The General Data Protection Regulation (GDPR) entered into force on 25 May 2018 and, in the absence of any transition period, companies are now expected to be in full compliance with the new requirements. However, with key guidance from regulators only recently released or still in progress, and national implementing legislation enacted at the eleventh hour, developing a GDPR-compliant approach to consent in the context of clinical trials remains an ongoing project. This post reviews the guidance available to date.
The General Data Protection Regulation (GDPR) (EU) 2016/679 comes into force on 25 May 2018. It is a substantial change to the EU’s data protection regime, and non-compliance may lead to heavy fines. On the eve of implementation, Arnold & Porter’s Future Pharma Forum invites you to a roundtable discussion on how life will differ under the new legislation, and key issues that in-house lawyers should be aware of.
- A refresher on the GDPR, what it covers and how it applies to life sciences companies
- An overview of latest guidance and developments in the run up to implementation
- Discussion of current hot topics / open questions for the life sciences sector
The new General Data Protection Regulation 2016/679/EU (GDPR), which will apply throughout the EU from 25 May 2018, has strengthened the protection of individuals’ personal data. Data subjects have new rights to help ensure their data are processed securely and with adequate protections (such as the right to erasure of personal data—the “right to be forgotten”—and to data portability), and there are clearer responsibilities and obligations placed on companies using such data (such as the need to appoint a data protection officer and to carry out a data protection impact assessment). Penalties are also substantial: national regulators will have the power to impose fines of up to €20 million or four percent annual global turnover, whichever is the higher.
How these strengthened rights fit with other sector-specific legislation where large quantities of data are collected and processed, such as clinical trials, is currently unclear. Added to this, there are no transitional rules governing how data currently held and being collected will be dealt with once the GDPR becomes applicable. Our recent article discusses some of the implications for clinical trials, focusing on the changes that affect the collection of data from data subjects, and their rights under the GDPR. It is clear that all organisations should consider their processes in light of the GDPR, and understand the remit of their compliance responsibilities, particularly for trials and data processing that have already started.