This two-part blog summarizes Medical Device and Diagnostic Solutions' research on General Data Protection Regulation (GDPR) compliance for medical device sponsors. It is not legal advice; it summarizes information gathered by Medical Device and Diagnostic Solutions through a review of the GDPR itself and publicly available resources on current interpretations of GDPR compliance. Medical Device and Diagnostic Solutions recommends that sponsors obtain legal counsel on this important topic.
In part 1 of this blog, we will discuss the background of GDPR and key elements for sponsor consideration. In part 2, we will discuss specific GDPR requirements, including new terms with specific definitions, implications for clinical researchers and sponsors and required elements to include in GDPR-compliant informed consent forms (ICFs).
The new GDPR went into effect in the European Union (EU) on May 25, 2018. This broad legislation covers many aspects of personal information protection and confidentiality, but information and guidance on its application to clinical research are very limited; clinical trials are mentioned only twice in the regulation. Although the regulation is specific to the EU member countries, the United Kingdom (UK) will remain impacted by GDPR requirements, even upon exit from the EU. At that time, the UK will become a ‘third country’ along with other non-EU countries.
GDPR and Clinical Trials
The previous EU privacy law, EU Directive 95/46/EC, has been superseded by GDPR. GDPR is intended to harmonize data privacy laws across the EU and to protect the privacy of all individuals while they are in the EU. GDPR is extra-territorial, meaning it applies to any organization that collects or processes personal data of individuals inside the EU, regardless of where the organization collecting or processing is located. GDPR covers EU residents and non-residents residing in or visiting the EU if their study data are collected while they are in the EU.
For example, suppose a U.S. study subject travels to the EU while wearing an activity monitor. If activity monitor data are collected while the subject is in the EU, the subject must have given GDPR-compliant consent for the sponsor to collect those data.
The data covered by GDPR are broader than the personal information covered under previous legislation and include genetic and biometric data. Under GDPR, certain information must be provided to individuals before their personal data are obtained, such as the identity and contact details of the data controller (i.e., the sponsor), the contact details of the data protection officer (the designated person within the sponsor organization), the purposes and legal basis for data processing, the recipients of the data, how long the data will be stored and the individual’s rights under the legislation. Children who are at least 16 years old can provide consent under GDPR; for children under 16 years old, consent must be granted by the holder of parental responsibility over the child.
In our next blog, we’ll explore new GDPR terminology and critical elements to include in GDPR-compliant informed consent forms.
The Medical Device and Diagnostic Solutions consultants are available to help you navigate GDPR.
- Advarra Regulatory Team. The GDPR and its impact on the clinical research community (including non-EU researchers). Advarra. https://www.advarra.com/the-gdpr-and-its-impact-on-the-clinical-research-community-including-non-eu-researchers/ Accessed 31 Jul 2018.
- Clinical Trial Arena. General Data Protection Regulation: the impact on clinical trials and data subjects. http://www.clinicaltrialsarena.com/uncategorized/general-data-protection-regulation-the-impact-on-clinical-trials-and-data-subjects-5937623-2/ Accessed 31 Jul 2018.
- General Data Protection Regulation (GDPR): https://gdpr-info.eu/ Accessed 31 Jul 2018.
- Gogates G. How does GDPR affect clinical trials? Applied Clinical Trials. http://www.appliedclinicaltrialsonline.com/how-does-gdpr-affect-clinical-trials Accessed 31 Jul 2018.
- Kirsch L. How GDPR affects personal data use in clinical trials. MassDevice. https://www.massdevice.com/how-gdpr-affects-personal-data-use-in-clinical-trials/ Accessed 31 Jul 2018.
- LMK Clinical Research. Is your TMF ready for GDPR? Part two: know your rights. http://www.lmkclinicalresearch.com/blogs/tmf-ready-for-gdpr-part-two/ Accessed 31 Jul 2018.
- Proffitt A. What Europe’s new privacy regulations mean for US trials. Clinical Informatics News. http://www.clinicalinformaticsnews.com/2017/10/24/what-europes-new-privacy-regulations-means-for-us-trials.aspx Accessed 31 Jul 2018.