What is the GDPR and Will it Affect Pharma Companies?

May 30, 2018

The General Data Protection Regulation (GDPR) is a European Union (EU) law that went into effect on May 25, 2018. The law impacts companies that process EU citizens data in any way, including companies not located in the EU. The main goal of the GDPR is to strengthen and unify data protection for all individuals, especially in the face of cybersecurity threats.Pharma companies should be prepared to protect and manage all personal data stored regarding employees, suppliers, clinical trial subjects and consumers. Complying with GDPR reduces the risk of legal action from individuals whose personal data may be breached. Personal data to be secured includes:

  • Data held in consumer/management systems
  • Patient databases
  • Employee HR files such as addresses (including email addresses)
  • Banking/payment card data
  • Birth dates
  • Medical records/medical screening forms
  • Questionnaires
  • Medical consent forms
  • Consumer contact/communications records
  • Supplier personnel data

GDPR Affects Clinical Trials

De-identification and anonymization of clinical data are necessary for data collected via electronic case report forms. De-identification involves removing/redaction or recoding health information that could identify an individual such as patient identifiers, free text verbatim terms or references to dates. Data anonymization involves destroying all links between the de-identified datasets and the original datasets.The transmission of non-case report form data is also of concern under the new law. This includes data that comes from labs as well as imaging and other devices. In this case, sensitive data may be sent out for additional analysis and may require more than just simple redaction.Mandatory data breach reporting is one of the most important GDPR rules impacting the healthcare industry. The law requires that data breaches be reported to a data protection regulator within 72 hours. The individuals affected must also be notified of the breach. The healthcare industry must have clear, practical, and effective implementation procedures in place that can be acted upon immediately in order to meet these requirements.

Items Prohibited Under the GDPR

Both corporations and individuals are no longer allowed to process a person's data to reveal an individual's race or ethnicity or use genetic or biometric data to uniquely identify a person. Additionally, it is illegal to process data concerning someone’s general health, sex life, or sexual orientation.

Consent is Required Under the GDPR

In order for a company to begin processing someone’s personal data, clear consent must be given. In the past, consent was assumed by silence, pre-selected boxes, or inactivity. Now, it must be collected via a separate form outside of other terms and conditions. Within the healthcare industry, the GDPR requires 'explicit' consent. While there is no specific determination between 'consent' and 'explicit consent' within the GDPR documentation, for healthcare purposes, it is likely to require the most obvious and strongest forms of consent such as a checked boxed in agreement or a declaratory statement. Pharmaceutical companies collect a large amount of personal data including subject data from clinical trials. Consent is one of the biggest challenges facing pharma companies. Article 9 of the GDPR requires specific consent for sensitive personal data which includes genetic data, biometric data, and data revealing ethnic origin.Complying with the new EU GDPR law is essential to pharma and healthcare companies. For more details, visit: https://www.eugdpr.org/.