GDPR and data privacy

Since the beginning of 2018, there has been a growing interest from pharmaceutical and biotech firms in the United States regarding the basic tenets of the European Union’s (EU) new General Data Protection Regulation (GDPR). With more than 50 percent of all U.S.-based businesses affected, the pharmaceutical industry is not exempt. GDPR’s widespread effects touch almost every clinical research and pharmaceutical firm – no matter where they are based or what type of work they are doing.

GDPR officially goes into effect on May 25, 2018, and it was put into place to protect the personal data of EU citizens in response to the collection of data by governments and the sale of personal data for commercial and marketing purposes. Importantly, GDPR protects all EU citizens regardless of where they live, and it covers any data that can be used to identify a natural person (i.e., data subject, person), whether directly through primary identifiers such as demographics, or indirectly through quasi-identifiers such as clinical study location combined with age or other delimiting information.

In light of recent data breaches that have affected millions, the Regulation necessitates gaining individual permission for data collection, and it contains requirements for processing agreements, data sharing, and transport of data between countries. Although each EU member state will have authority to implement additional or stricter safeguards around the data collected by firms within its boundaries or about its citizens, GDPR is meant to be a basic set of requirements common to all.

GDPR covers EU citizens abroad
Pharmaceutical industry firms are learning that it does not matter where their headquarters are located when it comes to enforcement of GDPR. If they collect or process data on any EU citizen – regardless of that citizen’s place of residence – firms are required to follow GDPR, at a minimum, with regard to that citizen’s data.

Moreover, it does not matter if a company even has a legally registered location in the EU. Since most pharmaceutical companies regularly do business in the EU, or have equipment situated in the EU which is used to collect, process, or store data, they are bound by GDPR as it pertains to that data regardless of the citizenship of the data subjects. To further complicate the issue, EU citizens do not have to self-identify to be fully protected by the regulation.

If, for instance, a French citizen living in the U.S. enrolls in a clinical research study run by a U.S.-based sponsor and supported by U.S.-based CROs, GDPR applies. This is the case even if none of the equipment or operations are actually in the EU, and all firms involved in the clinical research study are bound to comply with the Regulation with regard to this person’s data.

Next steps for pharmaceutical companies
The easiest way to ensure that you are protecting all of the data appropriately in each of these scenarios is to apply GDPR requirements uniformly across all data collected and processed. Do this globally, regardless of the location of the study or firms involved in clinical research efforts.

Pharmaceutical and biotech firms can also work with internal and external IT, auditing, and compliance experts to holistically discuss any and all steps to comply with the Regulation. This group may assess, review and finalize all procedures, perform a gap analysis, and develop templates and procedures, among other things.

Europe has historically been at the forefront of privacy protection for its citizens. Once GDPR is officially in place, it will be eye-opening to see where non-compliance issues exist and the extent to which they are found. As an industry, every company with a stake in pharmaceuticals should explicitly follow GDPR for every study, every time.

by Barbara Rusin

About the author
Barbara A. Rusin is Regulatory Compliance Manager at MMS, providing technical oversight and direction to a global regulatory team, spread across four continents. Prior to MMS, Barbara was a Bioresearch Monitoring Investigator with the Food and Drug Administration’s (FDA) Detroit office.
