One year has now passed on the compliance journey, and as year 2 begins, here are some items for the life sciences and health care industry’s to-do list:
1. If your compliance program isn’t working, fix it
Life sciences and health care companies may be in a better place than unregulated companies since there is already a compliance infrastructure, but this sector was probably as much affected by the rush to prepare for the EU General Data Protection Regulation (GDPR) as others. Different departments, divisions, product lines or even regions may have had responsibility for helping to deliver the project and this first year has probably resulted in lessons being learned as GDPR compliance has been operationalized. Year 2 provides:
- An opportunity to prioritize various functions, such as clinical trials and consent, obligations in relation to post-market surveillance requirements, and the interaction with the GDPR
- An opportunity to benchmark against long-awaited guidance from the European Data Protection Board and various supervisory authority decisions, as well as time to reflect on what works and what can be improved
- An opportunity for life sciences and health care companies to focus on governance and their roles as controllers and processors for the different products and services offered
- An opportunity to focus on the real risks and focus on risks in the next steps along the compliance journey
2. Consent: children, users, clinics and HCPs
Breaking down the types of consent required and when it is appropriate to obtain consent can be difficult. Certainly the guidance on the interplay between the EU Clinical Trials Regulation and the GDPR was helpful, but as yet there is no guidance on the requirements related to post-market surveillance or on the EU Medical Devices Regulation and EU Intro Vitro Diagnostic Medical Devices Regulation, particularly whether certain analytics requirements under these regulations results in the processing of personal data whether consent would be required. Nor is there guidance about children’s consent in relation to clinical trials and whether extra steps are required. Where life sciences and health care companies offer digital services, the most recent draft of the Information Commission Office’s children’s code of practice may prove helpful in terms of age-appropriate privacy-by-design considerations, but where products have been on the market for some time, such as patient monitoring and management tools, companies may have to take these considerations into account in their next updates.
For clinics and health care professionals (HCPs) the line between consent and provision of a product subject to contract is also not always clear, especially when an HCP or small clinic is considered a sole trader and has the same rights as consumers and users/patients. Determining where consent is appropriate may be worth revisiting in year 2, particularly bearing in mind that consent may not be the easy or most appropriate legal basis for processing data.
3. Data protection impact assessments (DPIAs)
These risk assessments remain a useful tool, but after a year of trying to determine when they should be used and whether they accurately reflect the risks, it may be that year 2 should focus on refining the process. For life sciences and health care companies, almost every form of processing of patient data will require a DPIA, especially in relation to any digital service offering, such as patient monitoring and management. In addition, the public tender process and obligation to provide information on risks to controllers may require a rethink about how to provide such information to controllers to whom this sector provides services.
4. Scientific research
While processing personal data for scientific research or statistical purposes continues to be granted a greater degree of flexibility, the GDPR expressly requires organizations to put in place appropriate safeguards when relying on this “research exemption.” As companies conduct research into new MedTech and digital health, data lakes become more prevalent. The rights and freedoms of data subjects must always be weighed while building in the concept of data minimization, pseudonymization and other security safeguards, such as restricted access when conducting research that goes beyond a clinical trial. Wherever possible, the research should be conducted using data that does not identify the individual.
5. Keep up staff training on security and record it
Training, training and more training! To embed the GDPR into an organization, training cannot be a one-off, and if organizations processing patient data or exposed to patients in the field are going to support medical devices or even conduct clinical trial audits, it is important to carry out regular training and to refresh training with any lessons learned since the GDPR came into force last year. An educated workforce is an essential tool in an organization’s compliance toolkit, and evidencing that training may also demonstrate actions taken that help to mitigate any damage suffered, should that be needed if a supervisory authority comes knocking.