15 May How does EU GDPR affect clinical trials globally?
The EU GDPR (General Data Protection Regulation), effective from 25th May 2018, replaces the Data Protection Directive 95/46/EC, is designed to harmonise the data privacy requirements across Europe, to protect and empower all EU citizens data privacy, and to strengthen the way of handling personal data.
Many of the responsibilities and obligations defined by GDPR are not new for companies in the clinical research area. However, there are some new requirements which apply to clinical trials, such as:
1) Informed Consent:
Consent must be explicit, unambiguous, and freely given. It must be specific to each procedure, and only used for those purposes set out in the consent form. The GDPR also introduces stricter requirements including:
- The consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
- The records should be kept to show what the trial subjects have consented to, what they were told, and when and how they consented.
- The consent must be easy to withdraw.
These are two different terms that should clearly be defined in the protocol. GDPR defined pseudonymisation as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.” I.e. when using subject ID, the data belonged to this subject ID are considered as pseudonumised data.
Under the GDPR, pseudonymised data will be a form of personal data and will have to be protected accordingly. I.e. confidentiality and data security provisions are applied to such data in the context of clinical trials in any event.
3) Right to rectification and erasure, to data portability and to access
New rights are introduced including the right to erasure (or right to be forgotten). However, in clinical trials, at the time of withdrawing consent, data already collected, usually will not be deleted from the clinical database, and this should be clearly specified in the consent form. In clinical trials, the subject records will also be kept in a pre-defined period according to applicable requirements and will be destroyed afterwards.
The subject access right may already exist, however, there is an important adjustment under GDPR that allows subjects to gain access to their personal data with no cost and in an immediate way.
4) Handling of EU citizens data by non-EU countries
GDPR applies to all organisations worldwide that are handling EU citizens’ data, and all these organisations will need to act proactively to ensure compliance. Please note that there is no transitional period.
Reference to EU GDPR:
PharmaGCP publishes frequently relevant news related to clinical research, you will be notified about these news by following PharmaGCP on Linkedin; https://www.linkedin.com/company/pharmagcp/