In our last blog, we wrote about the implementation of the GCP ICH directive. This month we would like to bring to your attention another very important piece of legislation whose implementation is also fast approaching; the General Data Protection Regulation herein after called the GDPR. This regulation is an essential step to strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market. The regulation is directly applicable in all EU member states and will become effective on May 25th 2018.
Some key elements of the GDPR include that it will give data subjects more control over their personnel data and introduces new enhanced rights for citizens; namely the need for consent for data processing. It also introduces new responsibilities to organisations that may have to appoint data protection officers where core processing activities require regular and systemic monitoring of individuals on a large scale.
With respect to research the regulation does allow for processing of personnel sensitive data for the purposes of (scientific) research, which in general is welcomed by the scientific community. The GDPR also exempts research from the principles of storage limitation and purpose limitation to allow researchers to further process personal data beyond the purposes for which they were first collected. This however does pose challenges for research collaboration between and amongst member states and globally. Whilst the GDPR adopts a “broad” definition of research, it is unclear exactly how far the GDPR’s research exemption will extend. One thing is clear, however: the GDPR aims to encourage innovation, if organizations implement the appropriate safeguards.
Much will be written about this over the coming months, we will keep updated on the particular implications for the conduct of clinical trials.