The European Parliament and the Council of the European Union approved the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/279) which became enforceable on May 25, 2018. Because personal information, including health information, is collected during clinical trials, knowing and understanding the GDPR is critical for running clinical trials in the European Union. Penalties for infringements of specific provisions of the Regulation can reach up to 4% of a company’s total worldwide turnover (i.e., gross revenue).
The Regulation points out several areas of particular importance which are associated with the most severe infringement penalties. Some examples include ensuring that:
- Data is processed in a lawful, transparent and fair manner.
- Data is only used for the purpose(s) for which it was collected.
- Collection of data is limited to the minimum amount necessary to accomplish the stated purpose(s).
- Data is accurately maintained, or is erased or corrected promptly.
- Data subjects have the right to obtain and correct their information, and the right to have it erased under specific circumstances.
- Data is only transferred to entities or to countries where it can be assured that the protections guaranteed by the GDPR will not be compromised.
In addition, the Regulation prohibits the processing of certain special categories of data, such as racial or ethnic origin, political opinions, religious beliefs, genetic and biometric data, and health data, unless certain conditions are met. These conditions include the data subject's explicit consent to the processing, processing that is necessary to protect the person's life, and processing for reasons of substantial public interest.
It’s also important to understand the differences between the data controller and the data processor, which are separate roles according to the GDPR, and the specific responsibilities of each. The data controller is the entity (for example, a person, company or public authority) that determines the purposes and the means for processing the personal data governed by the GDPR. The data processor is the entity that processes the personal data on behalf of the controller. It’s important to note that the data processor can legally be considered the data controller if it’s determined that they are making decisions regarding the processing of the data. This is important because the data controller and the data processor have different responsibilities assigned to them by the Regulation.
The data controller is responsible for taking measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR while maintaining the rights and freedoms of the data subjects. If the data processor is a separate entity from the data controller, the data processor must be able to provide sufficient guarantees, usually contractual, to the data controller that they have sufficient controls in place to ensure that data processing will meet the requirements of the GDPR and ensure the rights and protections of the data subject.
The above descriptions only scratch the surface of the requirements of the Regulation. There are many more sections dealing with specific patient rights regarding their data, restrictions on transfers of data to other jurisdictions, and interactions with supervisory authorities.
Because of the requirements outlined in the GDPR and the potential penalties involved with infringements of the Regulation, it’s essential that companies that collect and process data on EU citizens have a clear and deep understanding of all aspects of the GDPR. To ensure this, I decided to take the Certified Information Privacy Professional certification for European regulations (CIPP/E) exam to demonstrate my knowledge of the GDPR.
This exam is developed by the International Association of Privacy Professionals (IAPP), the largest and most comprehensive global information privacy community and resource. The IAPP helps define, promote, and improve the privacy profession globally and provides certifications to members who demonstrate proficiency and knowledge of privacy regulations in specific regions of the world. IAPP certifications are also recognized for meeting the global gold standard: ANSI/ISO accreditation.
The CIPP/E exam was one of the toughest exams I’ve ever taken. I studied for months, reading books and articles, taking classes, reviewing the Regulation itself in detail, and taking many pages of comprehensive notes. The work paid off, and I attained the CIPP/E certification. You can have confidence when working with a company that has an IAPP certified professional on staff who can provide expert guidance related to privacy and the GDPR.