First the bad news. As long as health care-related data remains a valuable commodity, security breaches and data theft will persist. The good news is global regulatory agencies are ramping up their cybersecurity measures in an effort to restore relevance to the “protection” component of protected health information (PHI).
The European Union (EU) Parliament is preparing to go live with set of strict new rules around protecting personal data belonging to clinical trial participants (data subjects) and health care patients. This legislation, known as the General Data Protection Regulation (GDPR), was adopted by the EU in 2016 as an update to the previous data protection directive established in 1995. The EU Parliament has underscored the urgency of this measure by enforcing a deadline of May 25, 2018, when all companies that collect and process data on citizens in EU countries, including the U.K., must be in compliance with the new rules.
The aim of GDPR is to both expand the privacy rights of data subjects involved in clinical trials and protect EU citizens from personal data compromises. It also regulates the processing and exportation of personal data stored within the EU, whether or not the data subjects are EU citizens.
One goal of GDPR is to harmonize data privacy laws across Europe.1 While individual countries can choose to add more restrictive measures, a part of the regulation that must remain consistent across all countries is that companies will need the same level of protection for an individual’s:
Many of the GDPR requirements apply specifically to information security, which means your company may need to modify your current security systems and protocols.
The GDPR requirements apply to both controllers and processors of personal data, which by definition is any information that can directly or indirectly identify a person. A controller determines the purposes, conditions and means of processing personal data. A processor processes the personal data on behalf of a controller.
Territorially, the GDPR applies to all organizations located within the EU. It also applies to organizations located outside of the EU that process the personal data of EU citizens.2
Clearly, the GDPR is significantly different from its 1995 predecessor. The emphasis on data privacy is still the central priority of the directive, but regulatory policies have been updated to better align with advanced technologies and best practices.
The GDPR regulations are much like the FDA 21 CFR requirements. All standard operating procedures (SOPs) must match the requirements outlined in the GDPR just as much as those of any other regulatory agency. Also, as a sponsor organization, you are ultimately responsible for making sure all companies you exchange data with comply with the regulations.
The GDPR does not specify how your organization should collect and store data. However, the guidelines specify that you need to be aware of the type and how much data you collect as well as the whereabouts of all data you store and process. Further, you need to fully understand the risks and mitigation measures involved with your data handling processes. It’s important to avoid any blind spots in any aspect of your data management. To comply with the GDPR, you must be able to clearly identify:
You also must be able to account for and secure communication between all systems, including:
The GDPR requirements have both strengthened and simplified the consent processes. Consent requests can no longer be lengthy and ambiguous. Instead, your request forms must be easily accessible and use clear and plain language.2 Other consent policies include:
Data Protection Officer
A data protection officer (DPO) is tasked with ensuring that data management and handling are compliant with the GDPR.
The GDPR cites specific circumstances where an organization is required to appoint a DPO to oversee all record keeping and data processing activities. A DPO is mandatory only for those controllers and processors whose core activities consist of engaging in large-scale systematic monitoring or that engage in large-scale processing of sensitive information.2
Still, a best practice is that anytime your company possesses and handles personal data, you should have a DPO. Here are some guidelines to follow for appointing a DPO:
Data Breach Notification
In the event of a data breach, notifying authoritative officials is mandatory within 72 hours of discovering the breach. Processors will also be required to notify their customers within the same timeframe. If notification is delayed, a documented reason for the delay must accompany the notification.
A critical part of GDPR compliance is communication and education of employees. Companies need to educate all employees not only about the GDPR, but about organizational policies around IT and data security. GDPR compliance is just as much about technology as it is about process improvements.
Compliance with the GDPR is mandatory for all EU countries by May 25, 2018. Penalties for noncompliance could result in fines of up to $20 million euros or up to 4 percent of the company’s annual income. The penalty structure has a tiered approach to fines. For example, a company can be fined 2 percent for not having its records in order, not notifying authorities in the event of a breach or not conducting an impact assessment.
At first glance, achieving GDPR compliance might seem out of reach. However, when broken down, most of the requirements for compliance can be accomplished with effective quality management. Implementing an integrated electronic quality management system (eQMS) can help with managing various aspects of regulatory compliance, including:
Mandatory compliance with GDPR is currently concentrated within the EU region. However, because of the criticality of maintaining data privacy and security, it won’t be long before the GDPR standard extends beyond the EU.
David Jensen is a marketing communication specialist at MasterControl. He has been writing technical, marketing and public relations content in technology, professional development, business and regulated environments for more than two decades. He has a bachelor’s degree in communications from Weber State University and a master’s degree in professional communication from Westminster College.