GDPR is coming: is pharma ready?
12th December 2017
Few industries are more heavily regulated than the pharmaceutical industry, and in just a few months from now, there will be even more legislation to comply with.
Taking effect on May 25, 2018, the EU’s General Data Protection Regulation (GDPR) will strengthen the protection of personal data of all individuals residing within the EU. The regulation will apply even if the company itself is not based in or does not have a presence in the EU, and covers data that is exported outside of the EU.
This increase in territorial scope is just one way in which GDPR supersedes the Data Protection Directive that has been in place for the past two decades. Other changes include more severe penalties: organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater) for the most serious breaches, such as having insufficient customer consent to process data. There is also a need for increased clarity around consent, requiring clear and plain language and ensuring it is as easy to withdraw consent as it is to give it. Pertinent to pharma is also the updated definition of personal data, which now includes genetic data, as well as online identifiers and location data.
Of course, pharma is no stranger to data protection! Already, patients are required to actively opt into the data collection process, and it is standard practice to pseudonymise clinical trial data by replacing names and other obvious identifiers with codes. But eliminating wider personal information, such as gender or date of birth, would make it impossible to stratify clinical data by patient demographics, for example. Further, the added principle of ‘data minimisation’ – collecting only as much data as you need to get the job done, and not repurposing data without obtaining further consent – could certainly prove problematic when it comes to retrospective or post-hoc analyses, which by their nature reuse data for questions not foreseen at collection time.
The new regulation will also give patients the right to have their personal data deleted, known as the right to be forgotten, and this is where things get really tricky. The global nature of modern clinical research involving multiple stakeholders means that trial data can get decentralised very quickly, being shared among CROs, hospitals, researchers and statisticians, often in different countries. Even when the flow of information is tightly controlled, retracting it completely becomes a mammoth task.
Companies that use personal data for research purposes may avoid some of the restrictions surrounding data processing, data erasure and obtaining consent, as long as safeguards such as data minimisation are in place. However, GDPR does not specifically define what is meant by ‘scientific research’, and there is likely to be a divide between the rules for public-interest research and research for commercial gain.
So, while it may be tempting to bury your head in the sand, with just a few months to go it’s important to get familiar with GDPR now.
Alternatively, book a live demo of our new GDPR game, designed to ensure your team knows their stuff in good time for the data shake-up.