GDPR and Human Data Samples: Being ‘somewhat prepared’ is not enough
pharmafile | September 14, 2017 | Feature | Business Services, Manufacturing and Production, Medical Communications, Research and Development, Sales and Marketing | GDPR, biotech, data, drugs, pharma, pharmaceutical
Thomas Hirse, Partner, and Paetrick Sakowski, Associate, CMS, discuss what pharmaceutical companies need to be aware of ahead of the GDPR deadline.
The 25th May 2018 will be a critically important date for the UK. Whilst for some, that Friday purely signifies the first day of the Spring Bank Holiday, pharmaceutical companies will immediately recognize it as the inauguration of the General Data Protection Regulation (GDPR).
Yet despite the approaching date, the government’s annual FTSE 350 Cyber Governance Health Check Report, published in July, revealed worrying statistics: although almost three quarters of respondents said they were ‘somewhat prepared’ to meet the GDPR requirements, only 6% reported being ‘completely prepared’. Those in the biotech industry must take note; the GDPR is going to affect either your company, or how companies handle you. Total preparation is vital.
So why do we need a new data protection regulation? It is clear that the previous, outdated legal standards have struggled to keep up with increasingly digitalised data processing systems; updated European legislation that can match the technological advancements is critical. When dealing with intrinsically personal data, companies must be able to protect this data from cyber-attacks and other online threats, or at least allow the data subject to knowingly consent to the collection of their data and the risks that surround it.
What is the objective of the GDPR? Well, the official EU GDPR website states the following: ‘[the GDPR] was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy’. In short, the new regulation is going to protect personal data in terms of how it is processed, and this will include sensitive health, genetic or biometric data. The GDPR will further embody a consistent pan-European regulation to hopefully reduce demand on company resources in the long-term. While Member States still have scope for national provisions, harmonization facilitates data protection compliance for internationally operating companies. Germany has already passed a revised law on data protection while the UK government has announced a new Data Protection Bill.
And whom does it apply to? The GDPR will apply to all EU members including the UK, Brexit or not. However, this does not mean that the new system is limited to the EU; indeed it will also apply to companies that operate outside of the EU and provide human samples such as tissue, blood or gene sequences and related clinical data or related research services for EU subjects. Data protection compliance will also have to be ensured for ongoing projects, which is why companies need to start paying attention now. The countdown to the GDPR will include a revision of contractual relations between biobanks, research facilities or service providers (e.g. genome sequencers).
It is important, then, that the UK’s biobanking and research sector takes note of the new legislation and implements the necessary standard operating procedures (SOPs). Researchers who tend to rely on the ‘freedom of sciences’ and the good intentions of medical progress will have to be sensitised to this matter. Indeed, human samples and related clinical data that are collected by biobanks for research purposes will be regarded as particularly sensitive under the GDPR, which may also concern research results obtained from these sources and, of course, their publication.
So what’s most important? In terms of data collection, the main requirement concerns informed consent and the rights of data subjects, which links back to the notion of ‘empowerment’ for EU citizens. Patients will have to be asked explicitly in ‘clear and plain language’ whether they consent to the use of their samples for specific research purposes. Explicit consent versus non-explicit consent can be described simply as a positive action of opting in, as opposed to having to opt out, i.e. actively checking a box online agreeing to distribution of data. Subjects will also have the right to access the data or withdraw their consent, in other words the ‘right to be forgotten’.
Companies will then have to prove that they are compliant with the new law through establishing transparent data protection procedures and will also be liable for controlling their external data processors and implementing necessary provisions in their contracts.
In terms of existing collections of samples or personal data, a diligent assessment of the given consent has to be made in order to ensure data protection compliance. Otherwise, companies face the risk that human samples or related clinical data may be considered illegal for use in further research, and damages will have to be paid to the donor. We have seen cases in the U.S. where patients and scientists claimed rights in tissue samples (e.g. Washington University v. Catalona and Moore v. Regents of the University of California). Company ignorance of the legal situation could fuel similar claims in the EU.
So could the GDPR limit research potential or ability in the EU? Possibly. Companies that deal with human samples will have to prove to the authorities that they have sufficiently considered the legal implications and implemented the necessary SOPs. These SOPs also have to cover various other legal aspects of dealing with human samples such as biological safety, limitations of stem cell research, requirements of ethics committee votes and transfer of material and data. It also has to be seen to what extent the question of ‘freedom of sciences’ will exempt companies and researchers from the strict GDPR regime. In the case of research on severe illnesses, the boundaries of the ethical ambit must be determined, should data protection supersede the scientific freedom to operate. Companies will thus have to decide where to draw the line, posing a major challenge for authorities and courts up to the CJEU.
And what will the cost of incorporating the GDPR be for individual companies? This will depend on various factors such as the business model, the character and extent of personal data processing, and the need for technical and organisational data protection measures. Costs will include a mandatory data protection impact assessment for large-scale processing of sensitive personal data, as well as the development of a comprehensive privacy breach response plan in case of a security incident. The source of the breach and the nature of the data affected will have to be identified, and the threat eradicated, fast.
However, although the costs and organisational efforts of ensuring companies stay compliant with the GDPR might be high, the hefty price of non-compliance is far greater. Those who are not compliant risk being fined up to €20,000,000 or 4% of annual global turnover, whichever is higher. This is a dramatic increase in the weight of the penalty. Although fines did exist before, the amounts were negligible and did not effectively deter companies from maintaining lax data protection practices.
To conclude, companies cannot afford noncompliance and the results of the government’s cyber health check report point to a perturbing level of laxity in the countdown to the 25th of May. Companies that deal with human samples and clinical data must ensure they have implemented the necessary SOPs and have taken into consideration all legal implications of the GDPR. Being unprepared could cost millions; ‘somewhat prepared’ is clearly not enough.
Authors of the piece: Thomas Hirse and Paetrick Sakowski.