The GDPR deadline has passed, yet many life sciences companies are still unsure if they’re in compliance. It's generated a lot of questions, especially from our smaller to mid-sized biopharma members who may not have as many resources dedicated to this. Ahead of our July 31st forum on GDPR, our Director of Communications, Jennifer Nason, sat down with Kendalle Burlin O’Connell, Vice President of Member Services and General Counsel, to answer some commonly asked questions.
Jennifer: Take a step back – what exactly is GDPR?
Kendalle: GDPR stands for General Data Protection Regulation, which became the primary law for regulating how companies protect European Union citizens’ personal data on May 25, 2018, replacing the Data Protection Directive of 1995. While the earlier law only applied to organizations physically based in one or more EU states, the new law goes even farther, affecting any organization, regardless of whether they have an EU presence, that controls, processes or monitors data on EU residents. GDPR is, in effect, raising the bar globally for how companies must protect user data, and will undoubtedly impact companies across the globe.
Jennifer: What kind of data does this apply to?
Kendalle: The definition for what constitutes personal data is extremely broad, as GDPR applies to “any information relating to an identified or identifiable natural person,” and includes common information like name, address, email, location data, IP address and Social Security numbers. However, it also applies to data a person creates or writes, such as social media posts or photos, or data that may be used to classify someone, like race, health, sexual orientation and even religious beliefs. And then there’s pseudonymised personal data, which means the data has been replaced by artificial identifiers or pseudonyms and can’t be attributed to a specific data subject without more information. GDPR encourages this, as it’s a way to help protect people’s data, but it is still considered personal data, and therefore falls under the regulations. Key-coded clinical trial data often falls in this bucket. Genetic, biometric and health data are specifically called out as sensitive personal data for which more stringent requirements apply.
Jennifer: Can you share some common ways this would impact a U.S. biopharma company?
Kendalle: The most obvious way this would impact a U.S. biopharma company is if it has an office or physical presence in the EU, or is undergoing clinical trials in the EU, or even has an approved drug in the EU, and therefore manages EU personal data or targets EU residents in relation to the offering of goods or services. But those biopharma companies that do not have a physical presence or sales in the EU are also at risk, since pretty much all biopharmas that are in human trials or have an approved product on the market deal with patient data. With regard to clinical trials, you may have conducted a trial in the EU years ago, but still house or monitor that data in the U.S.
Then there’s the prevalence of real-world evidence, which is becoming an important part of the drug development and approval process. Real-world evidence is being used to supplement clinical trial data in instances where trial participants may not be fully representative of the overall patient population, and to find new indications for an approved drug, identify new side effects and refine dosing. Data knows no borders, and as more information sharing across companies, industries and even countries increases, so will the risk of non-compliance with GDPR.
Jennifer: What steps should companies take to ensure compliance?
Kendalle: First, you should get a sense for what kind of personal data you deal with and where it comes from. That applies to any marketing, customer or patient data you collect or plan to collect, regardless of where your company resides. Ask yourself if you know exactly where this data comes from, and how you’re currently sharing or protecting it. You’ll also want to review your company’s privacy notices and ensure they’re up to date and in compliance with any applicable privacy laws. Although it can seem daunting to do such a thorough inventory of all data, it’s a good idea whether or not you ultimately fall within GDPR purview. Before making any major changes, it’s always a good idea to consult a legal expert who’s familiar with the laws, as this stuff is anything but simple. Depending on the size of your company, you may need to comply with various requirements, such as appointing a Data Protection Officer at your company, and/or appointing an EU representative.
To learn more about GDPR compliance, and to have your specific questions answered, please join us for the member forum on July 31st, The Era of GDPR Data Privacy, Two Months In: Do you have a Data Transfer Agreement handy?