Making Sense of GDPR in Human Trials

The General Data Protection Regulation (GDPR) came into effect on May 25th, 2018. This new framework replaced the European Union (EU) Data Protection Directive (1995). When we talk about personal data, we hear the term GDPR thrown around a lot. In the context of research involving human participants, GDPR becomes crucial, especially when not just names, addresses and phone numbers are stored, but often very sensitive data like disease diagnoses, blood results and genetic information. If you're working in human clinical research with human participants collecting personal information, here's what you need to know.

‍

Where does GDPR apply?

‍

GDPR is enforced in the European Union (EU) including all 27 member states, and, 3 non-EU states (Liechtenstein, Iceland, and Norway) which together comprise the European Economic Area (EEA). This more recently excludes the United Kingdom which departed from the EU in 2020. While enforceability of GDPR lies within these territories (excluding the UK per se), any country operating and working with citizens or participants in the EEA should adhere to GDPR.

‍

However, according to the Information Commissioners Office (ICO) in the UK, GDPR still operates as a regulatory framework in the UK as "UK GDPR" post-Brexit.

‍

"The EU GDPR may still apply to you if you operate in the EEA, offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA."- ICO, UK

‍

If you're processing any information of an EEA citizen while they are in the EEA, then you will be subject to GDPR. If the subject is from the EEA but is outside of the EEA whilst the data is being processed, this is not subject to GDPR. Similarly, any processing of non-EEA citizens is not subject to GDPR.

‍

‍

What data is subject to GDPR?

‍

Personal data: what is it? This includes any information related to an identified or identifiable natural person, such as names, identification numbers, location data, and online identifiers. While that list still seems slightly vague, if any information can be tracked back to an individual, it is considered personal data. Email addresses and, phone number, for example, can be traced to a person. In fact, many email addresses will contain names of the users themselves.

‍

‍

Clinical Trials and Anonymised Data

‍

As part of good clinical practice (GCP), data should be anonymized where possible. This also includes pseudoanonymization (for example, using initials only). In this instance, the data could not be traced back to an individual and is not subject to GDPR, however, any additionally identifiers which can be used to identify participants as part of an unblinding process come under GDPR.

‍

In addition to this personal data, special categories of personal data need additional considerations. These become particularly pertinent to clinical research in more unique populations of participants. In later phase trials where interventions are tested in large cohorts of people, metadata and subgroups (including ethnic or racial minority groups and individuals who carry certain genetic factors) come into play. These include:

‍

• Racial or ethnic origin
• Physical or mental health data
• Political opinions
• Sex life and sexual orientation
• Religious or philosophical beliefs
• Genetic and biometric data
• Trade union membership

‍

The protected characteristics require consent to collect and must not be processed and linked to an identifiable person unless specific conditions are met. One example could include when it is in the public interest to reveal such data.

‍

‍

Controlling and Processing

‍

The terms data "controlling" and data "processing" often confuse people who are not working regularly with data. Key differentiations are that the controllers are typically organisations, companies, agencies or sponsors who decide "what is" to be collected, and, what will be done with this data. Confusingly, data processors are the individuals responsible for "processing" the data. This can mean numerous things, including collecting the data, storing it, modifying it, validating it and so on. It is possible for any party to act as both controller and processor and any additional company, collaborator, vendor, service or provider who can carry out any processing 'actions' becomes a processor. An example of this might include automated systems which are conducting commands on the controller's behalf.

‍

‍

Non-compliance? What are the penalties?

‍

Whether intentional or not, data might be processed improperly, and in the event of a data breach - especially of non-encrypted data- such data might become publicly available. The type of penalty should be proportionate to the severity of the breach or case of non-compliance. Fines should also be effective and dissuasive. For very severe violations, Article 83(5) GDPR states that the fine framework could be up to 20 million euros, or, 4% of an organisations total global turnover of the preceding fiscal year (whichever happens to be higher).

‍

Personal data can be highly sensitive and protecting participants rights is critical. GDPR is an effective tool to help police good working practices and to prevent widespread unethical misuse of personal data. Is it worth it? The risk to data, personal and participant freedom, financial and reputational damage is enormous and GDPR should not be ignored. Ask yourself if you are up-to-scratch on your practices and always seek legal or regulatory council if you have any doubts. GDPR documentation can be reviewed online here.