GDPR and the life sciences industry
The General Data Protection Regulation (GDPR) is an EU data privacy and security law that seeks to ensure the fair and proper use of people's personal information by regulating how businesses process personal data. Post-Brexit, the GDPR has been retained in UK law as the UK GDPR[1].
The GDPR may apply to organisations regardless of their geographic location if they process personal data relating to data subjects in the EU, or in the UK for the purposes of the UK GDPR. Organisations subject to the GDPR are broadly required to comply with seven overarching principles, which are intended to embody the general spirit of the legislation.
More specifically, the GDPR imposes separate obligations on controllers (those who determine the purposes and means of processing personal data) and processors (those responsible for processing personal data on behalf of a controller). Additionally, the GDPR grants certain rights to data subjects, and organisations must therefore be aware of how they are required to respond to the exercise of such rights.
Organisations should endeavour to comply with the GDPR as fully as possible, as failure to do so can carry a fine of up to £17.5m in the UK and €20m in the EU, or 4% of total worldwide annual turnover, whichever is the greater.
GDPR and the life sciences industry
The GDPR has had a fundamental impact on the life sciences industry. Pharmaceutical and biotechnology organisations frequently make use of personal data and should therefore be aware of their obligations under the GDPR in order to avoid any regulatory “trip wires”. Businesses in the life sciences sector should consider how the GDPR may impact upon:
- Their ability to process data
- Medical research
- Other regulatory obligations
The ability to process personal data
In order to process personal data in compliance with the GDPR, organisations must first identify a valid lawful ground. There are six lawful bases for processing set out in the GDPR, and the most appropriate ground will be determined by the specific nature of the processing being carried out. Further, where any “special category” data is being processed (e.g. health or biometric data), organisations need both to identify a lawful basis for general processing and to satisfy an additional condition, due to the particularly sensitive nature of special category data.
Medical research
A key area involving significant data processing for life sciences companies is medical research. Organisations involved in this area therefore need to ensure that any processing of personal data complies with the seven principles of the GDPR, namely: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It should, however, be noted that certain principles apply more flexibly where scientific research is being carried out. For example, data can be stored for longer than would otherwise be permissible under the storage limitation principle, provided that appropriate safeguards are in place.
Life sciences businesses should also be aware that the rights which individuals have under the GDPR may have implications for medical research. For example, individuals have a right to have their personal data erased in certain circumstances, which could extend to research data. However, the GDPR does provide an exemption from the right of erasure of personal data for scientific research purposes, insofar as the right of erasure is likely to impair or render impossible the achievement of the research objectives.
Other regulatory obligations
Given the highly regulated nature of the life sciences industry, it is common for organisations’ obligations under the GDPR to overlap with their other regulatory obligations. Most commonly, we see overlaps in relation to clinical trials and pharmacovigilance.
Clinical trials
Whereas the GDPR seeks to protect individuals with regard to the processing of personal data, the Clinical Trials Regulations (CTR) aim to further harmonise the rules for conducting clinical trials throughout the EU. Notwithstanding the data protection provisions set out in the CTR, the European Data Protection Board (EDPB) has confirmed that compliance with the CTR does not justify any derogation from GDPR standards. The EDPB has particularly emphasised that “informed consent” provided under the CTR to participate in a clinical trial is not the same as consent to process personal data under the EU GDPR. Even where giving informed consent under the CTR is possible, an imbalance of power between the participant and the sponsor/investigator may mean that consent cannot be “freely given”, as required by the GDPR.
Organisations should therefore be careful not to assume that compliance with the CTR will guarantee compliance with the GDPR.
Pharmacovigilance
EU pharmacovigilance legislation requires organisations to report the effects of drugs once they have been licensed for use. The pharmacovigilance legislation provides that it shall apply “without prejudice to” the data protection laws (i.e. the EU GDPR), and therefore the EU GDPR will continue to apply in addition to any pharmacovigilance obligations.
[1] Unless specified otherwise, references in this section to the GDPR encompass both the GDPR and the UK GDPR.