The newest iteration of one of the trickiest privacy laws, the European Union’s General Data Protection Regulation (the GDPR), was adopted in April 2016 and became enforceable on May 25, 2018. Leading up to that deadline, much of the industry went through the five stages of grief, from denial to acceptance:
- Denial: “It is not real,” said many executives, until:
- They saw a 22% increase in violations in Q4* from the UK alone.
- They realized that they could be held accountable.
- They noticed that the size of the penalty was going to hit their bottom line.
- Anger: “Can they do that?” Consider this the backlash against the industry’s indiscretions of the 1990s, a time when we thought we owned the data.
- Bargaining: This actually worked, in that there are two carve-outs, for research and for law enforcement; more on these later.
- Depression: Perhaps this is why many started their frantic conversion in Q4 2017 and not any sooner.
- Acceptance: Implementations range from partly to fully incomplete across the industry; many addressed it on the marketing side and not the clinical side.
Even though many companies spent Q4 2017 and Q1 2018 preparing for and implementing their GDPR policies and cleaning up databases, only now are individuals seriously taking steps to protect their rights.
The precursor to the GDPR, the Right to be Forgotten, was established by the Court of Justice of the EU in the 2014 Google Spain ruling. Since then Google, for example, has received requests to delist more than 2.4 million URLs, and as of February 2018 had complied with fewer than half of them. Immediately after the GDPR became enforceable, complaints were filed against both Google and Facebook; three days later the fines being sought had climbed to $8.8B in total.
First an overview of GDPR
Effective May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) implemented a number of changes to privacy law in the European Economic Area (EEA). There are certain situations in which GDPR may affect the research-related activities of U.S.-based entities, including companies, academic medical centers (AMCs), universities, and other research organizations.
GDPR compliance will be especially relevant to Institutional Review Boards (IRBs) and Ethics Committees (ECs), which are charged with ensuring the ethical conduct of research, one dimension of which is respect for the privacy of subjects and the confidentiality of data. GDPR superseded the prior EU Data Protection Directive (Directive 95/46/EC, “the Directive”), which was adopted in 1995.
The Directive and the GDPR apply in the 28 EU member states and the 3 additional countries (Iceland, Liechtenstein and Norway) that together make up the EEA; the United Kingdom is preparing for GDPR implementation despite Brexit. As a regulation under EU law, the GDPR applies directly across all of the EEA’s member states, unlike the Directive, which supplied general principles that each member state had to implement in its own national legislation.
What does it mean for Research
The GDPR singles out special categories of personal data for extra protection rather than exempting them: racial or ethnic origin, data concerning health, data concerning a natural person’s sex life or sexual orientation, genetic data, biometric data used for the purpose of uniquely identifying an individual, political opinions, religious or philosophical beliefs, and trade union membership. Separately, the right to erasure does not apply where processing is necessary for: exercising the right of freedom of expression; compliance with a legal obligation that requires processing under Union or member state law; reasons of public interest in the area of public health; scientific or historical research purposes, in so far as erasure is likely to render impossible or seriously impair the achievement of the research objectives; or the establishment, exercise or defense of legal claims.
While the allowances for law enforcement and research are a respite for the clinical trials industry, there are complications. The nuance surfaces in cases where a request for erasure is received after an informed consent has been signed. In other words, can an individual permanently give up a right that they did not have at the time of signing? If the consent form does not specifically cite that right and its waiver, what happens? What if we go back and ask for a revised consent to cover it, and the patient now refuses? This is a puzzle for the IRBs and legal experts to work through, but as executives ultimately responsible for honoring the GDPR, we should err on the side of being conservative.
So it pays to be prepared to remove all references to a patient from all of our databases. According to the PAREXEL Bio/Pharma Sourcebook, a typical CRO uses on average 32 to 40 different systems during the conduct of a clinical trial. This means there will be traces of a patient’s information in some 30 or so different databases. Some will be housed on the CRO’s own servers, and the rest will be somewhere in the cloud, in various vendors’ proprietary databases.
Preparing your systems and planning
In order to prepare systems and identify the fields that contain private data, organizations must take into account, in the words of Recital 26, “all the means reasonably likely to be used, either by the controller or by another person, to identify the natural person directly or indirectly.” A field that is harmless on its own (postal code, sex, year of birth) can still identify someone in combination, so the inventory has to cover quasi-identifiers, not just names and contact details.
Of course, many of the systems used in clinical data collection and management were never equipped to track such data at the granularity the GDPR requires. So data architects now face a daunting choice: match every record from every system by hand, or use an intelligent interoperability middleware that already knows where each field went.
Interoperability platform to the rescue
Employing an intelligent middleware or an interoperability platform that is tailored to clinical data management has many advantages:
- Relationships between data from disparate systems are stored within the interoperability platform, without cluttering the EDC, CTMS, EMR, safety and other systems
- Since the interoperability platform is privy to every transaction, it can track the source and destination of each data field
- It can maintain a record of PHI, PCI or any other personally identifiable information that may be within scope of the GDPR
Armed with all the above, a well designed and implemented interoperability platform is ideal for “threading the needle” through all the disparate systems within an enterprise to find and remove an individual’s sensitive information.
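The following is an added example, not code from Adaptive Clinical Systems or from the eClinical Bus, showing the minimum a bus-style middleware has to keep to do what the list above describes: a per-subject lineage registry populated from each message it relays, a Recital 26 style identifiability check, and an erasure planner that emits one action per downstream record. System names, record ids, the field classification and the "two quasi-identifiers" threshold are all assumptions made for the example; the sample traffic is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed field classification for this example. Recital 26 asks what means are
# "reasonably likely to be used" to identify a person, so tune this per study.
DIRECT_IDENTIFIERS = frozenset({"name", "email", "phone", "mrn", "dob"})
QUASI_IDENTIFIERS = frozenset({"zip", "sex", "birth_year", "site_id"})


def is_identifiable(payload: dict) -> bool:
    """A record is in scope if it carries a direct identifier, or enough
    quasi-identifiers to single someone out (the threshold of 2 is an assumption)."""
    keys = set(payload)
    return bool(keys & DIRECT_IDENTIFIERS) or len(keys & QUASI_IDENTIFIERS) >= 2


@dataclass(frozen=True)
class Trace:
    system: str        # hypothetical system label, e.g. "EDC", "CTMS", "SAFETY"
    record_id: str     # the record's id inside that system
    fields: frozenset  # identifying fields that record holds
    locked: bool       # part of a locked/analysed dataset (research exception)


class LineageRegistry:
    """What the bus remembers about every subject-bearing message it relays."""

    def __init__(self):
        self._traces = defaultdict(set)   # subject_key -> {Trace}

    def observe(self, subject_key, system, record_id, payload, locked=False):
        """Called by the bus for each endpoint a message touches. Returns True
        if the record was indexed as holding identifying data."""
        if not is_identifiable(payload):
            return False
        fields = frozenset(set(payload) & (DIRECT_IDENTIFIERS | QUASI_IDENTIFIERS))
        self._traces[subject_key].add(Trace(system, record_id, fields, locked))
        return True

    def systems_holding(self, subject_key):
        """Every system that received identifying data for this subject."""
        return sorted({t.system for t in self._traces.get(subject_key, ())})

    def plan_erasure(self, subject_key, research_exception=False):
        """One action per trace, in a stable order. When the Art. 17(3)(d)
        research exception is invoked, locked records are pseudonymised (direct
        identifiers stripped, quasi-identifiers kept); everything else is deleted."""
        plan = []
        traces = sorted(self._traces.get(subject_key, ()),
                        key=lambda t: (t.system, t.record_id))
        for t in traces:
            if t.locked and research_exception:
                plan.append(("pseudonymise", t.system, t.record_id,
                             sorted(t.fields & DIRECT_IDENTIFIERS)))
            else:
                plan.append(("delete", t.system, t.record_id, sorted(t.fields)))
        return plan


def build_sample_registry():
    """Constructed sample traffic for one subject across four systems."""
    reg = LineageRegistry()
    demo = {"name": "A. Example", "dob": "1970-01-01", "zip": "08002", "sex": "F"}
    reg.observe("SUBJ-001", "EDC", "edc-4711", demo)
    reg.observe("SUBJ-001", "CTMS", "ctms-88", {"name": "A. Example", "site_id": "S12"})
    # Adverse-event record already part of a locked safety dataset.
    reg.observe("SUBJ-001", "SAFETY", "ae-9",
                {"dob": "1970-01-01", "sex": "F", "site_id": "S12"}, locked=True)
    # Lab value keyed only by an internal id: not identifying on its own, so not indexed.
    reg.observe("SUBJ-001", "LAB", "lab-1", {"hgb": 13.1})
    return reg


if __name__ == "__main__":
    registry = build_sample_registry()
    print("systems holding SUBJ-001:", registry.systems_holding("SUBJ-001"))
    for action in registry.plan_erasure("SUBJ-001", research_exception=True):
        print(action)
```

The point of keeping `locked` on the trace rather than deciding at erasure time is that the exception is a property of the dataset, not of the request: the planner can show an IRB exactly which records it proposes to keep and which identifiers it will strip from them, and the same plan can be re-run in full-delete mode if the exception is not upheld.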
About the Adaptive eClinical Bus
The award-winning Adaptive eClinical Bus software includes “connectors” for many leading clinical trial software tools from well-known vendors such as Omnicomm, Medidata, BioClinica, and Clinical Conductor to open source clinical trial tools such as OpenClinica and Clinovo. Connectors can also leverage internally-developed and proprietary systems and help customers retain their competitive edge. Adaptive Clinical’s eClinical Bus® can easily integrate technology into an interoperable, efficient, and accurate clinical trials system that streamlines processes and improves data reliability and offers the freedom to choose the best eClinical tools of any third-party or proprietary systems while enjoying all the benefits of a fully integrated system. For more information, go to adaptive-clinical.com, email [email protected] or call 856-452-0864.
Sina Adibi is the CEO of Adaptive Clinical Systems and a veteran of Pharma and Health IT industry.
About Adaptive Clinical Systems
Adaptive Clinical Systems offers a unique, simple, secure, validated, compliant, and cost-effective innovative solution for clinical data integration and interoperability. The cloud-based innovative Adaptive eClinical Bus® solution integrates clinical study data from multiple systems and platforms — EDC, eCOA, CTMS, Medical Imaging, IRT, analytical/data visualization systems and others — to ensure accurate and efficient transfer of clinical data for any study of any complexity while going well beyond simple and difficult to scale integration to full, real-time interoperability.