GDPR and data privacy

Since the beginning of 2018, there has been growing interest from pharmaceutical and biotech firms in the United States regarding the basic tenets of the European Union’s (EU) new General Data Protection Regulation (GDPR). With more than 50 percent of all U.S.-based businesses affected, the pharmaceutical industry is not exempt. GDPR’s widespread effects touch almost every clinical research and pharmaceutical firm – no matter where they are based or what type of work they are doing.

GDPR officially goes into effect on May 25, 2018, and it was put into place to protect the personal data of EU citizens due to collection of data by governments, and sale of personal data for commercial and marketing purposes. Importantly, GDPR protects all EU citizens regardless of where they live, and it includes any data that can be used to identify a natural person (i.e. data subject, person), whether directly through primary identifiers such as demographics, or indirectly through quasi-identifiers such as clinical study location combined with age or other delimiting information.

In light of recent data breaches that have affected millions, the Regulation necessitates gaining individual permission for data collection, and it contains requirements for processing agreements, data sharing, and transport of data between countries. Although each EU member state will have authority to implement additional or stricter safeguards around the data collected by firms within their boundaries or about their citizens, GDPR is meant to be a basic set of requirements common to all.

GDPR covers EU citizens abroad
Pharmaceutical industry firms are learning that it does not matter where their headquarters are located when it comes to enforcement of GDPR. If they collect or process data on any EU citizen – regardless of their place of residence – firms are required to follow GDPR, at a minimum, with regard to that citizen’s data.

Moreover, it does not matter if a company even has a legally registered location in the EU. Since most pharmaceutical companies regularly do business in the EU, or have equipment situated in the EU which is used to collect, process, or store data, they are bound by GDPR as it pertains to that data regardless of the citizenship of the data subjects. To further complicate the issue, EU citizens do not have to self-identify to be fully protected by the regulation.

If, for instance, a French citizen living in the U.S. enrolls in a clinical research study run by a U.S.-based sponsor and supported by U.S.-based CROs, GDPR applies. This is the case even if none of the equipment or operations are actually in the EU, and all firms involved in the clinical research study are bound to comply with the Regulation with regard to this person’s data.

Next steps for pharmaceutical companies
The easiest way to ensure that you are protecting all of the data appropriately in each of these scenarios is to apply GDPR requirements uniformly across all data collected and processed. Do this globally, regardless of the location of the study or firms involved in clinical research efforts.

Pharmaceutical and biotech firms can also work with internal and external IT, auditing, and compliance experts to holistically discuss any and all steps to comply with the Regulation. This group may assess, review and finalize all procedures, perform a gap analysis, and develop templates and procedures, among other things.

Europe has historically been on the forefront of privacy protection for its citizens. Once GDPR is officially in place, it will be eye-opening to see where non-compliance issues exist and the extent to which they are found. As an industry, every company with a stake in pharmaceuticals should explicitly follow GDPR for every study, every time.

by Barbara Rusin

About the author
Barbara A. Rusin is Regulatory Compliance Manager at MMS, providing technical oversight and direction to a global regulatory team, spread across four continents. Prior to MMS, Barbara was a Bioresearch Monitoring Investigator with the Food and Drug Administration’s (FDA) Detroit office.
