as they would if it were attached to a name. Some countries, like Australia, do not take this approach, but most countries with data protection laws do.
5. We’re a non-profit, so privacy regulations don’t apply to us.
Some US data protection regulations, like the CCPA, do not apply to non-profits, but GDPR and other international data protection regulations generally do. While there are some exceptions for work in the public interest, most regulations still apply to non-profits.
6. We have a CRO in the EU (or another applicable country), so we leave data protection to them to handle.
The answer to data privacy is never, "we let the CRO or vendor handle it." This is so important I'm going to say it again. The answer to data privacy is never, "we let the CRO or vendor handle it." While this may be confusing, since we're used to working in an industry where we can transfer responsibilities to CROs and other vendors, data privacy does not work like this. You, the sponsor/pharmaceutical company/controller, are always primarily responsible for data protection. While you can put language in the contract to require vendors and CROs to comply with data protection regulations, you are ultimately responsible for ensuring that data for which you're the controller is protected.
Disclaimer: The information provided by this website is business information and not legal advice. Interactions with this website or its owners do not establish an attorney-client relationship.