GDPR: What Life Science organisations need to do to comply

Since GDPR became a thing on May 25th 2018, organisations need to be prepared to comply with a whole new set of data protection regulations, or face fines of up to 4% of your worldwide annual revenue.

The regulation is set to disrupt businesses across the world, and provide a big data privacy boost for consumers, by tightening privacy legislation and implementing a consistent approach.

So what does that mean for the Life Sciences industry?

There are some components to GDPR that need to be addressed:

• Subject access requests Under the new regulations, the time frame for dealing with subject access requests (where an individual requests a copy of their data) is 30 days. Additionally, individuals will now have the right to have their data provided in a readable format. For example, it is not enough to provide a link to a system- it has to be accessible in a format everyone can access (e.g Word or Excel).Your organisation will need to halve the timeframe usually reserved for subject access requests, and ensure that any data sent is communicated in an accessible, easy-to-read format.
• Transfer of data If data is sent outside of the borders, Pharma companies need to demonstrate that controls and oversight are in place and the data is protected.A Data Transfer Agreement (DTA) is likely to be the best way to do this. In any case, companies need to inform data subjects that their data is being sent outside the borders.
• Rewriting of Consent notices Consent notices may need to be rewritten to comply with the new regulations to inform individuals where their data will be sent, how long it will be kept for and what rights individuals have for that data.Under the new rules, consent must be freely given, informed and unambiguous. The data subject must fully understand how their data will be used and have specifically agreed to this. The consent cannot be labelled as an “agreement to all processing”, it must specify what the processing will consist of. Consent has to be verifiable, and in practice, this means if  your organisation is asked, you must be able to prove consent was given to you. The individual must also be informed of their right to withdraw their consent at any time. Additionally, where consent is required for children’s data, the notice must be written so that the child can understand it.
• Pseudonomised and anonymised data Under GDPR, pseudonomised data is still considered personal data as long as additional information which could be used to identify the data subject is kept. For instance, a list of coded names linked to real names would still be considered personal data.On the other hand, anonymised data – where there is no linked data and absolutely no way of identifying the individual – is considered out of scope. Trial protocols should specify which of these will apply.
• Accountability Companies must now be able to demonstrate compliance. It is not enough just to say “we are compliant”. If the ICO asks, you must be able to provide evidence such as procedures, training, data mapping and consent forms.Pharma Companies are likely to need to appoint a Data Protection Officer (DPO) who will be accountable for ensuring compliance with  GDPR.For some companies, the appointment of a DPO is mandatory under the legislation, and that individual must have appropriate knowledge and qualifications. This is applicable to your business if your core activities consist of processing operations which require regular and systematic processing of data subjects on a large scale.
• Joint ControllersArticle 26 of the GDPR sets out the responsibilities and liabilities of parties as “joint controllers”.It is imperative that both the sponsoring company understand the remit of their obligations and the potential for overlap in their respective roles, as the line between a sponsor’s responsibilities and those of the CRO can often be blurred.
• The right to be forgotten Under GDPR, all individuals have a right to request the deletion of their data or require an organisation to stop processing it. There is an exemption for data that is held for scientific research, but for that exemption to apply, your organisation would have to be able to demonstrate that the continued processing of a set of data is essential to a particular trial. Under Article 17 of the GDPR, a trial participant can at any time request that all of their data be removed “without undue delay”.This requirement on the sponsor as data controller would require the identification and deletion of any data, whether stored by the sponsor, CRO, hospital or any other third party. The right to be “forgotten” cannot be waived in the consent form.
• Oversight of suppliers Under the new legislation companies who cannot demonstrate due diligence and monitoring of their suppliers are likely to be fined.Any breaches caused by the data processor where a controller cannot demonstrate adequate oversight will result in the fine being split between the processor and controller. It is therefore essential that Pharmaceutical organisations monitor their suppliers closely and conduct data protection due diligence.

Tackling these requirements is a lengthy but essential process. With business’s global revenue and individual accountability at stake, Life Sciences organisations have to ensure they’re fully prepared.