In May 2018, the General Data Protection Regulation (GDPR) entered into effect in EU member states, replacing a longstanding and less rigorous data and e-privacy directive. Not only does the GDPR provide a uniform set of rules for data processing throughout the EU, it also heralds a change in the way data privacy is handled, says Elisabethann Wright, a Hogan Lovells partner in Brussels.
But the new requirements established by the regulation may substantially change the way life sciences companies collect and process personal health data and communicate with data subjects. In this hoganlovells.com interview, Wright details many of those changes, including stricter obligations for data controllers and processors, broader rights for data subjects, and the role of data protection authorities. She also suggests strategies to help life sciences firms stay compliant.
Why was the GDPR enacted?
Wright: It was enacted because, quite candidly, the existing legislation that had been in force since 1995 was not a huge success. It was somewhat general in nature, and the undertakings and obligations that it required did not necessarily permeate down into practice.
So on the 25th of May 2018, the GDPR entered into force in the EU. One aspect that’s important about the regulation is that it is a regulation. That means that, in principle — and I have to underline that it is in principle — all of the member states of the EU should apply the regulation and interpret it in the same way. There will invariably be changes, interpretations, and questions from the individual member states, but we hope to have a more consistent approach to data protection in the future than we sometimes have now.
How are the GDPR’s data privacy rules relevant to the life sciences industry?
Wright: Data collection and processing is the very nature of digital health. For it to function, it needs to collect and process the personal data of patients. Collection of personal data on physicians, vendors, and processors falls within the scope of the GDPR.
The definition of personal data is very broad. It essentially means any information that permits the direct or indirect identification of an individual. This can include your name, an identification number, location name, an online identifier, or various factors that permit the identification of the individual.
So, it is easy: if you are collecting any of that data, you will very possibly find yourself within the scope of the directive. And if after collecting the data, you are then processing any of that data as part of your digital health presentations, again, you’re going to find yourself within the scope of the GDPR.
Processing that will be affected by the GDPR is any operation or set of operations — and I have to underline “any,” as it really is very easy to get within the scope of the GDPR — that is performed on personal data or sets of personal data, whether or not it’s automated. The GDPR applies to processing that is wholly or partly automated and to nonautomated processing that forms part of a filing system. Again, the Regulation has a much broader scope than had the directive.
There are, of course, certain exceptions and activities that fall outside the scope of the GDPR, such as personal activity of an individual. If you are making your own shopping list, you are not going to fall within the scope of the regulation. Neither will certain activities by the authorities, particularly relating to the criminal investigation system.
What are the GDPR rules for collecting personal health data?
Wright: As a general principle, the GDPR prohibits the processing of certain types of personal data, including personal health data. This means that, as a first step, if you want to collect the data as part of your digital health offering and you are going to process it, you first need to find a route to collect that data.
Essentially the way that you need to collect that data is through the explicit consent of the patient. You need to tell the patient that you are going to collect that data; what you are going to do with the data; who is going to have access to it; what is going to happen to it; how long it will be stored; and what will happen to it at the end of the processing activities. All of those aspects will need to be built into your digital health offering if it permits the collection of personal health data of a patient.
How have the rights of the patient changed under this regulation?
Wright: This is probably the most important question. If you are collecting personal data of patients — or indeed, of anyone — and you are processing that data, you are falling within the GDPR and this provides patients with certain rights. This is one of the major changes that the GDPR brings, and it is a welcome change. Because until now, the directive and the implementing national legislation of the individual EU Member States have had this very cryptic, abstruse provision that said individuals have the right to access and seek modification of their personal data held by an entity as permitted by the national law. That was such an unwieldy provision that it was really quite rarely used.
But now, as I mentioned, if you are collecting the data of a data subject, you need to tell them that you are collecting it. They must have access to that data; they must be entitled to correct the data; they must be entitled to have it erased; they must in certain circumstances be able to restrict processing; they must be given the right to take their data away and bring it to another third party — this could have implications if you’re conducting a study on your device — and they must not be subject to a decision based on automated processing.
The important point here is that, if you are going to collect data of patients, all of those provisions must be included in any informed consent that you craft for the patient. The patient has the right to know what data has been collected and what is going to happen to it.
What are the obligations of a life sciences company in those circumstances?
Wright: Your obligation is that you must demonstrate that the data collection you are doing is lawful, fair, and transparent. You must limit collection to only the purpose for which you need it. This is privacy by design: you can only collect what you need to collect, you can only use it for the purposes that you need to use it, and you can only keep it for as long as you need to keep it.
Who is the data controller in this scenario?
Wright: In your digital health presentation, if you determine the purposes and means of processing, or if you determine what data is being collected with your device, you are the controller.
If you are an entity that processes data on behalf of the controller — if, for example, you collect data related to the vital statistics of the patient and someone else manipulates or processes the data and comes to a diagnosis — they are the data processor.
To summarize, the seven lawful principles of data protection are lawfulness; limitations; data minimization; accuracy, which is really important; storage limitation; integrity; and confidentiality.
How does the GDPR address cybersecurity?
Wright: You need to be able to establish a process within your facility, in your processing, to ensure protection against security breaches. We have already seen in our own experience that the member states are taking a very strict approach to this. If there is any possibility that your software is open to vulnerabilities, they can require that you communicate with users and develop a patch to resolve this vulnerability. They really are strict. This is an essential principle of the EU in action.
If you are sharing data with a data processor, you are obliged — as is the data processor — to follow certain strict rules. You must consider establishing a data transfer agreement and a data processing agreement so that both parties know exactly what is expected, and each party has the necessary protection and encryption and procedures in place to ensure protection of the patient and, indeed, anyone else, and the reliability and responsibility of each of the parties.
Can companies use the data they’ve collected for secondary purposes?
Wright: Again, as I mentioned, privacy by design and default: that is, you collect only the data that you need to collect. Now this gives rise to a whole discussion about secondary processing. This is still — as it has always been in the EU — a very obscure area. It is unclear whether GDPR either expands or limits this; there is still a great deal of discussion about that.
In the event of a data breach, what does the GDPR say about notifications?
Wright: EU regulation governing a data breach is something that is relatively new. If a data breach occurs, you must notify a supervisory authority within 72 hours, unless the breach is unlikely to result in risk. This is the opposite of quite a lot of adverse event reporting. Instead of saying, we are only going to report if we think there is a risk, under the GDPR you need not report only if you can document that the data breach is unlikely to present a risk. This is different and it demonstrates the strict approach of the GDPR.
Do you need to communicate with the patient if there is a data breach? According to the GDPR, if a breach is likely to result in a high risk to the rights and freedoms of natural persons, you need to notify them. You need to document reporting procedures, and you need to set up your policies, train to those policies, and enforce those policies.