This regulation has a broad scope that reaches well beyond companies performing clinical research: all personal data falls within its jurisdiction, which includes web search engines, social media, and much more.
But specifically, how does this new regulation affect personal data collected during a clinical trial, and what do Sponsors and Contract Research Organizations (CROs) need to do to ensure compliance? Here we aim to address the highlights of the GDPR and its implications for clinical research.
What is the GDPR?
The GDPR was approved by the European Parliament on April 14, 2016 and replaces the Data Protection Directive (DPD) 95/46/EC. The new GDPR expands what is considered to be personal data (i.e. any data that can be used to potentially identify a person).
Who does the GDPR apply to?
The GDPR applies to all EU citizens. Thus, any Sponsor or CRO that collects information from these individuals, even if that Sponsor or CRO is not located in the EU, is subject to the rules of the GDPR.
How does the GDPR define personal data?
Similar to the U.S. Health Insurance Portability and Accountability Act (HIPAA), identifiers such as name, social security numbers, addresses, date of birth, and electronic medical numbers all constitute personal information. However, the GDPR expands the personal data definition from the DPD to include information such as location information, genetic data, IP addresses, and e-mail addresses. In sum, any data that could potentially be used to directly or indirectly identify a person is considered personal data.
How will the GDPR affect your clinical trial?
It is important to understand what personal data means, and what the difference is between anonymous data and pseudonymized data. You have to keep the GDPR in mind when approaching study staff and patients for participation in your clinical trial.
The rules regarding data transfer and data storage are also stricter, so take into consideration who will have access to your clinical data and to which countries the data will be transferred. Make sure that you have the necessary safeguards in place to provide adequate protection for the data subject and to be compliant with the GDPR.