The General Data Protection Regulation (GDPR) is a data privacy and security law introduced by the European Union that seeks to ensure the fair and proper use of people's personal information, by regulating how businesses process personal data.
Although an EU law, the GDPR imposes obligations on organisations regardless of their geographic location, so long as they target or collect personal data in the EU. Organisations subject to the GDPR are broadly required to comply with the seven overarching principles, which are intended to embody the general spirit of the legislation.
More specifically, the GDPR imposes separate obligations on controllers (those who determine the purposes and means of processing personal data) and processors (those responsible for processing personal data on behalf of a controller). Additionally, the GDPR imparts certain rights on data subjects, and organisations must therefore be aware of how they are required to respond to the exercise of such rights.
Organisations should endeavour to comply with the GDPR as fully as possible, as failure to do so can carry a fine of up to €20 million, or 4% of total worldwide annual turnover, whichever is the greater.
GDPR and the life sciences industry
Since coming into force on 25 May 2018, the GDPR has had a fundamental impact on the life sciences industry. Pharmaceutical and biotechnology organisations frequently make use of personal data, and should therefore be aware of their obligations under the GDPR in order to avoid any regulatory ‘trip wires’. In particular, businesses in the life sciences sector should consider how the GDPR may impact upon:
- Their right to process data
- Medical research; and
- Other regulatory obligations.
The right to process personal data
In order to process personal data in compliance with the GDPR, organisations must first identify a valid lawful ground. There are six lawful bases for processing set out in the GDPR, and the most appropriate ground will be determined by the specific nature of the processing being carried out. Further, where any ‘special category’ data is being processed (e.g. health or biometric data), organisations need to identify both a lawful basis for general processing and satisfy an additional condition, due to the particularly sensitive nature of special category data.
A key area involving significant data processing for Life Sciences companies is medical research. Organisations involved in this area therefore need to ensure that any processing of personal data complies with the seven principles of the GDPR, namely: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality (security) and accountability. It should however be noted that certain principles apply more flexibly where scientific research is being carried out, for example data can be stored for longer than would otherwise be permissible under the storage limitation principle, provided that appropriate safeguards are in place.
Life sciences businesses should also be aware that the enhanced rights for individuals under the GDPR may also have implications for medical research. For example, individuals have a right to have their personal data erased in certain circumstances, which could extend to research data. That being said, the GDPR does provide an exemption from the right of erasure of personal data for scientific research purposes, insofar as the right of erasure is likely to impair or render impossible the achievement of the research objectives.
Other regulatory obligations
Given the highly regulated nature of the life sciences industry, it is common for organisations’ obligations under the GDPR to overlap with their other regulatory obligations. Most commonly, we see overlaps in relation to clinical trials and pharmacovigilance.
Whereas the GDPR seeks to protect individuals with regard to the processing of personal data, the Clinical Trials Regulations (CTR) aim to greater harmonise the rules for conducting clinical trials throughout the EU. Notwithstanding the data protection provisions set out in the CTR, the European Data Protection Board (EDPB) has confirmed that compliance with the CTR does not mandate any derogation from the GDPR. The EDPB have emphasized in particular that ‘informed consent’ provided under the CTR to participate in a clinical trial is not the same as consent to process personal data under the GDPR. Even where giving informed consent under the CTR is possible, an imbalance of power between the participant and the sponsor/investigator may not enable consent to be ‘freely given’, as required by the GDPR.
Organisations should therefore be careful not to assume that compliance with the CTR will guarantee compliance with the GDPR.
EU pharmacovigilance legislation requires organisations to report the effects of drugs once they have been licensed for use. Whilst the pharmacovigilance legislation provides that it shall apply ‘without prejudice to’ the data protection laws (i.e. the GDPR), there is no corresponding statement in the GDPR, and therefore the GDPR will continue to apply regardless of any pharmacovigilance obligations (albeit in places, compliance with other legal obligations is contemplated by the GDPR).
Though published prior to the advent of the GDPR, the European Data Protection Supervisor has issued guidance on the interplay between pharmacovigilance legislation and data protection laws, offering useful insight.