James F. Bush, Esq. 
In 2018, the European Union’s General Data Protection Regulation (“GDPR”) came into full force and effect. With the growth of international multi-center clinical research studies, U.S.-based research organizations and investigators will now be governed by the GDPR to the extent that they control or process Personal Data of EU citizens in the course of their research. While efforts to attain compliance with HIPAA and HITECH within the U.S. provide clinical researchers a head-start in attaining compliance with the GDPR, substantial additional efforts must be undertaken to avoid the risk of enforcement penalties for failure to meet the mandates of the GDPR in conducting clinical research. A basic understanding of the important rights granted to study subjects, the jurisdictional reach of the law, logistical and organizational considerations, and the possible risks of enforcement action is now an essential competency for those engaging in clinical research involving EU citizens. The goal of this paper is to provide a regulatory overview of the law and its effect on clinical research in order to enhance the competency of investigators, project managers, and decision-makers involved in such clinical research.
way that clinical researchers handle study subjects’ data within the European
Union will never be the same because on May 25, 2018, the General Data
Protection Regulation (“GDPR”) came into full force and effect, overhauling the
way Personal Data is handled not only within the EU, but globally. The GDPR
builds on existing European data privacy law not only by standardizing and
strengthening the data rights of 511 million EU citizens, but by extending
enforcement of these rights to any organization that processes or controls EU
citizens’ data, with very limited exception. The EU first adopted the new data
privacy regime in April 2016, and while penalties for non-compliance can be
severe, The Economist estimates that
60% of covered organizations are “not ready” to attain compliance with the
While research organizations that currently take measures to comply with the
Health Insurance Portability and Accountability Act (“HIPAA”) and Health
Information Technology for Economic and Clinical Health (HITECH) Act may have a
substantial head-start in GDPR compliance efforts, the GDPR provides a more
robust framework of autonomy for study subjects and unique requirements for
controllers and processors of that data. For researchers conducting studies
within the EU, an understanding of the major requirements of the GDPR and how
it varies from HIPAA and HITECH is now a critical competency.
Scope, Goals, and Comparison
The major goals of the GDPR are threefold: 1) enhanced protection of EU citizens’ data, 2) harmonization of EU data privacy laws, and 3) expanded and more stringent enforcement. Covered “Personal Data” encompasses any information collected that could directly or indirectly identify an EU citizen including, but not limited to, names, photographs, e-mail addresses, banking information, social networking posts, health and genetic information, and IP addresses. Notably, health information pertaining to diagnosis, treatment, and genetics is deemed to be an especially sensitive form of data requiring more stringent safeguards. Jurisdictionally, the GDPR will extend the reach of the EU’s revamped data laws to all foreign organizations that “offer goods or services to, or monitor the behavior of, EU data subjects,” regardless of whether the company or the data in question physically reside within the EU. Additionally, non-EU organizations engaging in “large-scale” processing of subject data may be required to appoint a compliance representative within the EU. Foreign organizations, like their European counterparts, face the same penalties for non-compliance with the GDPR’s mandates.
Subject Autonomy: Right of Access, Erasure, and Portability
Three data subject autonomy rights set out in the GDPR will have the most significant impact on researchers handling of EU citizens’ personal data: the rights of access, erasure, and portability. Additionally, organizational and logistical privacy measures will be required by default, where appropriate, in the collection, storage, use, and dissemination of data.
First, right of access provisions allow data subjects to require a data controller to provide confirmation that personal data is being processed, where it is being processed, and for what purpose. Upon request by a data subject, a data controller is required to provide a copy of data to the subject free of charge in an electronic format.
Additionally, the right to be forgotten (termed “data erasure” within the GDPR) allows a data subject to require a data controller to permanently delete and cease further dissemination of the subject’s personal data. The subject may further require the controller to instruct third parties to cease processing the subject’s data. In addition to developing policies and procedures to ensure compliance with first-party subject deletion requests, research organizations will need enforceable and robust business associate agreements that provide a right for the organization to mandate third-party destruction and ensure compliance.
Further, the GDPR also requires data portability for subjects, i.e., the ability for a subject to take data from one data controller to another in a “commonly used machine readable format.” In conjunction with the right to be forgotten, subjects should theoretically be able to move all their data from one provider to another as if it were a piece of physical property.
Facilitating data subjects’ rights of access, erasure, and portability will present significant, but manageable logistical and policy considerations for researchers. Covered organizations will need to develop the means to ensure sufficient responses to subjects’ data requests. For many organizations, response will be facilitated through appointment of a local representative within the EU.
Privacy by Design/Default
In addition to the rights of access, portability, and erasure, meaningful privacy options must now be provided by data controllers to subjects through default technical and organizational measures. Controllers must limit their retention and processing of subject data to only the extent “absolutely necessary” to complete their duties—a concept familiar to those who handle HIPAA-protected health information. Access to data within the organization must also be limited to an “as-needed” basis. On the technical side, research organizations will need to audit data gathering processes and products to identify what types of data are being gathered and the privacy measures in place. Database encryption should be evaluated as an important back-end technical component of ensuring privacy by default. HTTPS protocols should be implemented at all Web-level interactions with data subjects, e.g., Web-based study forms and questionnaires. On the organizational side, an audit of policies and procedures and of external business associate agreements will be required to identify appropriate compliance with ensuring subjects’ privacy.
Research organizations that wish to obtain, control, and process personal data of EU citizens must obtain clear and unambiguous consent to do so from subjects. Consent must now be obtained in a context not obscured by a volume of information or fine print. Subjects must be able to withdraw consent to the processing of data just as easily as it is given. Explicit “opt-in” consent must be required for obtaining and processing of health or genetic information. Any dissemination of Personal Data to third parties must also be consented to by study subjects. As a part of the consent process, opt-in consent will be required for data transfer of health and genetic information outside of the EU to the US. Consents must clearly set out subjects’ privacy rights and how the organization ensures compliance with those rights.
Under the GDPR, a data “breach” is defined as an “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” Where a breach is identified, a covered organization must notify an EU member state’s supervising authority within 72 hours of first notice of the breach. The GDPR will require mandatory notification of data breaches to the data subject “without undue delay” where a breach is likely to result in “risk for the rights and freedoms of individuals.” Inadvertent disclosure of genetic or health information is very likely to meet this standard.
Given the frequency and magnitude of data breaches affecting companies in the U.S., inadvertent data breaches likely present the greatest source of future penalties and litigation under the GDPR. Other than HIPAA, the current legal landscape in the U.S. pertaining to data breaches consists of a 50-state patchwork of varying state laws and regulations. Despite recent efforts to pass and implement data breach legislation and a comparable “Data Privacy Bill of Rights,” U.S. Congressional efforts have proved unsuccessful. As data breach insurance has become increasingly available in the U.S., research organizations’ evaluation of such products should include whether coverage includes enforcement penalties under the GDPR.
While a single set of rules now govern all EU member states, member states are required to establish their own independent supervisory authorities (SA’s) to adjudicate complaints and administrative actions. If a covered organization commits a serious breach of the GDPR’s mandates—such as a violation of core privacy practices or rules pertaining to study subject consent—maximum fines can be as high as the greater of 4% of annual global revenue or €20 million (approximately $25 million USD, $31 million CDN). Maximum penalties are expected to be rare and reserved for the most serious breach of regulation. A system of graduated penalties exists for less serious infractions.
The impact of the GDPR on the handling of Personal Data of study subjects within the EU is significant. For organizations within the U.S., the most meaningful comparison that can be drawn to the GDPR is with HIPAA. Thus, clinical research organizations may be the best positioned to become leaders in GDPR compliance within the U.S. However, implementation of substantial but attainable changes in organizational policies, processes, and safeguards is still required. Ultimately, the GDPR will likely represent the framework from which U.S. lawmakers look for future legislation. For example, the California Consumer Privacy Act of 2018 will become effective in 2020, and it grants California citizens similar rights of access, copying, and deletion, as does the GDPR.
This paper is for general information purposes and is not meant, by itself, to create an attorney-client relationship or constitute legal, accounting, or other professional advice.
 James F. Bush is an Attorney with Dell Salter, P.A. in Gainesville, Florida practicing within the areas of civil litigation, health law, and data law.