Adjusting To GDPR, One Year Later

June 20, 2019 | When the European Union's General Data Protection Regulation (GDPR) went into effect in May 2018, it had significant impacts on clinical trials and pharma operations in Europe. Handling personal data with increased transparency added cost and staffing needs in addition to new technical requirements.

But a year out from the regulation's launch, Mariya Pinskaya, Principal Consultant at Areva Consulting, sees a very consistent experience for trial participants, even if study teams are working harder in the background. She has also noticed a very collaborative spirit between regulators and those implementing the new requirements. "The sites understood why this was necessary—for their patients and themselves," she said.

On behalf of Clinical Informatics News, Kaitlin Kelleher spoke with Pinskaya about GDPR adjustments in the past year, and what is needed moving forward.

Editor’s note: Kaitlin Kelleher, a Conference Producer at Cambridge Healthtech Institute, is planning a track dedicated to Budgeting, Resource Management, And Outsourcing For Clinical Trials at the upcoming SCOPE Europe (Summit for Clinical Ops Executives) in Barcelona, September 18-21. Pinskaya will be speaking on the program.

Clinical Research News: What has been the biggest impact to clinical trials now that GDPR is in effect?

Mariya Pinskaya: GDPR became the adopted regulation in May of 2018, so a bit over a year now. The idea is that GDPR, which was in negotiation for about four years by various European Union committees, strengthened the rights of individuals to be better informed about their data and the use of their data and the transfer, the portability of their data. It sets out much clearer responsibilities and obligations on healthcare professionals and data users, companies who use the data in the aggregate or in other forms.

The idea behind GDPR was transparency. Some of it was security and accountability, but mostly it was transparency to those whose data is being gathered. It places a lot of obligations on the data controllers, so it's quite a hefty regulation. And in that sense, it has a large impact on the cost of clinical trials to the sponsor companies that are running these trials. Now clinical trial providers must clearly identify data that are being processed and where it's going, who's processing the data, what it's used for and make sure that everything is secure and stored properly in accordance with the regulations, so many of these are new obligations that are defined by GDPR.

The informed consent responsibility is nothing new. Sponsors are used to obtaining proper consent, but under GDPR, this is now a more stringent requirement. It has to be very clear, intelligible, easy, accessible, easily withdrawn—that's a big one—and include the notion that withdrawal doesn't necessarily give the person the right to withdraw data from the data pool. It's only new data going forward. So it's almost like giving the consent requirement a new life. It provides a lot of logistics on how any data is collected and processed. So it's great for patients. It's great for subjects, those located in the European Union, and location is primary: if a US citizen travels into the European Union, let's say with a data monitor, that data is subject to GDPR requirements.

So for the patients, they don't really feel any difference, right? They get the same form, albeit one that is clearer and now has a few additional paragraphs clearly explaining what will happen to their data after they consent. But for the clinical providers and data companies, these new regulations are quite hefty.

What operational changes are necessary to keep in line with GDPR? How are legal and operations teams working together on this?

So first and foremost, when the regulations came down, I think every company that's processing data and users—whether they're primary users or secondary users, either collectors of data or users of data—was scrambling to figure out what exactly this means. GDPR has a lot of definitions, and it's done a fairly good job defining the scope of what is intended to be covered by the regulation. But it also leaves a lot of room for interpretation for compliance. The one big thing that every company had to do was hire a data protection officer, a person who's named within their organization, who's registered with a data protection agency or authority in specified territories. And that person is the interface between the organizations and the company and is involved in case of any data breaches. That was probably the biggest hurdle, in addition to implementing systems that are regulated in such a way that securely safeguards the data that are gathered.

The critical parts of GDPR are the concepts of anonymity and pseudonymization, and those two have different requirements. One is how to de-anonymize the data so that it cannot be traced to one particular person. The other concept—pseudonymization—is defined as the processing of personal data in such a way that it also can't be attributed to a data subject without the use of additional information. So it's almost like a second level [of security], and that's also considered personal data. So now these terms are distinguished in trial protocols and the definition of personal data is broadened. To become and stay compliant, all of the agreements with vendors have to be updated, and many, many of the clinical study agreements as well.

You already mentioned that the goal of GDPR is transparency in the use of data, and we were just talking a little bit about privacy. Can you speak to how pharma companies, CROs, hospitals and other stakeholders have responded to the regulations?

When the European Union put out these regulations, there was a lot of guidance. These regs were four years in the making, so this wasn't a haphazard thing, and data privacy is something that in this day and age is taken very seriously because our lives are so digitally connected. This was a recognition on the part of regulators to say, look, this is something we're putting out there which can have lasting implications in terms of healthcare, in terms of data use and data mining, in, for example, genome research, and we really need to make sure that we inform people and properly safeguard it.

The regulators didn't put out this regulation to make it more difficult for companies to operate in the European Union; it was to embrace privacy, and they just did this in such a manner that allows companies to work towards the deadline. No fines were issued if you missed the deadline but demonstrated a good faith effort to implement compliance measures. I think the regulators were very open to making sure that if companies had questions or compliance problems, they were able to seek advice. This was a collaborative effort. The sites understood why this was necessary—for their patients and themselves. GDPR extends to primary investigators and their data, to study coordinators and their data gathered on the regulatory documents. All of those things are covered by GDPR. So everyone, I think, understood that it is necessary to have true consent for use of personal data, and safeguards were needed to ensure that it's not only during a clinical trial, where we're potentially dealing with the most vulnerable population, that those safeguards are met.

How do you see GDPR affecting future trials? Meaning how is this regulation going to shape how we plan for, conduct, and monitor clinical trials?

I think probably the most interesting area where this is going to play out is digital clinical trials—specifically monitoring at home. A patient is given a device and he or she is able to monitor their progress without going to a clinical site. And that's done through an iPad or some type of a device that transmits information. That's a very useful tool, but obviously the potential for breach and risk is much greater once you leave the secure confines of a clinical site where IT-wise and technology-wise, the systems are very well set up.

I hope that the GDPR requirements are not going to inhibit that type of progress, because we are moving toward artificial intelligence and digitalization of clinical trials, and that has huge potential to reach underserved areas, areas where there is no access to traditional suites of doctors. There are patients that could benefit from investigational medications that are simply unreachable. It will be interesting to see how it plays out in an artificial intelligence and remote clinical trial space.

Once companies determine what is a true requirement and what is a recommendation and how they, within their business model, can function and be compliant, the regulation is fluid enough to give companies the ability to comply and protect patient data at the same time.

If you could give pharma companies one parting piece of advice or statement in regard to GDPR, what would it be?

Similar to HIPAA in the United States, these regulations did not arise out of nowhere. They come out of a legitimate concern, likely in this case from the populace of European Union states. I think it's necessary to embrace regulation of this kind and work with regulators to ensure that it doesn't stall progress, but at the same time set up a system for proper use of data and protection of data derived from the most vulnerable population. My suggestion would be to embrace regulation and work with the regulators to ensure that it's proper and not overreaching.