The new General Data Protection Regulation 2016/679/EU (GDPR), which will apply throughout the EU from 25 May 2018, has strengthened the protection of individuals’ personal data. Data subjects have new rights to help ensure their data are processed securely and with adequate protections (such as the right to erasure of personal data—the “right to be forgotten”—and to data portability), and there are clearer responsibilities and obligations placed on companies using such data (such as the need to appoint a data protection officer and to carry out a data protection impact assessment). Penalties are also substantial: national regulators will have the power to impose fines of up to €20 million or four percent of annual global turnover, whichever is the higher.
How these strengthened rights fit with other sector-specific legislation where large quantities of data are collected and processed, such as clinical trials, is currently unclear. Added to this, there are no transitional rules governing how data currently held and being collected will be dealt with once the GDPR becomes applicable. Our recent article discusses some of the implications for clinical trials, focusing on the changes that affect the collection of data from data subjects, and their rights under the GDPR. It is clear that all organisations should consider their processes in light of the GDPR, and understand the remit of their compliance responsibilities, particularly for trials and data processing that have already started.