GDPR stands for ‘General Data Protection Regulation’. It is a new set of guidelines that safeguards the personal data of EU citizens. It enforces stringent rules on how personally identifiable data is controlled and processed. GDPR came into force on May 25, 2018. It contains several crucial provisions, including fines, breach notices, informed consent processes, and responsibilities for data transfer outside the EU. This will change the way patient data is collected, stored, and used.
Personal data: Personal data is any information that can directly or indirectly identify a person (data subject), in particular by a name, an identification number, location data, or one or more factors specific to the physical, mental, or social identity of that person/data subject.
Informed consent: Any ‘party’ collecting or processing data globally from an EU citizen involved in a clinical study is subject to GDPR compliance. It is essential that a signed informed consent be acquired from the subjects before the start of the clinical study. The informed consent form should include clear details on the transfer of study data to non-EU countries with different or less strict data protection regulations. When a volunteer or patient signs the informed consent form, it should be clear what data is being collected, for what purpose, and for how long it will be stored. The sponsors and CROs must ensure they are handling and storing the minimum amount of data required for the purpose consented to. So, when dealing with clinical studies, even when data is anonymized and there is no monitoring involved, an informed consent is required.
Data processing outside the EU: The GDPR controls the transfer of personal data outside the European Union, since third countries are likely to have less strict data protection regulations. The subject should be informed and consent must be acquired when their data is handled and processed by a data processor from a third country.
Data protection officer: The role of a Data Protection Officer is a distinct one within the GDPR: a person registered with the data protection agencies (DPA) in a specific country. It is the obligation of the sponsor to delegate a Data Protection Officer who acts as an interface between the organizations and the company, and who is also the point of contact that data subjects can get in touch with if there are any data breaches.
Conclusion: The impact of the GDPR is probably limited in clinical studies because most components are already addressed in the clinical study’s informed consent. However, one may need to pay attention to providing a more explicit informed consent form that addresses the purpose for which the data is being used, states that the subjects’ data may be processed in a third country, and sets out the roles and responsibilities of the study sponsor and the data processors (CROs in this case), along with the points of contact in case of any breach involving the personal data.
Sponsors and CROs must ensure that their internal policies are aligned with the new GDPR regulations and must have their plan ready accordingly. It is important to identify reliable partners to make sure that clinical studies are conducted as per the latest regulatory standards and are of the highest quality.