GDPR – insight into data protection updates for clinical trials

Considering the recent Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, many companies, within or outside the European Union, are challenged to implement specific data protection requirements in their own businesses and day-to-day activity.

A lot of questions have arisen: is it necessary to implement guiding legislation within each country? Can the Regulation be applied directly, as it stands? Is it applicable only in the EU or also outside of it? Does this Regulation affect the business to the point of transforming it? Which fines will apply in case of non-compliance?

a). although EU regulations have general application and need no transposition, each country still needs a national law to implement and supplement the GDPR

GDPR is applicable across the EU, being a legal act of the European Union that becomes immediately enforceable in all member states simultaneously.

However, alongside its application, countries may need to confirm or update the laws establishing their privacy regulators and to fill in the points the GDPR expressly leaves to national law (for example the further conditions that member states may set for genetic and health data under Article 9(4), and the research derogations under Article 89). Without new laws, companies may be uncertain about the compliance and enforcement risks they face in individual EU countries. For example, in Spain, privacy is guaranteed by the Constitution; therefore, for the GDPR to be fully applicable, it is necessary to amend the organic law itself.

These differences between national legal frameworks are the reason every EU country needs a national law, so that its national privacy office is properly established and can enforce the GDPR with the powers the Regulation gives it.

b). the GDPR primarily affects organizations operating within the EU, but its reach extends beyond EU borders

GDPR significantly expands the territorial scope of EU data protection law: under Article 3(2) it also applies to controllers and processors established outside the EU when they offer goods or services to data subjects in the EU or monitor the behaviour of data subjects within the EU. Any international organization dealing with EU businesses or with the personal data of people in the EU therefore has to adopt the GDPR if it wants to remain connected to the EU market.

Even if your business has no European presence, if you are dealing with EU businesses and the personal data of subjects in the EU, you should assess your business, data collection and processing activities within the scope of the GDPR.

If your business is an international one, and especially if you have a strong internet presence, it may be better to assume that some of your customers/users may be data subjects in the EU.

c) regarding the fines

Even though the Regulation itself provides that fines can reach the higher of 20 million euros ($24.5 million) or 4 percent of a company's total worldwide annual turnover for the most serious infringements (Article 83), the way fines are applied in practice is still shaped by national legislation, for example whether public bodies can be fined at all and which penalties apply to infringements not covered by administrative fines (Article 84). To determine which fines will apply, it is important to analyze the local legislation as well.

d) implementing a new IT system

Although the GDPR speaks of storage only in general terms, a proper IT system should also enforce access rights and keep an audit trail of who accessed which data, and it has to be tailored to the domain and to the country in which it operates.

Clinical trials – impact of the GDPR

Regarding clinical trials, if the Sponsor and the clinical trial site are both considered joint controllers, the contract research organization and the investigator act as data processors. The difference between the roles is quite significant. As a processor you are obliged to comply with the GDPR requirements and may only use the data for the purpose for which it was supplied, must obtain written permission from the controller before engaging a subcontractor, must make sure the data is properly stored and protected, and must ensure that all third-party vendors comply with the GDPR requirements (Article 28).

As a joint controller, beyond what was mentioned above, we note the obligation to operate a suitable IT system for tracking compliance with privacy requirements, to control data transfers within the EU and across borders, and to provide effective data storage ensuring data protection throughout the entire life cycle, from collection by the sites as source data to reporting, archival and destruction.

In all cases, EU and national ethics committees stipulate that specific information must be provided where genetic data will be processed. By genetic data in clinical trials we refer to all samples taken from subjects or patients in order to characterize their genetic profile and to use this information to correlate sub-populations of patients responding to the treatment with a specific genetic profile. Genetic data is a special category of personal data under Article 9, so in this case all parties processing the data must ensure the transparency principles are met and keep the data subjects informed as the GDPR requires.

Even if in clinical trial reports the patient is not identified by his or her full name but rather by initials, and clinical trial results may only be disclosed after patient data anonymization, some personal information still needs to be processed, even if it is not disclosed. Note that coded or initialled data is pseudonymised, not anonymous: it remains personal data under the GDPR for as long as the key linking it back to the patient exists. Which information must be processed can be country specific, based on the local ethics committees' provisions.

With respect to processing patient data, patients should be informed about the scope of the data processing and have their rights of access, rectification, erasure, etc., as regulated by Chapter III of the GDPR, explained to them, in order to obtain their clear consent to the processing of their data while ensuring the transparency and controller principles. Keep in mind that the informed consent to take part in the trial and consent as a legal basis for processing under the GDPR are two different things: GDPR consent must be freely given and can be withdrawn at any time, so Sponsors should also identify the other legal bases in Articles 6 and 9 on which the processing of trial data may rest.

Where the Sponsor, the data subject or other vendors involved in the clinical trial are outside the EEA (European Economic Area) and a transfer of personal data is necessary to fulfil the scope of the study, the transfer must satisfy Chapter V of the GDPR: preferably an adequacy decision or appropriate safeguards such as standard contractual clauses, with the explicit consent of the data subject (Article 49) being a derogation that should be collected expressly when no such safeguard is available.

For clinical research projects not based on informed consent (for example, observational studies), the Sponsor must apply appropriate safeguards proportionate to the risks to the data subjects (Article 89), which may imply de-identification of the data.

As far as data storage is concerned, a proper IT system should be used or developed in order to enhance tracking. It has to include access rights control, data encryption, redundant storage media and servers that ensure availability and continuity of service, a backup strategy for rapid recovery after any physical or technical incident, constant monitoring of production servers, penetration testing and vulnerability scanning, etc. These are the kind of technical and organizational measures that Article 32 expects to be proportionate to the risk of the processing.
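As an added example, not code from the original post or from any sponsor's system, the following Python script shows three of the controls listed above working together on a subject record: pseudonymisation of the source data (keyed with an HMAC so the subject code cannot be recomputed from guessed identifiers), role-based field access, and an access trail that records refused as well as permitted reads. The trial identifier, the roles, the secret key and the sample record are all constructed for the demonstration; encryption at rest is left to a real library and is not shown.

```python
"""Added example: pseudonymised subject store with role-based access and an
access trail. Not the page's or any sponsor's code; all names, roles, the key
and the sample record are constructed for illustration."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Direct identifiers that must never reach the research copy of a record.
DIRECT_IDENTIFIERS = ("date_of_birth", "name", "national_id")

# Fields each role may read. None means the full source record (the site
# investigator). Constructed role model, not a regulatory requirement.
ROLE_FIELDS = {
    "investigator": None,
    "monitor": frozenset({"subject_code", "visit", "adverse_events"}),
    "statistician": frozenset({"subject_code", "visit", "genotype", "response"}),
}


def pseudonymise(record, trial_id, key):
    """Split a source record into (research copy, key-table entry).

    The subject code is an HMAC over the identifiers: stable for the same
    person within one trial, but not recomputable without the key (a plain
    hash of a name or birth date could be brute-forced). The research copy
    stays personal data under the GDPR while the key table exists.
    """
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    message = trial_id.encode() + b"\x00" + json.dumps(identity, sort_keys=True).encode()
    digest = hmac.new(key, message, hashlib.sha256).hexdigest()
    subject_code = f"{trial_id}-{digest[:12]}"
    research = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    research["subject_code"] = subject_code
    return research, {"subject_code": subject_code, **identity}


class SubjectStore:
    """Keeps research copies and the key table apart and logs every access."""

    def __init__(self, trial_id, key):
        self.trial_id = trial_id
        self._key = key
        self._research = {}   # subject_code -> research copy
        self._key_table = {}  # subject_code -> direct identifiers
        self.access_log = []  # append-only trail; forward to a SIEM in practice

    def add(self, record):
        research, entry = pseudonymise(record, self.trial_id, self._key)
        code = research["subject_code"]
        self._research[code] = research
        self._key_table[code] = entry
        return code

    def _log(self, user, role, action, code, purpose, allowed):
        self.access_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "role": role, "action": action, "subject_code": code,
            "purpose": purpose, "allowed": allowed,
        })

    def read(self, code, user, role, purpose):
        """Return only the fields the role may see; refusals are logged too."""
        if role not in ROLE_FIELDS or code not in self._research:
            self._log(user, role, "read", code, purpose, False)
            raise PermissionError(f"{role!r} may not read {code}")
        self._log(user, role, "read", code, purpose, True)
        allowed = ROLE_FIELDS[role]
        record = self._research[code]
        if allowed is None:
            return {**record, **self._key_table[code]}
        return {k: v for k, v in record.items() if k in allowed}

    def reidentify(self, code, user, role, purpose):
        """Consult the key table; only the investigator role may do so."""
        ok = role == "investigator" and code in self._key_table
        self._log(user, role, "reidentify", code, purpose, ok)
        if not ok:
            raise PermissionError(f"{role!r} may not re-identify {code}")
        return dict(self._key_table[code])


# Constructed sample source record.
SOURCE_RECORD = {
    "name": "Jane Example", "date_of_birth": "1970-01-01", "national_id": "X000000",
    "visit": 3, "adverse_events": ["headache"], "genotype": "CYP2D6*4/*4",
    "response": "partial",
}
DEMO_KEY = b"constructed-secret-keep-in-an-HSM"  # constructed; never hard-code in production


def demo():
    store = SubjectStore("TRIAL-0001", DEMO_KEY)
    code = store.add(SOURCE_RECORD)
    stats_view = store.read(code, "ana", "statistician", "interim analysis")
    monitor_view = store.read(code, "bob", "monitor", "source data verification")
    return store, code, stats_view, monitor_view


if __name__ == "__main__":
    store, code, stats_view, monitor_view = demo()
    print(code, stats_view, monitor_view, len(store.access_log), sep="\n")
```

The point of keeping the key table in a separate structure with its own access rule is that the research copy can be handed to statisticians and vendors while the controller alone holds the link back to the patient; the trail is what a monitor or auditor would later review to confirm that re-identification happened only for a documented purpose.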

When it comes to reimbursing patients for the cost of participating in clinical trials, Regulation (EU) No 536/2014 accepts the reimbursement of travel and accommodation costs in accordance with national legislation. These operations can be done by third-party vendors or clinical institutions. The type of informed consent needed is regulated at national level, read together with Regulations 536/2014 and 2016/679. In some cases the different types of consent must be approved in advance by local ethics committees; in others, only by Sponsors, who must warrant the legality and compliance of all privacy provisions.

If we have raised your interest, and you’ve realized that your business needs a much deeper reflection on GDPR and its national and domain implications, you may contact us at contact@ctafocus.com.
