Is Your TMF Ready For GDPR? Part One: Know Your Roles

This post is the first in a two-part series outlining how the new European Union General Data Protection regulation could impact your Trial Master File.

Since 1995, EU Directive 95/46/EC has provided the foundation for “the protection of individuals with regard to the processing of personal data and on the free movement of such data”. As of this coming May 25th, however, EU Directive 95/46/EC will be replaced by the European Union General Data Protection Regulation (GDPR). Legislators hope that GDPR will reduce the confusion that has resulted from inconsistent region-specific privacy laws within the EU and strengthen the protection of privacy rights in response to the massive expansion and global reach of ‘big data’.

GDPR is notable for two major reasons: scope and severity. GDPR, unlike the 1995 Directive, will not require interpretation by each Member State of the EU.  When passed by the European Parliament, a Regulation becomes binding law across the entire EU. Therefore, when GDPR is fully implemented on May 25th, it will become an enforceable law in each Member State of the EU and no enabling legislation will need to be passed for it to apply locally.

Lending it even greater weight, GDPR is extraterritorial, meaning it applies to any organization that collects or processes personal data of individuals inside the EU, regardless of where the organization is located (unlike the current 1995 Directive).  As a result, with the adoption of GDPR, no longer will “I don’t do business in the EU” be sufficient to avoid the EU’s data handling regulations.  Regarding the severity of GDPR, the penalties for noncompliance are substantial: “fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”. These significant penalties mean that all impacted industries have no choice but to make GDPR readiness a priority.

Given the new risks, responsibilities, and the massive amounts of data collected by the clinical research industry, it is clear GDPR will have consequences for the TMF. But before we dissect the components of GDPR that have the greatest potential to impact the TMF, let’s first review the basic cast of characters who are affected by GDPR:

Data Subject: “An identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person…”

In the context of clinical research, the individual who would immediately be identified as a data subject is the subject or patient in the trial. But the role of data subject is not limited to the research subject; it also applies to the investigator, site staff, and anyone else who has personally identifiable data collected over the course of the trial (as long as they are within the EU).

Processor: “…a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

In the context of clinical research, a processor could include any entity who is in contact with the data – from investigator, to CRO, and even vendors.

Controller “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.

In the context of clinical research, Sponsor and CRO could be considered controllers. Vendors or other processors could also be considered a control if a processor is making executive decisions about the processing of the data.

Now that we’ve established the roles within GDPR, let’s examine what actions these roles complete:

Data Subject: Data subjects produce data. Not all data produced by data subjects is considered in the same way by GDPR. Subjects can produce ‘special’ categories of data that are associated with increased regulatory responsibility. These special categories are:

Genetic data: “…personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person…”. Genetic data is routinely generated via specimen collection.

Biometric data: “…personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person…” Biometric data usually refers to fingerprint and facial recognition data that is collected for identification or access control purposes.

Data concerning health: “…personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”. The majority of data generated by clinical research would be considered data concerning health.

Processor: Processors process data. GDPR defines data processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”

As the purpose of clinical research is to collect data in order to process that data in to valuable insights, Sponsor, CRO, and all Vendors who interact with data would be considered processors. Note that the definition of processing is very inclusive:  processing includes administrative tasks such as storage, organization, or disclosure by transmission. The interaction with the data does not need to be complex or necessarily value-added to be considered applicable.

Controller: “…the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data…”

Controllers establish the purpose of the data collection and make decisions about how the collected data is handled. In the context of clinical research, a Sponsor and CRO would usually play the role of the controller. Although controllers share much in common with processors, the key difference between processor and controller is the ability to determine the ‘Why?’ of data collection. With this control of the ‘Why’ of the data, the controller assumes ultimate responsibility and supervisory authority over the data.

Now, equipped with an understanding of these roles, you can begin to assign them to the many stakeholders that contribute to your TMF. By mapping your existing business processes and following the flow of data into (and ultimately out of) the TMF, you have begun the first steps on a journey to achieve GDPR readiness. In our next post, we will take the analysis of these roles one step further, examining how the rights and responsibilities associated with each role could intersect with your current TMF processes. A thorough understanding of these intersections will allow your organization to hone in on potential areas of risk and begin the process of conducting a GDPR gap analysis.

The full text of GDPR is available here.