The EU's General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It overhauled EU data protection law, bringing in enhanced rights for individuals and new obligations on data controllers and processors, as well as significant penalties for non-compliance. The GDPR should always be read in conjunction with relevant local Member State law – in the UK, with the Data Protection Act 2018 (DPA18) – and data being processed for life sciences may also have to comply with provisions under the Clinical Trial Regulation and applicable pharmacovigilance legislation.
GDPR compliance is an ongoing issue, not a tick-box exercise. You not only have to do the right thing, you have to be able to demonstrate you are complying. As the UK's regulator, the ICO, has said repeatedly, the GDPR largely takes a 'risk-based approach'. Clearly legislation cannot cover all situations, so organisations are often required to make their own assessment as to the right approach on a case-by-case basis, using regulator guidance where available.
There are a number of aspects of the GDPR which are particularly challenging for life sciences businesses. They often rely on processing personal data, and, in particular, sensitive or special personal data, whether for research, clinical trials, pharmacovigilance, or to programme machine learning in the operation of medical devices.
The GDPR applies not only to EU organisations but also to non-EU organisations offering goods or services to data subjects in the EU or monitoring their behaviour to the extent that the behaviour takes place in the EU. Multi-nationals cannot afford to ignore it, even if their head offices are outside the EU.
One of the great benefits of the GDPR for multi-nationals with establishments in more than one EU Member State, or processing the personal data of individuals from different Member States, is that, provided they are able to identify a main establishment with responsibility for decisions relating to the processing of personal data in the EU, they can appoint a lead EU regulator in respect of that processing and take advantage of the 'one stop shop' regulatory mechanism, rather than having to deal with a number of regulators across the EU.
Enforcing the GDPR against a business without an EU presence is a challenge for regulators. The GDPR attempts to deal with this by introducing a requirement for non-EU organisations caught by the GDPR to appoint a representative to act as a conduit between the non-EU controller or processor and relevant EU regulators and data subjects.
While UK organisations have not had to think too hard about representatives to date, Brexit is likely to change this. UK businesses which have no other establishment in the EU but which are within the GDPR's territorial scope will need to appoint a representative at the end of the transition period (unless and until alternative arrangements are agreed).
Similarly, the UK government intends that after the UK exits the EU (excluding during any transition period), the UK version of the GDPR will require that a controller or processor located outside the UK, but caught by the UK GDPR, will be required to appoint a UK representative.
What is personal data?
What constitutes personal data is widely defined and covers any information relating to an identified or identifiable natural person. This is anyone who can be identified directly or indirectly and includes pseudonymised data. Pseudonymised data is data which can only be attributed to an individual when combined with additional information, where that information is kept separately and is subject to technical and organisational measures which protect the individual from being re-identified, for example, a unique ID for a trial participant. This is an important distinction for life sciences businesses. They may be able to do more with their personal data by pseudonymising it, not least comply with security requirements, but it remains personal data. It is only by completely anonymising personal data, in such a way that it cannot be re-identified from other information, that data falls out of the scope of the GDPR.
Special or sensitive personal data accounts for the majority of personal data processed in a life sciences context and this kind of personal data attracts additional protections (see below). Special categories of data likely to be processed include genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, religion, ethnic background or data concerning a natural person's sex life or sexual orientation.
Who is responsible for the processing?
The primary responsibilities for processing personal data lie with the data controller – the entity which alone or with others determines the purposes and means of the processing. In the context of a research study, for example, the sponsor will be the one who decides what data is collected for the study and will be acting as a controller in relation to the research data.
The GDPR also introduces direct obligations on data processors – those processing personal data on behalf of the controller – for the first time. Clinical or contract research organisations are often data processors, for example. Obligations on processors include keeping data processing records, ensuring privacy by design and default, security obligations and reporting requirements. Data controllers are required to have written agreements with their data processors which need to cover stipulated elements.
In some cases there will be more than one data controller with regard to a data set and they may become joint controllers where they jointly determine the purpose and means of processing. This can be (but is not always) the case with the sponsor of a clinical trial and the trial centre. The sponsor may draw up the protocol, produce guidelines and verify compliance, while the trial centre will conduct the trial and deal with providing patients with information and getting their consent. If both the sponsor and the trial centre will be making decisions about the data processing relating to the trial, they will be joint controllers.
It is also possible for two parties to be controllers in common. If this is the case, having a protocol for managing the transfer of personal data between them is crucial and giving clear and proper information to data subjects about the data processing activities of each party will be important but often difficult. It should always be clear, both to the parties and to data subjects, what each controller of data is doing with it and for what purpose.
Data protection principles
The data protection principles are at the heart of the GDPR. If you do your best to comply with them then you are halfway there, although the risk of non-compliance with the remaining half must also be tackled, so you can't rest on your laurels. Personal data must be processed fairly and lawfully, and part of that requirement is providing individuals with set information as to what is happening to their data throughout its processing journey, including when it is transferred to other controllers or processors.
Data has to be collected for specified, explicit and legitimate purposes and must not be processed for further purposes incompatible with the original purpose. A potentially useful exemption for life sciences companies is provided here under Article 89(1) (all references to legislation are to the GDPR unless otherwise specified), which provides that further processing for scientific or statistical purposes will not be considered incompatible with the original purpose, provided that appropriate safeguards are in place to protect the rights and freedoms of individuals. These include organisational and technical measures to help ensure data minimisation – again including pseudonymisation.
Data has to be limited to what is necessary for the purposes for which it is processed and must be kept accurate and up to date. It must be kept for no longer than is necessary and be kept appropriately secure against unlawful processing, accidental loss, destruction or damage.
Crucially, it is not enough to comply; you have to be able to demonstrate compliance in accordance with the accountability principle in Article 5(2). The accountability principle is a driver for many of the processes and policies which data controllers and data processors need to develop and follow in order to be GDPR-compliant. In particular, a record of processing activities must be kept by the data controller or their appointed representative.
In order to comply with the principle that personal data be processed fairly and lawfully, each processing operation must be carried out under one of the lawful bases for processing in Article 6(1). The data controller needs to select the most appropriate one. It cannot select a handful and hope that one sticks, although it can use different lawful bases for different processing operations. This is a different approach to the one under the previous EU Data Protection Directive, where it was quite common for multiple justifications to be selected.
There are a number of lawful bases which may apply to data processing connected with life sciences organisations, but they are not altogether straightforward and data controllers need to consider which to use very carefully. The UK regulator, the ICO, has an interactive guidance tool on its website which may assist. The European Data Protection Board (EDPB) has also published an Opinion on clinical trials which includes a discussion of appropriate lawful bases for processing personal data in clinical trials.
Consent: Data can be processed lawfully on the basis that the data subject has given their consent to the processing. Under the GDPR, however, this is a higher standard than under previous EU data protection legislation. Consent must be "freely given, specific, informed and an unambiguous indication of the data subject's wishes". In particular, it cannot be freely given if there is an imbalance of power in the relationship between the data subject and the controller and, crucially, the data subject must be able to withdraw it at any time without suffering detriment. In the case of sensitive personal data, consent must also be explicit and, where children are involved, there may be other considerations which will make consent more difficult to obtain.
In the context of life sciences, consent may be difficult to achieve and may not be the most helpful lawful basis on which to rely. If a data subject withdraws consent to processing as part of a clinical trial, for example, it could have a major impact on the study. The ICO's guidance on consent states that "In the healthcare context, consent is often not the appropriate lawful basis under the GDPR…Instead, healthcare providers should identify another lawful basis (such as vital interests, public task or legitimate interests). For the stricter rules on special category data, Article 9(2) specifically legitimises processing for health or social care purposes".
The NHS Health Research Authority makes clear that "for the purposes of the GDPR, the legal basis for health and social care research should not be consent" and that for commercial companies the processing of personal data for research should be carried out within legitimate interests.
While consent has to be specific, so that the data subject must consent to each processing operation, Recital 33 GDPR (which is non-binding) recognises that it may not be possible to identify all the purposes for processing personal data for scientific research at the time of collection, so data subjects can be asked to consent to areas of research. Each area or aspect being consented to must be individually set out.
It is important to bear in mind that consent to data processing is not the same as the informed consent required to participate in a clinical trial that is required under the Clinical Trial Regulation. Care should be taken to avoid confusing the two and it must be clear to the data subject exactly what their consent covers in each case.
Legitimate interests: Under previous EU data protection law, relying on the basis that data processing was in the legitimate interests of the data controller was frequently (if often incorrectly) used as a 'sweep up' general justification. Under the GDPR, the position has changed. In the first place, the processing must be necessary for the purposes of the identified legitimate interests. For an organisation to rely on the legitimate interests lawful basis, it then has to be able to demonstrate that its interests or those of a third party (which can include society as a whole) are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
ICO guidance on legitimate interests recommends carrying out a three stage test:
- identify the legitimate interest
- show the processing is necessary to achieve it
- balance it against the individual's rights and freedoms.
A record of any legitimate interests assessment must be kept in order to comply with the accountability principle.
The ICO says that while legitimate interests is the most flexible lawful basis, it should not be used if personal data is being used in a way in which people would not understand or reasonably expect or to which they would object if it were explained to them. The more trivial the interest, the less likely you are to be able to rely on it but the more intrusive the processing, the more likely it is that your legitimate interests will be overridden by the rights and freedoms of individuals. You also need to explain the legitimate interests to the data subjects.
Consent and legitimate interests attract the most attention as lawful bases, perhaps because they were seen as the easiest options under the old legislation. There are, however, a number of other possibilities:
- Processing is necessary for performance of a contract to which the data subject is party.
- Processing is necessary for compliance with a legal obligation to which the controller is subject – this could well be relevant to life sciences businesses which have to comply with medical devices and other product safety regulations and is mentioned in the EDPB Opinion as a lawful basis which will often be appropriate in clinical trials.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary to protect the vital interests of the data subject or other natural person.
Conditions for processing special or sensitive personal data
Life sciences organisations, for example, those carrying out clinical trials or pharmacovigilance, often process large amounts of special data. Not only is a general lawful basis under Article 6 required to process special data, there is a blanket prohibition on processing this kind of personal data unless one of the conditions in Article 9(2) applies. A number of these conditions may apply to special data processed in the context of life sciences:
Consent: In addition to the normal requirements for obtaining valid GDPR consent, in the case of processing sensitive personal data, consent has to be explicit, making it slightly more difficult to obtain.
Vital interests of the data subject: Where the processing is necessary to protect the vital interests of the data subject who is physically or legally incapable of giving consent.
Public interest: Where processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which shall be proportionate to the aim pursued and subject to safeguards to protect the individual.
Medical or healthcare: Processing is necessary for the purposes of preventative or occupational medicine…medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems or services (subject to various conditions and safeguards).
Public health: Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medical products or medical devices. There is also a requirement to provide for suitable measures to safeguard the rights and freedoms of the data subject.
Scientific research: Where processing is necessary for scientific research or statistical purposes, provided it is proportionate to the aim pursued and respects the essence of the right to data protection and specific measures to protect the rights of individuals are taken. The DPA18 suggests that this only applies where there is also a public interest element and the Article 89 requirements are met (see below).
Data protection by design and default
Under Article 25 GDPR, data protection by design and default is hardwired into compliance. What exactly does that mean? Essentially, that data protection has to be considered at the earliest stages of a project and built in from the start.
The GDPR allows for a balancing exercise – the state of the art and costs of implementation, against the risks to the rights of individuals associated with the processing. Having made this assessment, the data controller then needs to implement appropriate technical and organisational measures. Here again is this vague term which appears repeatedly in the GDPR. In this case, at least, some examples are given; pseudonymisation and data minimisation are both seen as "effective" in this context and will be important safeguards in the context of health and social care research.
The controller is also required to put appropriate technical and organisational measures in place to ensure that, by default, only data necessary for each specific processing operation is processed in relation to it. This covers the extent of processing, the retention period, and the accessibility of the data. This aspect of compliance may be particularly challenging for life sciences companies where the need to quickly capture and communicate data about adverse incidents is as crucial as the need to prioritise privacy. Extra effort may be needed to meet both goals without compromising on either.
Certification mechanisms may be introduced in future to help organisations demonstrate their compliance with data protection by design and default but at the moment, it remains something of an inexact science involving judgment calls.
Data Protection Impact Assessments (DPIAs) are not a new concept and data protection regulators have been recommending them for years, but under the GDPR, they are mandatory in certain situations. To a degree, there is also an element of self-assessment here. Article 35 says that DPIAs have to be carried out when a type of processing (particularly one using new technologies) is likely to result in a high risk to the rights and freedoms of individuals. A DPIA is specifically required where:
- Automated processing, including profiling on which decisions are based which have legal or similarly significant effect on the individual is involved.
- There is processing on a large scale of special categories of data (sensitive data).
- There is systematic monitoring of a publicly accessible area on a large scale.
When determining whether processing is likely to result in high risk, European data protection guidelines that define different types of likely high risk processing operations should be considered. One such example provided includes storage for archiving purposes of pseudonymised sensitive data concerning vulnerable data subjects of research or clinical trials.
In addition, each Member State regulator has to produce its own list of the kinds of processing operations which trigger mandatory DPIAs (which means there are different requirements in different Member States). The ICO's list includes processing operations relating to:
- Innovative technology including AI, wearables, and some IoT applications.
- Large scale profiling including application of AI to existing process.
- Biometric data (when combined with any other criterion from WP248rev01).
- Genetic data including for medical diagnosis, DNA testing and medical research (when combined with any other criterion from WP248rev01).
- Risk of physical harm – where a data breach might jeopardise the physical health or safety of individuals (including social care records).
In compliance with the accountability principle, the decision about whether or not to carry out a DPIA needs to be documented. If you have a Data Protection Officer (DPO – see below), they should be involved in the preliminary assessment and any subsequent DPIA.
The purpose of the DPIA is to assess risks to individuals associated with planned processing operations. In other words, it must be carried out before the processing begins. There are set elements to the assessment and what it needs to cover. This includes envisaged steps to mitigate risk and demonstrate compliance. If, at the end of the process, the DPIA concludes that there is a high risk which cannot be mitigated, the ICO (or relevant data protection regulator) must be consulted. The planned processing cannot take place until the regulator has given the all clear – a process which should take eight weeks but can be extended for a further six if the planned processing operation is particularly complex.
Even where there is no requirement to carry out a DPIA, there are many areas where the ICO suggests it may be helpful to carry one out. Given that personal data used in life sciences projects can often be biometric, genetic or involve new technologies, the likelihood is that a DPIA will be required and should, at the least, be considered.
Clinical trials often involve the transfers of large amounts of personal data across borders, including to 'third countries', as a network of laboratories or healthcare providers and potentially the sponsor of the trial may all be in different jurisdictions.
Under the GDPR, personal data may not be transferred outside the EEA unless there are protections in place to guarantee individuals rights and protections equivalent to those they enjoy in the EU. Those countries which are considered to have a data protection regime providing an adequate level of protection equivalent to that in the EU may benefit from a Commission Adequacy Decision, which allows the free flow of personal data from the EU. Currently, 12 jurisdictions (including the Channel Islands) have full Adequacy Decisions and Korea is currently being assessed. In addition, the US has a partial (and controversial) Adequacy Decision in relation to transfers under the EU-US Privacy Shield, although this does not cover key-coded research data.
In the absence of an Adequacy Decision, a number of other data transfer mechanisms can be used, principally, the EC's standard contractual clauses (SCCs), or Binding Corporate Rules (BCRs). There are also other limited options which may be available.
In the event of a no-deal Brexit at the end of transition or in the absence of a post-Brexit Adequacy Decision, the UK will become a third country for EEA data transfer purposes. The UK has already committed to preserving the free flow of data to the EEA and to countries with existing EU Adequacy Decisions and it has also negotiated agreements with all the countries benefitting from EU Adequacy Decisions (aside from Andorra), that data flows to the UK from them will be uninterrupted by Brexit. This leaves a potential problem in relation to data flows from the EEA to the UK. Organisations which are reliant on receiving this sort of personal data need to put mechanisms in place (most likely SCCs) to avoid interruption although it should be noted that SCCs are themselves currently the subject of an EU-level legal challenge.
In addition to GDPR considerations it may also be necessary in the context of cross border clinical trials to consider other separate local country legal or regulatory obligations relevant to the processing or third party hosting of health data (for example, the French Public Health Code).
One of the main obligations on controllers and processors is to keep personal data secure. The level of security has to be determined taking into account a number of factors, including the state of the art, cost, the purposes of processing and the risks to the individual, particularly in the event of unauthorised or accidental destruction, loss, alteration, disclosure of or access to the data.
In the event of a data breach there are obligations on controllers to notify the relevant supervisory authority without undue delay and not later than 72 hours after becoming aware of it unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals. Affected data subjects also need to be informed without undue delay where there is a risk which cannot be mitigated unless that would create a disproportionate burden (in which case a group notification can be made).
Where processing of sensitive data is involved, there is going to be more risk in the event of a data breach. Controllers and processors need not only to have appropriate technology (including encryption, updates, backup etc.) but a suite of policies to cover all aspects of cybersecurity from information security to breach response plans. Staff need to be given appropriate training and there need to be clear reporting lines.
Data Protection Officers
A DPO is an independent person responsible for ensuring an organisation complies with GDPR. The DPO directs and oversees all data protection activities within a company, keeping management informed of data protection obligations, and is the primary point of contact for supervisory authorities.
Under Article 37(1), it is mandatory for a data controller or processor to appoint a DPO if one of the following applies (noting that Member States have scope to extend this requirement to other circumstances):
- it is a public authority or body
- its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or
- its core activities consist of processing, on a large scale, sensitive data of the data subject and/or personal data relating to criminal convictions.
Given the frequent use of sensitive data in life sciences, this means many controllers and processors will be required to appoint a DPO and even if they aren't, they may want to do so voluntarily.
Data subject rights
The GDPR provides individuals with enhanced rights in relation to their data. Member States are able to derogate from some of these under Article 89 where data is processed for archiving purposes in the public interest, for scientific research or statistical purposes. This means research participants may be unable to rely on these rights to seek to access, correct or erase their data where derogations apply.
Right to information: Data controllers must provide data subjects with a range of mandatory information at the time the data is obtained to ensure their data processing is transparent. The type of information which must be supplied differs depending on whether or not the data is obtained directly from the data subject.
This means that information may need to be provided about personal data processing relevant to both a study site and to the study sponsor. Separate from GDPR requirements there may also be ethical regulatory obligations to provide general clarity to study participants about the use of their data even where such data ceases to be personal data. In each case, such information does not necessarily have to be provided as part of Study Participant Information Sheets (which may be an issue for studies that have been running prior to the entry into force of the GDPR).
Subject Access: The right of the data subject to request access to their personal data together with associated information, including obtaining a copy of it. This can be particularly challenging where the processing activities are highly confidential and providing copies of the data could risk the integrity of trade secrets or a patent prosecution process.
Rectification and restriction: The right to have inaccurate data corrected or incomplete data completed and to restrict processing under specified circumstances, mostly where the processing is the subject of some sort of dispute.
Right to erasure: Individuals can ask for their personal data to be deleted under certain specified circumstances. This includes where processing is based on consent. This is another reason why consent may not be the best lawful basis for processing in relation to clinical trials or pharmacovigilance. There are, however, exemptions to the right to erasure for reasons of public interest in the area of public health and for scientific or statistical purposes in accordance with Article 89(1) where exercising the right would render impossible or seriously impair the objectives of the processing.
Right to data portability: Where processing is based on consent or carried out for performance of a contract, or where it is automated, the individual has the right to receive the data and transfer it to another controller. The data must be provided in a structured, commonly used and machine-readable format. Again, there is an exemption for tasks carried out in the public interest and where the exercise of this right can adversely affect the rights and freedoms of others.
Automated decision making and profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal or similarly significant effects. Where sensitive personal data is being used for the profiling, it is only permitted with the explicit consent of the individual or where the profiling is necessary for reasons of substantial public interest and safeguards are applied. Where machine learning is used in healthcare products, this right is likely to be engaged. It is also a potential issue in randomised trials where requiring specific consent might alert the individual to the fact they were part of a trial.
Right to object: The data subject has the right to object to processing where it is based on legitimate interests or where it is related to a task carried out in the public interest or on the exercise of official authority. If the data subject objects, the controller can only continue processing if it demonstrates compelling legitimate grounds which override the rights and freedoms of the data subject (or where it's related to legal claims).
If consent appears problematic as a lawful basis, then the fact that the right to object applies to processing carried out on the legitimate interests basis may sway controllers against relying on it as an alternative. However, there is a potential exemption where personal data is processed for scientific research or statistical purposes under Article 89(1).
Processing for archiving in the public interest, scientific research or statistical purposes
Article 89 GDPR
Article 89 covers safeguards and derogations relating to processing for archiving purposes in the public interest, scientific research purposes or statistical purposes (also historical research purposes). Life sciences businesses may find themselves subject to these safeguards but may also benefit from exemptions.
Under Article 89, all processing of personal data for scientific research or statistical purposes must be subject to appropriate safeguards, key to which are data minimisation, including by pseudonymisation. Where these purposes can be fulfilled by further processing which does not identify individuals (for example anonymisation), then they should be applied.
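The pseudonymisation described above, and in the definition of personal data earlier on this page, turns on the "additional information" being held separately: the research dataset carries only a keyed pseudonym and the minimised fields, while the linkage table that maps pseudonyms back to people is kept under its own access controls. The following example is added here to illustrate that split and is not code from the original article or from any regulator; the records, field names and the `nhs_number`/`name`/`postcode` identifiers are constructed placeholders, and an HMAC with a separately held secret is used as the pseudonym so that a party without the key can neither reverse nor re-compute it.

```python
"""Pseudonymisation with separately held linkage data (illustrative, added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records; none of these values refer to real people.
RAW_RECORDS: List[Dict] = [
    {"nhs_number": "CONSTRUCTED-0001", "name": "Participant One", "dob": "1971-04-02",
     "postcode": "ZZ1 1ZZ", "adverse_event": "headache", "dose_mg": 50},
    {"nhs_number": "CONSTRUCTED-0002", "name": "Participant Two", "dob": "1985-11-30",
     "postcode": "ZZ2 2ZZ", "adverse_event": "none", "dose_mg": 100},
    {"nhs_number": "CONSTRUCTED-0003", "name": "Participant Three", "dob": "1962-07-19",
     "postcode": "ZZ3 3ZZ", "adverse_event": "rash", "dose_mg": 50},
]

# Data minimisation: only the fields the research purpose actually needs travel
# into the research dataset. dob and postcode are quasi-identifiers and are
# deliberately left out, since they would make re-identification easier.
RESEARCH_FIELDS = ("adverse_event", "dose_mg")
DIRECT_IDENTIFIERS = ("nhs_number", "name", "dob", "postcode")


def pseudonym(key: bytes, direct_identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated) for one direct identifier.

    Using HMAC rather than a plain hash matters: an unkeyed hash of a known
    identifier space can be re-computed by anyone, whereas here the key is the
    'additional information' that must be kept separately.
    """
    mac = hmac.new(key, direct_identifier.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def pseudonymise(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, Dict]]:
    """Split raw records into (research_dataset, linkage_table).

    The research dataset holds the pseudonym plus minimised fields only.
    The linkage table maps pseudonym -> direct identifiers and is meant to be
    stored and access-controlled separately (for example by the trial centre,
    not the sponsor). Both together are still personal data under the GDPR.
    """
    research: List[Dict] = []
    linkage: Dict[str, Dict] = {}
    for record in records:
        pid = pseudonym(key, record["nhs_number"])
        research.append({"participant_id": pid, **{f: record[f] for f in RESEARCH_FIELDS}})
        linkage[pid] = {"nhs_number": record["nhs_number"], "name": record["name"]}
    return research, linkage


def contains_direct_identifiers(row: Dict) -> bool:
    """Check used before release: a research row must carry no direct identifier."""
    return any(field in row for field in DIRECT_IDENTIFIERS)


def reidentify(research_row: Dict, linkage: Dict[str, Dict]) -> Optional[Dict]:
    """Only the holder of the linkage table can attribute a row to a person,
    e.g. to follow up a serious adverse event. Without it, this returns None."""
    return linkage.get(research_row["participant_id"])


def anonymise(research: List[Dict]) -> List[Dict]:
    """Drop the participant_id so nothing in the dataset refers to the linkage
    table. Removing the link is necessary for anonymisation but not sufficient
    on its own; the minimised field set above is what keeps the remaining
    columns from acting as quasi-identifiers."""
    return [{k: v for k, v in row.items() if k != "participant_id"} for row in research]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the linkage-table custodian only
    dataset, link = pseudonymise(RAW_RECORDS, key)
    print("research dataset:", dataset)
    print("re-identified first row:", reidentify(dataset[0], link))
    print("without linkage table:", reidentify(dataset[0], {}))
    print("anonymised:", anonymise(dataset))
```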
Article 89 is also the main source of exemptions and derogations from GDPR compliance for life sciences data. Member States or the EU itself may provide for derogations from a number of the data subject rights in relation to data processed for scientific research or statistical purposes. These are:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to restriction (Article 18)
- Right to object to processing (Article 21)
Where data is processed for archiving purposes in the public interest, derogations may also be made from the right to notification and erasure, and the right to data portability. This means that the position will vary across Member States depending on which derogations are provided for under national law.
In the UK, the DPA18 covers the Article 89 derogations in Schedule 1, Part 6. To the extent that exercising their rights would prevent or impair scientific research or statistical purposes, data controllers do not have to give effect to:
- Article 15(1) to (3)
- Article 16
- Article 18(1)
- Article 21(1)
as long as the data is processed in accordance with Article 89(1), as supplemented by section 19 DPA18, and provided (in relation to Article 15(1) and (3)) that the results of the research or any resulting statistics are not made available in a form which identifies a data subject. Some additional exemptions are available in relation to archiving in the public interest.
No review of the impact of the GDPR is complete without those dreaded words, "4% of annual global turnover". That is the most stringent available sanction in the regulatory arsenal of the GDPR and it is safe to say that only the most egregious and persistent breaches of the GDPR are likely to attract that level of penalties. It would, however, be wrong to assume they will be reserved for large businesses. Organisations which are seen to be trying to do the right thing (and can demonstrate that) are less likely to attract the highest sanctions. This goes back to the issue of accountability. If you are doing your best to comply with the GDPR and are demonstrably trying to work with it and cooperate with regulators, then the maximum penalties for breach are unlikely to be issued.
That's a lot of information to take on board
This is a very high level overview of some of the issues life sciences businesses may need to consider when working towards GDPR compliance and detailed legal advice should always be taken. It's worth noting that Brexit won't change anything aside from the issue of data flows from the EEA to the UK (as mentioned above).