The General Data Protection Regulation (GDPR) entered into force in May 2018, regulating how companies have to go about collecting and processing personal data to ensure they are being used fairly and properly. All companies active in the EU must comply with GDPR rules, which majorly impact companies in the life sciences business. As the European Data Protection Board (EDPB) clarified in its Opinion 3/2019, the GDPR is complementary with the newly enacted European Clinical Trials Regulation (CTR), and with both applying simultaneously, they make for a very precise level of protection in the sector.
Because this new regulation is a lot to digest, in this article we will discuss some compliance elements for non-EU life sciences companies conducting clinical trials in the EU, thus processing personal data from EU data subjects. Specifically, we will focus on the roles of the GDPR Representative and the Data Protection Officer.
Does the GDPR apply to my company’s activities?
1. First, you have to determine whether your company falls within the scope of the GDPR, or not. The GDPR applies to your organization if it pertains to one of the following categories:
- You are a company established* in the EU;
- You are a non-EU company offering goods or services to people who are in the EU;
- You are a non-EU company monitoring EU data subject behaviors within the European Union.
In the context of clinical trials, non-EU-based life-sciences companies may monitor the behavior of EU data subjects when conducting clinical trials in the EU, which requires them to comply with the GDPR.
Note that, even if you do not fall into the previously mentioned categories, you may be required to comply with GDPR principles as part of the partnerships you have with other stakeholders. For example, if one of your subcontractors is subject to the GDPR, it is more than likely they will require a contractual commitment from you to also comply with GDPR. As clinical trials often make for very specific situations (joint controllerships, contracts with CROs, …), we strongly suggest you seek advice from a data protection specialist such as CRANIUM, who can provide you with a case-by-case detailed solution.
2. As a next step, you have to determine which personal data your organization is processing. Reminder: personal data is “any information that relates to an identified or identifiable living individual” (art. 4(1) GDPR). As most companies within the life sciences industry, including biotech, pharma, CROs and suppliers, are processing patient data, such as health and genetic data, which are considered by the GDPR as highly sensitive, it is very likely your company meets this criterion too.
Mandatory compliance: the GDPR Representative & DPO roles
So, if your company conducts clinical trials in the EU and processes data of EU individuals, the GDPR rules apply to your business.
As fines for non-compliance with GDPR can amount to €20 million or 4% of your company’s total worldwide annual turnover, the importance of complying seems clear. To do so, various steps need to be taken:
- Identifying the legal basis to process personal data;
- Mapping your data processing activities;
- Updating privacy notices to GDPR requirement level;
As a non-EU based company, you should also appoint a GDPR Representative, and may have to appoint a Data Protection Officer too.
Under Article 27 of the GDPR, “where Article 3(2) applies (non-EU based companies subject to GDPR because they are conducting business within the EU or collecting data from people within the EU), the controller or the processor shall designate in writing a Representative in the Union.”
The GDPR Representative is a legal entity based in one of the EU Member States where your data subjects are located. The entity acts on behalf of your company with regard to your GDPR obligations and will be the point of contact for EU data subjects requests – in this case, patients and staff involved in EU-based clinical trials – and for cooperating with supervisory data protection authorities.
Appointing an EU-based GDPR Representative is an essential step to comply with your obligations under Article 27 of the GDPR and will facilitate your company’s access to the European market.
If you want to know more about the GDPR Representative’s role, you can visit this web page.
Data Protection Officer (DPO)
In addition to the mandatory appointment of a GDPR Representative, and regardless of whether you are a processor or a controller, you will need to appoint a DPO if your organization’s core activities involve the processing of sensitive data on a large scale – which is the case when conducting clinical trials – or involve the large-scale, regular and systematic monitoring of individuals.
The main goal of the DPO is to ensure that your organization processes personal data in accordance with applicable data protection laws. This includes informing all stakeholders of their obligations and rights under data protection laws, giving advice and recommendations on the processing activities involving personal data, compiling a register of those activities, handling requests from data subjects, conducting awareness-raising training within the company, etcetera. As one can understand, the DPO is a key actor in GDPR compliance.
And, bear in mind that the GDPR Representative and the DPO cannot be the same person.
Choose an expert partner
Conclusion? The road to GDPR compliance is a challenging one. That’s why the assistance of an expert partner is strongly recommended. At CRANIUM, we can support your organization in this matter by acting as your GDPR Representative or Data Protection Officer (DPO). If you would like to get more information on what you need to do as a life sciences company operating within the EU, do not hesitate to contact us, as we will be pleased to support and advise you in implementing a secure data protection policy.
*Note that under the GDPR, “establishment” is to be considered as a broad term, referring, among other things, to a corporate affiliate, a branch office, or the presence of a single representative. Besides, there is no requirement for this establishment to be a formal legal entity.