{"id":239,"date":"2019-12-20T17:28:17","date_gmt":"2019-12-20T17:28:17","guid":{"rendered":"https:\/\/www.socra.org\/blog\/?p=239"},"modified":"2020-01-30T18:40:12","modified_gmt":"2020-01-30T18:40:12","slug":"an-overview-of-the-general-data-protection-regulation-gdpr-for-clinical-research-organizations","status":"publish","type":"post","link":"https:\/\/www.socra.org\/blog\/an-overview-of-the-general-data-protection-regulation-gdpr-for-clinical-research-organizations\/","title":{"rendered":"An Overview of the General Data Protection Regulation (\u201cGDPR\u201d) for Clinical Research Organizations"},"content":{"rendered":"\n<p><strong>James F. Bush, Esq. <a href=\"#_ftn1\"><strong>[1]<\/strong><\/a><\/strong><br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"580\" src=\"https:\/\/www.socra.org\/blog\/wp-content\/uploads\/2019\/12\/gdpr-compliance-1024x580-1024x580.png\" alt=\"\" class=\"wp-image-245\" srcset=\"https:\/\/www.socra.org\/blog\/wp-content\/uploads\/2019\/12\/gdpr-compliance-1024x580.png 1024w, https:\/\/www.socra.org\/blog\/wp-content\/uploads\/2019\/12\/gdpr-compliance-1024x580-300x170.png 300w, https:\/\/www.socra.org\/blog\/wp-content\/uploads\/2019\/12\/gdpr-compliance-1024x580-768x435.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2><strong>Abstract<\/strong><\/h2>\n\n\n\n<p>In\n2018, the European Union\u2019s General Data Protection Regulation (\u201cGDPR\u201d) came\ninto full force and effect. With the growth of international multi-center\nclinical research studies, U.S.-based research organizations and investigators\nwill now be governed by the GDPR to the extent that they control or process\nPersonal Data of EU citizens in the course of their research. While efforts to\nattain compliance with HIPAA and HITECH within the U.S. 
provide clinical\nresearchers a head-start in attaining compliance with the GDPR, substantial\nadditional efforts must be undertaken to avoid the risk of enforcement\npenalties for failure to meet the mandates of the GDPR in conducting clinical\nresearch. A basic understanding of the important rights granted to study\nsubjects, the jurisdictional reach of the law, logistical and organizational\nconsiderations, and the possible risks of enforcement action is now an\nessential competency for those engaging in clinical research involving EU\ncitizens. The goal of this paper is to provide a regulatory overview of the law\nand its effect on clinical research in order to enhance the competency of\ninvestigators, project managers, and decision-makers involved in such clinical\nresearch. <\/p>\n\n\n\n<!--more-->\n\n\n\n<h2><strong>Introduction<\/strong><\/h2>\n\n\n\n<p>The\nway that clinical researchers handle study subjects\u2019 data within the European\nUnion will never be the same because on May 25, 2018, the General Data\nProtection Regulation (\u201cGDPR\u201d) came into full force and effect, overhauling the\nway Personal Data is handled not only within the EU, but globally. The GDPR\nbuilds on existing European data privacy law not only by standardizing and\nstrengthening the data rights of 511 million EU citizens, but by extending\nenforcement of these rights to any organization that processes or controls EU\ncitizens\u2019 data, with very limited exception. 
The EU adopted the regulation in April 2016 with a two-year transition before it became applicable, and while penalties for non-compliance can be severe, <em>The Economist<\/em> estimated in April 2018 that 60% of covered organizations were \u201cnot ready\u201d to attain compliance with the GDPR.<a href=\"#_ftn1\">[1]<\/a> While research organizations that currently take measures to comply with the Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d) and the Health Information Technology for Economic and Clinical Health (\u201cHITECH\u201d) Act may have a substantial head-start in GDPR compliance efforts, the GDPR provides a more robust framework of autonomy for study subjects and imposes requirements on controllers and processors of that data that have no HIPAA equivalent. For researchers conducting studies within the EU, an understanding of the major requirements of the GDPR and how it differs from HIPAA and HITECH is now a critical competency. <br><\/p>\n\n\n\n<h2><strong>Scope, Goals, and Comparison<\/strong><\/h2>\n\n\n\n<p>The major goals of the GDPR are threefold: 1) enhanced protection of individuals\u2019 personal data, 2) harmonization of EU data privacy laws, and 3) expanded and more stringent enforcement. Covered \u201cPersonal Data\u201d is any information relating to an identified or identifiable natural person, whether the identification is direct or indirect, including, but not limited to, names, photographs, e-mail addresses, banking information, social networking posts, health and genetic information, IP addresses, and coded study identifiers for as long as a key exists that links the code back to the subject. Although this paper follows common usage in speaking of \u201cEU citizens,\u201d the regulation\u2019s territorial scope (Article 3) turns on whether the data subject is in the EU, not on citizenship: a non-EU national enrolled at a European site is protected, and an EU national enrolled at a U.S. site generally is not. Notably, data concerning health, genetic data, and biometric data are \u201cspecial categories\u201d of personal data requiring more stringent safeguards and a specific legal basis for processing (Article 9). Jurisdictionally, the GDPR extends the reach of the EU\u2019s revamped data laws to all foreign organizations that \u201coffer goods or services to, or monitor the behavior of,\u201d data subjects in the EU, regardless of whether the organization or the data in question physically reside within the EU. 
Additionally, non-EU controllers and processors caught by this provision must generally designate a representative within the EU (Article 27), and organizations whose core activities involve large-scale processing of special-category data must appoint a data protection officer (Article 37). Foreign organizations, like their European counterparts, face the same penalties for non-compliance with the GDPR\u2019s mandates.<\/p>\n\n\n\n<h2><strong>Subject Autonomy: Right of Access, Erasure, and Portability<\/strong><\/h2>\n\n\n\n<p>Three data subject rights set out in the GDPR will have the most significant impact on researchers\u2019 handling of EU subjects\u2019 personal data: the rights of access, erasure, and portability. Additionally, organizational and technical privacy measures will be required by default, where appropriate, in the collection, storage, use, and dissemination of data.<\/p>\n\n\n\n<p>First, the right of access (Article 15) allows data subjects to require a data controller to confirm whether personal data concerning them is being processed, for what purpose, with which recipients it has been shared, and for how long it will be retained. Upon request, the controller must provide a copy of the data: the first copy is free of charge, further copies may carry a reasonable fee, and where the request is made electronically the copy must be supplied in a commonly used electronic form. The controller must respond without undue delay and in any event within one month, extendable by up to two further months for complex or numerous requests (Article 12). <\/p>\n\n\n\n<p>Additionally, the right to erasure (the \u201cright to be forgotten,\u201d Article 17) allows a data subject to require a data controller to delete the subject\u2019s personal data and cease further dissemination of it; the controller must then communicate the erasure to each recipient to whom it disclosed the data unless doing so proves impossible or involves disproportionate effort (Article 19). The right is not absolute: it applies only in the circumstances the regulation lists (for example where the data are no longer necessary for the purpose for which they were collected, or where consent was the legal basis and has been withdrawn), and it yields where erasure would render impossible or seriously impair scientific research conducted under appropriate safeguards (Article 17(3)(d)). Whether that exception covers a given dataset is a determination a research organization should document before enrollment rather than make under the pressure of a live request. In addition to developing policies and procedures to ensure compliance with first-party deletion requests, research organizations will need enforceable contracts with their processors (the GDPR analogue of HIPAA business associate agreements, Article 28) that oblige the processor to delete or return the data at the controller\u2019s instruction, to flow the same obligation down to any sub-processors, and to make available the information needed to verify that deletion occurred. 
<\/p>\n\n\n\n<p>Further, the GDPR also provides a right to data portability (Article 20), i.e., the right of a subject to receive the personal data they provided to a controller in a \u201cstructured, commonly used and machine-readable format\u201d and to transmit it to another controller. The right applies to data processed by automated means on the basis of consent or contract, which covers most electronically captured study data collected under consent, but not to the controller\u2019s own derived analyses. In conjunction with the right to erasure, subjects should theoretically be able to move their data from one provider to another as if it were a piece of physical property.<\/p>\n\n\n\n<p>Facilitating data subjects\u2019 rights of access, erasure, and portability will present significant, but manageable, logistical and policy considerations for researchers. Covered organizations will need the means to verify the identity of the requester, locate every copy of a subject\u2019s data across systems, sites, and processors, and respond within the statutory one-month window. For many organizations, response will be facilitated through appointment of a local representative within the EU. <\/p>\n\n\n\n<h2><strong>Privacy by Design\/Default<\/strong><\/h2>\n\n\n\n<p>In addition to the rights of access, portability, and erasure, controllers must now build privacy into their processing by default through technical and organizational measures (Article 25). Controllers must limit their collection, processing, and retention of subject data to what is necessary for the stated purpose (the data minimisation and storage limitation principles), a concept familiar to those who handle HIPAA-protected health information under the minimum necessary standard. Access to data within the organization must also be limited to an \u201cas-needed\u201d basis, and that limitation should be enforced by role-based access controls and audit logging rather than by written policy alone. On the technical side, research organizations will need to inventory data gathering processes and products to identify what types of data are being gathered, where each copy resides, and the privacy measures in place. Pseudonymisation (replacing direct identifiers with a study code, with the linking key held separately under restricted access) and encryption are the two measures the regulation names expressly (Articles 25 and 32). Encryption of databases and backups at rest should be evaluated as an important back-end component of ensuring privacy by default, and the coding already routine in clinical datasets should be documented as a deliberate safeguard, bearing in mind that coded data remain personal data for as long as the key exists. HTTPS (TLS) must be used for all Web-level interactions with data subjects, e.g., Web-based study forms and questionnaires, so that subject data is never transmitted in the clear. 
On the organizational side, an audit of policies and procedures and of contracts with processors will be required to confirm that each party\u2019s obligations for ensuring subjects\u2019 privacy are documented and enforceable. <\/p>\n\n\n\n<h2><strong>Consent<\/strong><\/h2>\n\n\n\n<p>Research organizations that rely on consent to obtain, control, and process personal data of EU subjects must obtain clear and unambiguous consent to do so from those subjects. A request for consent must be presented in a manner clearly distinguishable from other matters, not obscured by a volume of information or fine print. Subjects must be able to withdraw consent to the processing of data as easily as they gave it, and must be told so before consenting. Explicit \u201copt-in\u201d consent is required for obtaining and processing health or genetic information where consent is the legal basis relied upon; a pre-ticked box or silence does not qualify. Any dissemination of Personal Data to third parties must also be covered by the subject\u2019s consent. As part of the consent process, explicit consent will be required for transfer of health and genetic information outside the EU to the U.S. where no other transfer mechanism (such as standard contractual clauses approved by the European Commission) is in place, and the subject must first be informed of the possible risks of such a transfer (Article 49). Consents must clearly set out subjects\u2019 privacy rights and how the organization ensures compliance with those rights.<\/p>\n\n\n\n<h2><strong>Data Breaches<\/strong><\/h2>\n\n\n\n<p>Under the GDPR, a personal data \u201cbreach\u201d is a breach of security leading to the \u201caccidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed\u201d (Article 4(12)). The definition covers loss of availability or integrity, such as a ransomware incident or a lost unencrypted laptop, as well as disclosure. Where a breach is identified, the controller must notify the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; a processor that detects a breach must notify the controller without undue delay, which is a further obligation to write into processor contracts (Article 33). Notification to the affected data subjects \u201cwithout undue delay\u201d is additionally required where the breach is likely to result in a \u201chigh risk\u201d to the rights and freedoms of individuals (Article 34). Inadvertent disclosure of genetic or health information is very likely to meet this standard, whereas loss of data that was encrypted with a key the attacker did not obtain generally will not, which is one concrete reason to treat encryption at rest as a priority. Controllers must also keep an internal record of every breach, including those judged not to require notification. 
<\/p>\n\n\n\n<p>Given the frequency and magnitude of data breaches affecting companies in the U.S., inadvertent data breaches likely present the greatest source of future penalties and litigation under the GDPR. Other than HIPAA, the current legal landscape in the U.S. pertaining to data breaches consists of a patchwork of varying state laws and regulations across all 50 states. Recent Congressional efforts to pass comprehensive data breach legislation and a comparable \u201cData Privacy Bill of Rights\u201d have proved unsuccessful. As data breach insurance has become increasingly available in the U.S., research organizations\u2019 evaluation of such products should include whether coverage extends to enforcement penalties under the GDPR and to the cost of notifying EU subjects and supervisory authorities.<\/p>\n\n\n\n<h2><strong>Enforcement<\/strong><\/h2>\n\n\n\n<p>While a single set of rules now governs all EU member states, each member state maintains its own independent supervisory authority (SA) to adjudicate complaints and bring administrative actions; for processing that spans several member states, the SA of the organization\u2019s main EU establishment acts as lead authority (Article 56). If a covered organization commits a serious breach of the GDPR\u2019s mandates, such as a violation of the core data protection principles, of data subjects\u2019 rights, or of the rules on consent or international transfers, maximum fines can be as high as the greater of 4% of annual global turnover or \u20ac20 million (approximately $25 million USD, $31 million CAD). Maximum penalties are expected to be rare and reserved for the most serious violations. A lower tier, the greater of 2% of annual global turnover or \u20ac10 million, applies to infractions such as failures of breach notification, record-keeping, or security obligations, and supervisory authorities may also issue warnings and reprimands and order processing to be suspended (Articles 58 and 83).<\/p>\n\n\n\n<h2><strong>Conclusion<\/strong><\/h2>\n\n\n\n<p>The impact of the GDPR on the handling of Personal Data of study subjects within the EU is significant. For organizations within the U.S., the most meaningful comparison that can be drawn to the GDPR is with HIPAA. Thus, clinical research organizations may be the best positioned to become leaders in GDPR compliance within the U.S. 
However, implementation of substantial but attainable changes in organizational policies, processes, and safeguards is still required. Ultimately, the GDPR will likely serve as the template to which U.S. lawmakers look for future legislation. For example, the California Consumer Privacy Act of 2018 becomes effective in 2020, and it grants California residents rights of access, copying, and deletion similar to those under the GDPR. <\/p>\n\n\n\n<p><strong><em>This paper is for general information purposes and is not meant, by itself, to create an attorney-client relationship or constitute legal, accounting, or other professional advice.<\/em><\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><a href=\"#_ftnref1\">[1]<\/a> https:\/\/www.economist.com\/business\/2018\/04\/05\/europes-tough-new-data-protection-law<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><a href=\"#_ftnref1\">[1]<\/a> James F. Bush is an Attorney with Dell Salter, P.A. in Gainesville, Florida practicing within the areas of civil litigation, health law, and data law. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>James F. Bush, Esq. [1] Abstract In 2018, the European Union\u2019s General Data Protection Regulation (\u201cGDPR\u201d) came into full force and effect. 
With the growth of international multi-center clinical research studies, U.S.-based research organizations and investigators will now be governed by the GDPR to the extent that they control or process Personal Data of EU &hellip; <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[61],"tags":[62]}