This two-part blog summarizes Medical Device and Diagnostic Solutions’ research on General Data Protection Regulation (GDPR) compliance for medical device sponsors. It does not serve as legal advice; it is a summary of information gleaned by Medical Device and Diagnostic Solutions through a review of the GDPR itself and publicly available resources on current interpretations of GDPR compliance. Medical Device and Diagnostic Solutions recommends that sponsors obtain legal counsel on this topic.
In part I of this blog, we discussed the background of GDPR and key elements for sponsor consideration. In part II, we’ll discuss specific GDPR requirements, including new terms with specific definitions, implications for clinical researchers and sponsors, and required elements to include in GDPR-compliant informed consent forms (ICFs).
Informed Consent Process Requirements
There are specific elements related to data privacy that must be included in the data privacy notice. For clinical studies, the easiest method to ensure the information is presented is to include it in the study’s informed consent form (ICF). Consent must be unambiguous and given in writing, and it cannot be obtained by passive means such as relying on a pre-checked box that the participant would have to uncheck. The informed consent (IC) process can meet all of these stipulations.
Informed Consent Elements
Written consent elements include:
- Identity and contact information for the data controller (sponsor).
- Contact information for the data protection officer (designated sponsor contact).
- Special categories of “sensitive personal data” that will be collected for the study, such as:
  - Age, sex, ethnic and racial background.
  - Health and medical conditions, including past medical history.
  - Study procedures and response to procedures.
  - Information related to the participant’s sex life.
  - Biological samples (e.g., urine, blood, tissue) and the results learned from analyzing them.
  - Medical images (e.g., ultrasound scans) and the results learned from evaluating them.
- Data privacy rights:
  - The right to request information about the handling of the participant’s data.
  - The right to request correction of data that are inaccurate or incomplete, and to restrict processing while they are being corrected.
  - The right to request transfer of data to the participant or to others in a commonly used format.
  - The right to withdraw consent at any time, including the right to withdraw from study participation, follow-up or further handling of data.
    Note: It is acceptable to add a limitation that data already processed remain legally covered by the original consent, but no further data will be collected.
  - The right to request deletion of the participant’s data if the data are no longer needed or there is no other legal requirement for their use.
    Note: FDA regulations require retention of participant data for specified periods of time; therefore, it is acceptable to state that data will be kept indefinitely.
- Transfer of data: a statement about the circumstances under which data will be transferred, to whom, and the safety measures taken to protect the data (e.g., data are encoded).
- If data will be transferred outside the EU: a statement that the countries receiving the data may not have had their data protection level confirmed as adequate by the European Commission, and any safety measures taken to protect data privacy rights.
  Note: The European Commission has not confirmed that the U.S. has an adequate data protection level and does not consider the U.S. level adequate under GDPR at this time. However, actions can be taken such that compliance can be achieved on a case-by-case basis.
- The policy for retention of data: a statement describing how long data will be stored (e.g., indefinitely or “in perpetuity”).
- A statement that consent is “freely given”: an active and explicit statement that consent is freely given and can be withdrawn easily and without penalty.
- The purpose of the data request: specify that the intent of data collection is “for the scientific purposes of the research.”
Impact on Study Management and Data Collection
- If existing ICFs are not compliant, the sponsor must require re-consent of subjects to continue to collect data going forward.
- Data collected before GDPR are not required to have been collected under GDPR-compliant ICFs.
- If a subject withdraws from a study, the data already collected can still be used and stored indefinitely, as long as this is clearly stated in the ICF.
- Informed consent checklists, if used, should be updated to include GDPR requirements.
- As a sponsor and data controller, you retain the responsibility for onward transfer of data, meaning data protection contracts should be in place with any vendor that accesses or may access personal or sensitive data. These contracts must clearly define all of the aspects of data integrity and security required to comply with GDPR.
The uncertainty and angst surrounding GDPR compliance are akin to those that accompanied the introduction of HIPAA requirements in 2003, but as with HIPAA, time and ongoing discussions have provided clarity on this topic.
The Medical Device and Diagnostic Solutions experts are ready to support you as you delve into GDPR compliance.