GDPR Deadline Approaches: What Is Expected for Compliance?

First the bad news. As long as health care-related data remains a valuable commodity, security breaches and data theft will persist. The good news is global regulatory agencies are ramping up their cybersecurity measures in an effort to restore relevance to the “protection” component of protected health information (PHI).

The European Union (EU) Parliament is preparing to go live with set of strict new rules around protecting personal data belonging to clinical trial participants (data subjects) and health care patients. This legislation, known as the General Data Protection Regulation (GDPR), was adopted by the EU in 2016 as an update to the previous data protection directive established in 1995. The EU Parliament has underscored the urgency of this measure by enforcing a deadline of May 25, 2018, when all companies that collect and process data on citizens in EU countries, including the U.K., must be in compliance with the new rules.

What is the General Data Protection Regulation?

The aim of GDPR is to both expand the privacy rights of data subjects involved in clinical trials and protect EU citizens from personal data compromises. It also regulates the processing and exportation of personal data stored within the EU, whether or not the data subjects are EU citizens.

One goal of GDPR is to harmonize data privacy laws across Europe.¹ While individual countries can choose to add more restrictive measures, a part of the regulation that must remain consistent across all countries is that companies will need the same level of protection for an individual’s:

• Basic identity information, such as name, address and ID numbers.
• Web data, such as IP address and cookie data.
• Biometric data.
• Racial or ethnic data.
• Political opinions.
• Sexual orientation.
• Human tissues (also considered private protected information).

Many of the GDPR requirements apply specifically to information security, which means your company may need to modify your current security systems and protocols.

Who and What Will be Affected by GDPR?

The GDPR requirements apply to both controllers and processors of personal data, which by definition is any information that can directly or indirectly identify a person. A controller determines the purposes, conditions and means of processing personal data. A processor processes the personal data on behalf of a controller.

Territorially, the GDPR applies to all organizations located within the EU. It also applies to organizations located outside of the EU that process the personal data of EU citizens.²

What is Required for GDPR Compliance?

Clearly, the GDPR is significantly different from its 1995 predecessor. The emphasis on data privacy is still the central priority of the directive, but regulatory policies have been updated to better align with advanced technologies and best practices.

The GDPR regulations are much like the FDA 21 CFR requirements. All standard operating procedures (SOPs) must match the requirements outlined in the GDPR just as much as those of any other regulatory agency. Also, as a sponsor organization, you are ultimately responsible for making sure all companies you exchange data with comply with the regulations.

Data Handling

The GDPR does not specify how your organization should collect and store data. However, the guidelines specify that you need to be aware of the type and how much data you collect as well as the whereabouts of all data you store and process. Further, you need to fully understand the risks and mitigation measures involved with your data handling processes. It’s important to avoid any blind spots in any aspect of your data management. To comply with the GDPR, you must be able to clearly identify:

• All data from every data subject and every external organization that provides data to you.
• How you will use personal data.
• If you are transferring data, where data is transferred and what safeguards are in place during data transfer.
• The location of all your servers and which servers are used specifically for storing, processing and transferring data.

You also must be able to account for and secure communication between all systems, including:

• Servers
• Workstations
• Data warehouses
• Mobile devices
• Wearable devices

Consent Policies

The GDPR requirements have both strengthened and simplified the consent processes. Consent requests can no longer be lengthy and ambiguous. Instead, your request forms must be easily accessible and use clear and plain language.² Other consent policies include:

• Data subjects must be able to withdraw their consent as easily as it was to give it in the first place.
• Data subjects are allowed to request data removal. Note that data must remain available for medical providers for a certain amount of time. Medical providers need to inform data subjects of the timeline for when data will be removed, which must be within a reasonable timeframe.
• Data subjects should have the right to have their data erased and no longer processed or disseminated.
• Data subjects should have the right to a copy of their data free of charge.

Data Protection Officer

A data protection officer (DPO) is tasked with ensuring that data management and handling are compliant with the GDPR.

The GDPR cites specific circumstances where an organization is required to appoint a DPO to oversee all record keeping and data processing activities. A DPO is mandatory only for those controllers and processors whose core activities consist of engaging in large-scale systematic monitoring or that engage in large-scale processing of sensitive information.²

Still, a best practice is that anytime your company possesses and handles personal data, you should have a DPO. Here are some guidelines to follow for appointing a DPO:

• You do not need to create a new position. A quality manager would be a good fit for the role as long as there is no conflict of interest between the DPO tasks and the person’s other duties.
• The DPO must be thoroughly knowledgeable of all regulatory guidelines, laws and best practices.
• The DPO must be able to provide expert recommendations.
• Companies have the option to use an external DPO.

Data Breach Notification

In the event of a data breach, notifying authoritative officials is mandatory within 72 hours of discovering the breach. Processors will also be required to notify their customers within the same timeframe. If notification is delayed, a documented reason for the delay must accompany the notification.

Employee Training

A critical part of GDPR compliance is communication and education of employees. Companies need to educate all employees not only about the GDPR, but about organizational policies around IT and data security. GDPR compliance is just as much about technology as it is about process improvements.

What Are the Consequences for Noncompliance?

Compliance with the GDPR is mandatory for all EU countries by May 25, 2018. Penalties for noncompliance could result in fines of up to $20 million euros or up to 4 percent of the company’s annual income. The penalty structure has a tiered approach to fines. For example, a company can be fined 2 percent for not having its records in order, not notifying authorities in the event of a breach or not conducting an impact assessment.

Conclusion

At first glance, achieving GDPR compliance might seem out of reach. However, when broken down, most of the requirements for compliance can be accomplished with effective quality management. Implementing an integrated electronic quality management system (eQMS) can help with managing various aspects of regulatory compliance, including:

• Managing and ensuring the integrity and security of large amounts of data.
• Demonstrating compliance with the requirements involving controllers and processors.
• Overseeing the compliance efforts of suppliers.
• Ensuring all training requirements are complete and up to date.

Mandatory compliance with GDPR is currently concentrated within the EU region. However, because of the criticality of maintaining data privacy and security, it won’t be long before the GDPR standard extends beyond the EU.

References

1. “Regulation (EU) 2016 of the European Parliament and of the Council (General Data Protection Regulation),” http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
2. “The European Union (EU) General Data Protection Regulation (GDPR) Portal,” https://www.eugdpr.org/key-changes.html.