GDPR – one year on
2 April 2019
PCMG Chairs: Olena Goloborodko and Pia Sauer Larsen
Location: Crowne Plaza Copenhagen Towers Hotel, Copenhagen, Denmark
The General Data Protection Regulation was enshrined in European law as Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The implementation date was 25 May 2018 in the EU and 6 July 2018 in the remaining EEA states.
The goals of GDPR are:
- To ensure protection of the fundamental privacy rights
- To update the privacy laws (previous directive issued more than 20 years ago)
- To unify the 28 disparate privacy laws of the EU member states
A breach of the Regulation can lead to fines of up to €20m or up to 4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
This workshop examined the implementation of GDPR one year on: how well has it been introduced within the pharmaceutical product development arena, what are the challenges, and what does the future hold?
Olena Goloborodko of PCMG and Celgene, the co-chair, introduced the workshop with a comment on the complexity of data flows during a modern, outsourced clinical trial. She described the roles of data controller and data processor, but highlighted the challenges of deciding who does what, particularly between sponsor and site, where there are multiple service providers and sub-contracts, and in real-world studies.
Jeppe Guilford Manuel of Novo Nordisk discussed the sponsor (data controller) perspective on GDPR and how to achieve compliance. He emphasised that GDPR compliance was difficult to define at present and that it was open to interpretation. Different approaches are driven by different appreciations of risk. The Novo Nordisk model was driven by their own internal risk assessment, which identified 10 key areas that were impacted by GDPR (see slide below).
Jeppe argued that companies should achieve “privacy by design”, proactively designing their processes and systems to achieve privacy from the start, rather than reacting to risks, breaches and potential breaches as they occur. The role of the Data Protection Officer is key in driving a risk-averse culture and in implementing the various control and security measures needed to ensure GDPR compliance. Sub-contracting is a particular challenge, and companies would benefit from a comprehensive risk assessment and compliance plan for each outsourced clinical trial. Sponsors should document their compliance with GDPR in their Risk Management Plan and in a Data Processing Agreement with their suppliers.
Uwe Fiedler, Chief Privacy Officer at Parexel, discussed GDPR from the CRO perspective.
Uwe works with many pharmaceutical sponsors, as well as leading Parexel’s internal implementation of GDPR. In line with the previous speaker, Uwe observed that there is no consistency in how GDPR compliance is being applied across the industry. In addition, he stressed that legal opinion and definitions around GDPR law are still being refined and that global, consistent agreements and/or consensus on the implementation of GDPR are needed. Yet the law is still evolving, for example with the European Data Protection Board and its opinion published in March 2019 concerning the legal grounds for the collection of clinical trial data, which will be enshrined in European law in 2012/2022. Issues such as the legal understanding of “anonymised” and the meaning and relevance of pseudonymisation are currently “hot topics” in the legal world of GDPR implementation.
Uwe argued that clinical trial data are “personal data” (the legal term) in the hands of investigators, but are no longer personal data once passed to sponsors, or to the sponsors’ CROs, in key-coded form. Since all data passed to sponsors are key-coded, his view is that there is no legal requirement for the informed consent obtained from trial subjects to include GDPR clauses.
Regarding sponsor obligations, GDPR Article 35(1) states that sponsor companies (data controllers) “…shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data” (in cases where there is a high risk to the rights and freedoms of trial subjects). This resonated strongly with the need for privacy by design expressed earlier by Jeppe Guilford Manuel.
Regarding data anonymisation, the European Union Agency for Network and Information Security (ENISA) recently published two GDPR compliance-related guidelines clarifying that both encryption and pseudonymisation are appropriate security- and privacy-enhancing technologies and that their use reduces the risk to data protection should data be compromised.
Uwe also addressed the definitions of data controller, joint controller and processor; the implications of GDPR for RFI and RFP exercises; the contractual clauses to be considered when incorporating GDPR into outsourcing agreements and investigator site agreements; the challenge of data protection when working with sub-contractors and niche service providers; and the reporting timelines in case of breach (“is 30 minutes practical?”). He provided some excellent, practical statements, including on the contents of the Data Processing Agreement (see slide below), but cautioned that some GDPR clauses could be interpreted as contradictory.
Contents of a Data Processing Agreement (Article 28(3) of the GDPR legislation):
- the subject-matter of the processing,
- the duration of the processing,
- the nature and purpose of the processing,
- the type of personal data,
- the categories of data subjects, and
- the obligations and rights of the controller.
Uwe recommended that a GDPR code of conduct be established across the industry to achieve consistency, and that every data controller should have a Data Protection Impact Assessment (DPIA).
What became clear is that the legislation is new and has yet to mature, and that there is inconsistency across Europe, with governments and august legal organisations differing in their interpretation of the legislation and their guidance on compliance. As a result this is an evolving area of law, with a broad and diverse range of opinions on what is required to achieve compliance, both amongst the sponsor community and among the CROs and other service providers. It was felt that this divergence would continue “for a few years” until test cases lead to judicial opinion and therefore to legal precedent that guides the interpretation and implementation of the law. Such legal precedent will help to standardise the legal requirements, harmonise the solutions and provide a common model for GDPR compliance that the industry can implement consistently.
Two very interesting comments during questioning were:
- Uwe felt the risk of a successful prosecution against a pharmaceutical sponsor was very low (in the order of 0.001%) as the industry as a whole is highly sensitive to the need for confidentiality, as enshrined within GCP.
- The greater risk was more likely to arise from inappropriate release of employee personal data than from patient personal and sensitive data.
Sabine Hansen, Lead Outsourcing Manager and Attorney at Law, Lundbeck.
Sabine Hansen described the ways in which a mid-sized pharmaceutical company had implemented GDPR within its outsourcing function. The key for Lundbeck was the status of the various parties with regard to the legal definitions of data controller and data processor. A summary of each role is given below.
Lundbeck has two ways in which it sets up clinical trials to define the data controller:
- Centralised set-up, where a central “consortium” – usually a steering committee with wide membership – is deemed to be the data controller, as it is responsible for defining the study design and has control over the inputs and outcomes. The CRO involvement from a GDPR perspective is merely to manage the contract; it does not deliver any data that has not already been anonymised. In this case the European consortium members are viewed as Data Controllers, despite the fact that they never receive any data which constitutes personal data as defined by GDPR. The Data Controllers decide which studies to perform and the study design, and therefore the means and purposes of processing the personal data. In practice a joint data controller agreement has to be signed by all consortium members, and Lundbeck enters into a separate data processing agreement with the CRO for each study, with the CRO acting as a Data Processor.
- Decentralised set-up, where the sponsor pharmaceutical company is part of the consortium and sits on a committee. But in contrast to the centralised set-up, the committee does not select the studies to be conducted and does not define the study design, and therefore does not determine the means and purposes of processing personal data. In this case there are no GDPR issues, as the pharmaceutical company is not the Data Controller.
The learning points from the Lundbeck experience were the importance of the Data Controller versus Data Processor roles in terms of GDPR obligations, the need to select the correct contract to reflect the respective Data Controller/Processor status of all parties, and the need to document a justification of the contractual set-up in terms of GDPR.
Alejandro Gené, Chief Privacy Counsel, Celgene
Alejandro stressed the importance of the legal basis of consent for the use of personal, sensitive data: “legitimate interest” for private companies, but “public interest” in public health. In either case, the consent should be discussed with the patient in a clear manner, as it has an impact on the individual’s rights, including portability, objection and consent withdrawal.
The respective roles of the parties as Data Controller or Data Processor need to be accurately reflected in a contract – who is responsible for what – since Article 28 of the GDPR legislation requires that these obligations be set down in writing.
Alejandro gave an entertaining and informative summary of the different interpretations and implementations of GDPR throughout Europe, demonstrating a very wide diversity. He concluded his presentation with a plea for increased harmonisation in GDPR implementation, with consistency on the roles of Data Processor and Data Controller, consistency on the legal basis of consent, and streamlined industry best practice agreed by the various law makers and shared with pharmaceutical companies.
From a PCMG perspective, it is clear that a diverse range of interpretations of the legislation currently exists. One consistent observation was the legal importance of defining the Data Controller and Data Processor(s) roles, and of the Data Controller having a Data Protection Officer who can drive a risk-averse culture and implement the various control and security measures needed to ensure GDPR compliance.
Sub-contracting is a particular challenge, and sponsor companies would benefit from a comprehensive risk assessment and compliance plan for each outsourced clinical trial. Sponsors should document their compliance with GDPR in their Risk Management Plan and in a Data Processing Agreement with their suppliers.
Uwe commented that the risk of pharmaceutical companies being prosecuted for lack of GDPR compliance was extremely low – “less than 0.001%” – in part because of a strong and ingrained respect for the confidentiality of clinical trial subjects, which is not so robust in other industries. However, he felt there was no cause for complacency and that we must remain vigilant in identifying best practices and rolling them out to the PCMG community.
Finally, Jeppe responded to a question from the floor, stating that there are diverse interpretations of GDPR at the moment, but that cases coming to court in future years will start to clarify the legal interpretations and give pharma and CRO parties greater clarity on what is expected of them.
The slide presentations from the workshop are available on the PCMG website at pcmg.org.uk