Ringing in the New Year? Don't Drop the Ball on GDPR Compliance

January 5, 2018 Alerts and Newsletters

Many U.S. institutions and biopharma and device companies that are engaged in international research studies may soon be subject to a new foreign privacy law, the European Union ("EU") General Data Protection Regulation or Regulation 2016/679 ("GDPR"), which takes effect on May 25, 2018. If your institution or company engages in EU research and has not yet made plans to address compliance with the GDPR, the time to act is now, as May will be here before we know it.

As a reminder, the GDPR will replace the EU's current privacy framework, Directive 95/46/EC, more commonly known as the Data Protection Directive ("Directive"). The Directive has been implemented in various ways by the EU member states, which has led to fractured and inconsistent data protection requirements across the EU (and, more broadly, the European Economic Area[1]). The GDPR will significantly harmonize data protection regulation across the EU. It will also strengthen protections for personal data and increase the penalties for noncompliance. Specifically, noncompliance may lead to administrative fines of up to 20,000,000 EUR, or in the case of an entity (referred to as an "undertaking" under the GDPR), up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The increased penalties are certainly a reason to pay attention to the GDPR even if your organization does not have a plan for compliance with the Directive. However, there are two other changes introduced by the GDPR that are particularly important for U.S. institutions and companies involved in EU research studies.

First, the GDPR's reach outside of the EU to organizations in the U.S. and elsewhere will be broader than that of the Directive. The Directive, as implemented by EU member states, generally applies to U.S. institutions and companies involved in research studies in the EU but not established there (e.g., not having an office or subsidiary there) only if the U.S. institutions and companies function as "controllers" under the Directive and, for purposes of processing personal data, make use of equipment in the EU (such as collecting data through computers located in an EU member state). In contrast, the GDPR will apply to the processing of personal data of EU data subjects by either a controller or a processor not established in the EU when the processing activities are related to (a) the offering of goods or services to data subjects in the EU or (b) the monitoring of the behavior of data subjects in the EU. A U.S. institution or company that is taking the position that it is not subject to the Directive in the context of its EU research activities because it does not make use of equipment in the EU may have a difficult time making a similar argument under the GDPR given the GDPR's expanded application to organizations outside of the EU. Either of the new criteria triggering application of the GDPR to non-EU organizations could be said to apply to most research.

Second, the definition of "personal data" under the GDPR is arguably broader than under the Directive. The Directive defines "personal data" in relevant part as "any information relating to an identified or identifiable natural person." "Identifiable person" is in turn defined as a person "who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." Although this definition of personal data under the Directive is fairly broad,[2] EU member states do not all interpret it in the same manner, such as with respect to key-coded data (i.e., data that has been stripped of all identifiers other than a code that can be used to relink the data to identifiable information). In particular, key-coded research data held by U.S. institutions and companies are not always "personal data" under all EU member states' data protection laws implementing the Directive.

However, the GDPR introduces the concept of pseudonymisation, which refers generally to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information. Importantly, the GDPR is clear that pseudonymised data that could be attributed to a person by the use of additional information are considered a type of personal data and within the scope of the GDPR. Key-coded research data would likely be considered to be pseudonymised data under the GDPR and therefore subject to the GDPR. U.S. institutions and companies that have taken the position that the Directive does not apply to their research activities because they receive only key-coded research data may no longer be able to use this argument once the GDPR takes effect.[3]
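The following is an added illustration of key-coding, not part of the original alert: it strips the direct identifiers from constructed sample research records, replaces them with a random subject code, and keeps the code-to-identity mapping in a separate key table. The field names, the sample records and the helper functions are assumptions made for the example; the point it shows is that the coded records alone cannot be attributed to a person, but anyone holding the key table can relink them, which is why such data remain personal data under the GDPR.

```python
import secrets

# Direct identifiers stripped from each record before the data leaves the
# EU site; the remaining fields are the research data that travels onward.
# (Field names are assumptions chosen for this example.)
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample input; these are not real subjects.
SAMPLE_RECORDS = [
    {"name": "Subject A", "email": "a@example.org", "site": "EU-01", "hba1c": 6.1},
    {"name": "Subject B", "email": "b@example.org", "site": "EU-01", "hba1c": 7.4},
]


def key_code(records):
    """Pseudonymise records by key-coding.

    Returns (coded_records, key_table). Coded records carry a random subject
    code plus the research fields only. The key table maps each code back to
    the stripped identifiers and is the "additional information" that should
    stay with the EU site, separate from the coded data.
    """
    coded, key_table = [], {}
    for rec in records:
        code = secrets.token_hex(4)
        while code in key_table:  # guard against the unlikely collision
            code = secrets.token_hex(4)
        key_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        research_fields = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded.append({"subject_code": code, **research_fields})
    return coded, key_table


def relink(coded_records, key_table):
    """Reattach identifiers; only possible for a holder of the key table."""
    return [{**key_table[r["subject_code"]], **r} for r in coded_records]


def is_attributable(coded_records, key_table=None):
    """True if the holder of these records can attribute them to a person.

    Without the key table, attribution requires a direct identifier to have
    survived in the data; with the key table, every code can be resolved.
    """
    if key_table is None:
        return any(k in r for r in coded_records for k in DIRECT_IDENTIFIERS)
    return all(r["subject_code"] in key_table for r in coded_records)
```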

Given these and other significant changes that are included in the GDPR, U.S. institutions and companies should analyze their involvement in research studies in the EU to determine whether the GDPR will apply to the processing of data in the context of the studies and, by extension, to the U.S. institution or company. If the GDPR will apply, steps should be taken before May 25, 2018 to address compliance, such as the following, as applicable:

  • Identify activities for which the organization is functioning as a controller or a processor of personal data within the meaning of the GDPR,
  • Determine the basis under the GDPR that permits the processing of an individual's personal data and the transfer of his/her personal data out of the EU into the U.S.,
  • Update research consent forms to include specific information required by the GDPR,
  • Revise data protection and breach reporting policies and procedures for compliance with the GDPR,
  • Amend contracts with vendors or others that process personal data on the organization's behalf if the processing is subject to the GDPR,
  • Ensure that contracts with other parties sponsoring or conducting the research (e.g., sponsor, research sites) reflect each party's role in controlling or processing personal data and appropriately allocate data protection responsibilities, within the parameters of the GDPR,
  • Determine whether a representative must be designated in the EU and if so, enter into an appropriate arrangement with such a representative, and
  • Designate a data protection officer, to the extent required by the GDPR.

Verrill Dana's Academic and Clinical Research Group and Biopharma and Medical Device Group work with institutions and companies conducting research in the EU. We can help your organization identify activities that may trigger the GDPR and help create a plan to prioritize your compliance efforts to ensure your institution or company doesn't drop the ball on GDPR compliance. For more information, contact Andrew Rusczek, Emily Fogler, or your regular Verrill Dana attorney.

[1] The European Economic Area ("EEA") consists of the 28 EU member states as well as Iceland, Liechtenstein, and Norway. The Directive applies directly to the 28 EU member states. The Directive also applies to Iceland, Liechtenstein, and Norway because, as of October 27, 2017, it has been incorporated into the Agreement on the European Economic Area ("EEA Agreement") through Annex XI. The GDPR has not yet been incorporated into the EEA Agreement, but steps have been taken to start the process of incorporation.

[2] Not only is the definition of "personal data" fairly broad as drafted under the Directive, but it has also been interpreted broadly by the main EU data protection advisory body, the Article 29 Data Protection Working Party. See, for example, the Article 29 Data Protection Working Party's guidance document, Opinion 4/2007 on the Concept of Personal Data (June 20, 2007).

[3] Of course, even under the Directive, U.S. institutions and companies that receive access to only key-coded research data could still be directly or indirectly subject to the Directive, such as if the data originates in an EU member state that treats key-coded data as "personal data" or if the U.S. institution or company acts as the controller and, for purposes of processing personal data, makes use of equipment in the EU.

___________________________________________________________________
This communication is intended for general information purposes and as a service to clients and friends of Verrill Dana, LLP. This publication, which may be considered advertising under the ethical rules of certain jurisdictions, should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor does it create attorney-client privilege.