Is Your TMF Ready For GDPR? Part Two: Know Your Rights
In our last post on the European Union General Data Protection Regulation (GDPR) we examined the primary roles found within the regulatory framework of GDPR: data subject, processor, and controller. Taking the first step to achieve GDPR readiness, we began to assign these roles to the existing entities involved in creating, processing, and directing the movement of data into and out of the TMF. Assigning these roles, however, only begins the process of preparing a TMF for GDPR compliance.
When GDPR becomes fully implemented on May 25th, beyond establishing the roles we’ve previously discussed, it will launch a schema of relationships built on a new set of rights assigned to data subjects. These data subject rights serve as the foundation of the regulation and inform the responsibility of the other roles within GDPR. The rights of data subjects (adapted here from Article 15 of GDPR) can be divided into seven fundamental rights:
- Right to Access: The subject has the right to obtain his or her data from a controller.
- Right to Rectification: The subject has the right to expedient correction of erroneous data.
- Right to be Forgotten: The subject has the right to expedient deletion of his or her data (specifically within 30 days).
- Right to Restriction: The subject has the right to restrict data processing in the event of a dispute.
- Right to be Informed: The subject has the right to transparent communication about the purpose and status of his or her data.
- Right to Portability: The subject has the right to collect his or her data in an organized way and in a portable format.
- Right to Opt-Out: The subject can opt out of data processing at any time – even if that processing is automated.
This article will focus on the rights and guarantees to data subjects that differ most from U.S. privacy laws and the current Data Protection Directive 95/46/EC, specifically the right to be forgotten, the right to portability, and the consent of the subject (which is the basis of lawful processing of the subject’s data). These points of difference represent the areas in which U.S. entities will most likely need to change their business operations to become GDPR compliant.
You might recognize that many of these rights assigned to data subjects are already guaranteed under the principles of informed consent. Consent is also an important principle within GDPR, and is defined as, “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Affirmative consent is the basis for lawful data processing under GDPR.
Based on GDPR’s new high standards of consent, there are a few key unknowns that the pharmaceutical and clinical trial industry should pay close attention to. These items are of special consequence for the TMF, as the documentation of consent is among the core functions of a TMF:
- No longer will failure to complete an action be considered implied consent. Although the main consent process of a clinical trial includes positive affirmation of consent by the subject, do the policies of vendors (who may be considered processors) contain ‘opt out’ language that would not be GDPR compliant?
- As GDPR may potentially present a higher burden of consent than a region’s current regulations, must subjects be re-consented once GDPR takes effect?
- GDPR sets higher standards for the processing of the data of minors and potentially vulnerable individuals. GDPR mandates that parental consent be achieved before data can be processed. The onus is on the processor of the data to validate the guardian’s consent. GDPR, however, does not standardize the age of consent across the EU nor specify what constitutes proper documentation of valid consent by a guardian. How will this impact pediatric studies?
- GDPR mandates that consent must be ‘granular’, meaning that the data subject can choose to what extent their data is processed. This means that current consent documents may be considered too broad to be GDPR compliant. If granular consent is allowed, is the current protocol and data collection process robust and flexible enough to adapt?
- As a result of GDPR, will a trial’s current process to withdraw consent be considered non-compliant due to the burden it places on the subject? Essentially, is it too hard for the subject to withdraw complete consent?
- Will all data processing activities and processors need to be listed on the consent form? Is it possible to list them in an understandable way?
- What if the purpose for collecting data is not known at the time of the consent?
Forgetfulness and Portability
In addition to a new level of scrutiny surrounding consent, there are a few other new rights gained by data subjects that will require immediate action:
- The right to be forgotten seems to guarantee that data must be hastily erased if the subject decides to withdraw consent. GDPR does provide a possible exception to this rule, in Article 89, for purposes “in the public interest, scientific or historical research purposes or statistical purposes”, but the boundaries of this potential exception have not been fully defined. Deletion of a subject’s data in certain situations (after database lock, for example) could seriously impact statistical analysis or regulatory submissions, or even jeopardize patient safety.
- The right to portability also presents challenges to clinical research. With this right, data subjects must be able to easily obtain and reuse their personal data. In the context of clinical research, subjects could, at any time, request that their Case Report Forms (CRFs) be delivered to them in a portable format. Paper CRFs, therefore, would need to be transcribed, and eCRFs held in or converted to a standard medical record format.
Having unpacked the rights of the data subject, it is also essential to remember that GDPR applies to any kind of organization that uses or processes data and is not specifically targeted to clinical research or any one industry. The increased scope of GDPR represents a paradigm shift in certain industries but does not significantly alter the overall regulatory landscape of handling clinical data.
The basic rights and principles guaranteed by GDPR are already guaranteed by HIPAA, local privacy laws, ICH GCP, Federal Regulations, and the ethical principles from the formative documents of clinical research ethics (such as the Nuremberg Code and the Belmont Report). Although the principles of GDPR may be similar to those adopted by clinical research, it is essential to recognize that the concerns and goals of GDPR and clinical research do not converge in all areas. GDPR’s ultimate goal is to return control of personal data to the citizens of the EU. The goal of clinical research is to collect health data, balancing the potential for collective benefit against the risk to the individual. Recognizing the power and importance of aggregated data, especially health data, it is clear GDPR will greatly influence the future of clinical research, but the short-term effects are difficult to ascertain. Gaining a greater understanding of the rights GDPR affords to subjects offers the greatest insight into how clinical research, and the TMF, may change after May 25th.
In the third and final installment of the series, we will adopt the point of view of the data processor and controller. We will examine how an organization’s exposure to GDPR could shift depending on their location and their selection of vendors. We will also discuss the new responsibility data controllers must assume for their processors – whether internal or external. Finally, we will discuss the importance of pseudonymization to clinical research, and the new role of data protection officer.
The full text of GDPR is available here.