By Ed Miseta, Chief Editor, Clinical Leader
A survey of top corporate data protection challenges has found only 6 percent of companies are prepared to be compliant with the EU’s General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. The Compliance, Governance, and Oversight Council (CGOC) released the results of the survey, which gathered responses from 132 compliance officers at organizations around the world and across multiple industries.
GDPR is a growing concern for companies in the life sciences industry. A session at DIA’s annual meeting in Chicago in June 2017 brought the issue to the attention of many pharma executives in the audience. Violations of the regulation can result in a penalty of €20 million or 4 percent of worldwide revenue.
Susan Shelby, Sr. VP of clinical operations for clinical research organization Biomedical Systems, told Clinical Leader in June that GDPR “is a critical topic for the pharma industry.” She noted the regulation will have a significant impact on the industry and that companies are not prepared for it, and not enough people are discussing it. Little seems to have changed since then.
Changes Present Challenges
There are three key changes under the regulation. They are:
1. Increased Territorial Scope
GDPR applies to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data processing “in context of an establishment,” a topic that has arisen in a number of high-profile court cases. GDPR makes the applicability clear by noting the rules apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
2. Increased Penalties
As noted earlier, organizations in breach of GDPR can be fined up to 4 percent of annual global revenue or €20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data.
3. Improved Patient Consent
The conditions for consent have been strengthened, and companies will no longer be able to use long, illegible terms and conditions full of legal jargon. Under GDPR, the request for consent must be given in an intelligible and easily accessible form, with the purpose of data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided using clear and plain language. Additionally, GDPR stipulates that it must be as easy to withdraw consent as it is to give it.
Of particular concern to Shelby is the transmission of so-called “non-CRF data.” This is the data from EEGs (electroencephalograms), pathology slides, ECGs (electrocardiograms), echocardiography data, imaging data, and specialty laboratory data. These data typically are not directly input into the eCRF, but are sent out for expert analysis. They contain sensitive data necessary to the scientific value of the study. Compliance in these situations will involve hospitals, medical device companies, and software vendors identifying methods. Therefore, simple redaction of data may not always be the correct solution.
Why The Concern?
The CGOC study presents sufficient reason for concern. Of the 132 compliance officers responding to the survey, only six percent felt their organizations are currently compliant with the impending regulation. Most expressed concern over their organization’s poor data disposal practices and ability to demonstrate compliance with the regulation. The news may be surprising to some, considering most organizations have known about the coming changes for the last couple of years. CGOC notes the organizations that have yet to begin a GDPR-readiness program are likely to face an even bigger surprise next year as they scramble through a painful, disruptive, and costly effort to get in compliance.
Other key findings of the report also raise concerns.
- 34 percent of executives noted they will sometimes let operational and cost concerns override compliance and data protection regulations.
- Only 57 percent of organizations train staff on data protection compliance, with 25 percent noting they perform regular training and audits.
- Half of all respondents identify internal staff and practices as the biggest security threat, versus 38 percent who identified external hackers. Poorly classified content was the third highest concern.
- Although 85 percent of respondents say fine-tuning a defensible disposal program will benefit data protection initiatives, 40 percent noted they have not even started one.
For pharma companies and CROs needing to get in compliance, time is running out. Shelby even wonders how companies operating in the EU will continue to conduct clinical trials. She believes GDPR will make it difficult for companies to get the required data and to share it holistically with the researchers who need to interpret it.
Peter Alterman, COO of the SAFE-BioPharma Association, believes there is still a lack of coverage in the pharma industry regarding the regulation, which has also created confusion for the companies that will be impacted. He believes credentials and trusted identity will be one possible solution for companies. “It’s all about a trust information structure that starts with the credential issuer and ends with the application relying on the credentials,” he states.
For now, time is running out. Shelby hopes there will be more discussions by industry think-tanks that will include participation by FDA, EMA, EU, and stakeholders such as sponsors, hardware/software vendors, CROs, and sites.
“Eventually, someone has to explain what’s acceptable and what isn’t,” insists Shelby. “If we do not take that first step, eventually we will have non-attorneys trying to interpret the regulation. Those folks, in an attempt to comply and avoid fines, may institute procedures that are overly strict and impact scientific results. People who will have to live by this regulation need to know what is required. One solution would be to delay the implementation of the regulation for at least a year. There are issues that have to be ironed out, and I see this discussion going on for a long time.”