With an ever-abundant list of important compliance requirements to contend with, life sciences compliance officers have no shortage of challenges. And this year won’t offer any reprieve. On May 25, 2018, enforcement of the General Data Protection Regulation (“GDPR”), the European Union’s (EU’s) new data protection law, will begin-- and there is much to do between now and then.
The GDPR, which replaces the Data Protection Directive 95/46/EC (“the Directive”), changes the current EU data protection framework in several significant ways. Among other things, the new framework expands the territorial scope for EU data protection obligations, applies those obligations directly to data processors, and broadens the requirements for controllers. The GDPR also includes new, quite severe penalties for non-compliance. Regulators have the authority to levy fines for violations of the GDPR in an amount up to the greater of €20 million or 4% of a company’s global annual revenue in the prior year. Data subjects also are entitled to specific remedies under the regulation.
While many of the core data protection responsibilities outlined in the GDPR are not new to organizations involved in clinical research, the GDPR nonetheless will have important repercussions for the life sciences sector generally and for the multiple parties involved in global clinical research studies. This is because global studies typically involve the collection and analysis of large amounts of health and genetic data of study participants, and the data may be maintained in multiple databases and systems by multiple entities located in multiple countries. Therefore, sponsors of global clinical research studies and their Contract Research Organizations (“CROs”) in particular will need to re-evaluate and document their respective data protection obligations and GDPR compliance in connection with these processing activities. This re-evaluation needs to be undertaken not only with respect to the sponsor-CRO relationship, but also with respect to the data processing activities and responsibilities of third party vendors, and of clinical trial sites in the EU.
Non-EU based Organizations May be Subject to the GDPR
The GDPR expands the territorial jurisdiction for data protection obligations well beyond that of the Directive. This means that many organizations involved in clinical research that are not currently subject to the Directive may have to comply with data protection responsibilities that are new or unfamiliar. This will be especially true for organizations that do not have an office or other type of establishment in the EU.
Under the current Directive, if an organization is neither located in the EU nor uses equipment located in the EU to process personal data, EU data privacy laws generally do not apply. Now, under the GDPR, if personal data processing activities are related to the offering of goods or services to people in the EU, or the monitoring of behavior of people in the EU, the EU data protection requirements will be triggered. This will pull in non-EU based organizations involved in global clinical trials that previously may have been subject only to limited data protection obligations through contractual language.
Data Processors Now Covered
For the first time, the EU will impose data protection obligations directly on data processors, such as CROs or third-party vendors that process personal data on behalf of a controller. CROs, for example, may undertake processing on behalf of a sponsor in the course of performing delegated tasks such as site monitoring, project management, data management and the like. Moreover, in clinical trials, processing is often carried out by multiple organizations, sometimes through sub-processors that are contracted by the main processors to carry out some of the processor’s activities. All of these parties will now have to comply with an array of regulatory obligations and, together with the controllers they serve, will face new, more severe penalties for violations.
Defining a Controller and Processor Under the GDPR
A controller is a person or entity that determines the purposes and means of the processing—the controller effectively is the decision-maker around what can or will be done with personal data. A processor is a person or entity that processes personal data on behalf of a controller.
Controller Obligations Expanded
A sponsor, as the initiator and “owner” of the clinical trial, is a controller with respect to the processing of personal data of study participants in a clinical trial. However, depending on the study design, the scope and nature of any delegated duties, and the type of data at issue, multiple parties may be controllers within a clinical trial.
Controller responsibilities under the GDPR are now more expansive than under the Directive, and differ in several ways from those of a processor. Among their other obligations, controllers now, for example, must notify supervisory authorities and data subjects of certain data breaches. In contrast, processors have no obligation to notify authorities or data subjects, but they must notify the controller of all data breaches.
Additionally, the GDPR expressly provides for the role of joint-controller of a processing activity with corresponding responsibilities. For example, joint controllers must determine their respective GDPR compliance obligations by agreement, and make the “essence of the arrangement” available to data subjects. Moreover, data subjects are entitled to enforce their rights against either controller, regardless of the allocation of responsibilities in the joint-controller agreement.
Mapping Roles and Responsibilities
A CRO or a clinical trial site may thus be a controller, joint controller or a processor (or all three) depending on the facts and level of autonomy associated with a particular processing activity and will have to adhere to the respective GDPR responsibilities attendant to each role. The Article 29 Working Party (the primary advisory body for EU data protection) notes, for example, that a clinical trial site that carries out a trial “autonomously,” even if in compliance with the sponsor’s guidelines, may be regarded as a joint controller. Indicia of autonomy, according to the Working Party, include providing notices and obtaining patients’ consent, allowing access to the sponsor’s collaborators, and handling original medical documents. However, the result could be different where the clinical trial site has little discretion in determining the essential aspects of the purposes and means of the processing.
Mapping out the roles and responsibilities of involved parties in a clinical trial is thus essential given the expanded jurisdictional scope of the GDPR, and its new and sometimes overlapping compliance obligations among controllers, joint controllers, processors, and sub-processors. Sponsors and CROs must take the time to define in advance their respective roles, and the roles of other third-parties, in the data processing aspects of a clinical trial, and map out their concomitant responsibilities, including their communication protocols in the event of a data breach.
Notably, the Article 29 Working Party explains in guidance that these roles are based on factual considerations, rather than formal categories and the contractual provisions between the parties. In other words, contractual language disclaiming a party’s role as a controller or processor will have no bearing on the regulatory obligations of a party if the facts are contrary to the terms of the agreement.
Determining the roles and responsibilities will take time and should be given the same care as preparation of budgets, timelines, and the list of tasks delegated to the CRO, given the risks associated with non-compliance. Sponsors and CROs, moreover, should ensure data protection is on the list of items subject to periodic, collective review during the course of the trial, not just at the trial’s inception, so that areas of concern can be addressed promptly. Neglecting to address data protection matters thoughtfully and thoroughly throughout the course of a clinical trial will undoubtedly lead to significant confusion, contractual disputes, unexpected liability and compliance issues.
Risk Assessment, Liability and Insurance
The changes in data protection roles and responsibilities under the GDPR also require a re-assessment of risk management strategies, including contractual provisions that address liability. The GDPR expressly states that where controllers and processors are involved in the same processing, each controller and processor may be held liable for the entirety of damages to an aggrieved data subject. A controller, moreover, is deemed by default to be responsible for all processing activities that do not comply with the regulation, even if the activities are delegated to a processor, unless it proves it is in no way responsible. Therefore, it behooves parties involved in a global clinical trial arrangement to re-visit indemnity and limitation of liability clauses to ensure risk allocation is appropriate based on their respective responsibilities.
Controllers and processors will also both want to re-assess their level of due diligence in selecting contractual partners. They also should ensure that data protection processing activities (and related compliance) are fully vetted in advance and on an ongoing basis beyond relying merely on contractual language.
Parties may also want to re-evaluate their insurance posture to determine if additional insurance is advisable to cover heightened data protection risks. The GDPR expressly provides that if processors process personal data other than as expressly directed by the controller, the processor will be deemed a controller for purposes of the unauthorized processing.
CROs and other processors involved in global clinical trials will therefore want to ensure their agreements contain express and detailed language memorializing the processing activities directed and approved by the sponsor. The CRO and other processors will also want to ensure they have in place operational checks and balances to ensure processing activities do not deviate from the controller’s contractual directives. In other words, the GDPR places a premium on compliance monitoring.
The use of CROs by sponsors to conduct clinical trials is now commonplace, and it is expected to continue to increase. In 2012, 23% of clinical trials were outsourced by pharmaceutical companies to CROs, a number which is expected to increase to 72% by 2020. The GDPR adds complexity to this relationship by requiring cooperation and coordinated performance of several data privacy duties by controllers and processors. The regulation expands the Directive’s requirement for what the data processing agreement between the controller and processor must contain. Under the Directive, the focus of this agreement was to obligate the processor to follow the controller’s instructions, and abide by relevant Member State law. The GDPR framework broadens the scope of the required terms in the data processing agreement, mandating several additional provisions that speak to the expected close coordination between a controller and a processor.
First, controller-processor contracts must now provide that the processor “assists the controller” in fulfilling the controller’s duty to respond to requests by data subjects with regard to their data privacy rights. These rights include the right to information about processing activities, the right to access, rectification, erasure, restrictions on processing, to object to processing, and to data portability.
Second, processors must further assist the controller in complying with the controller’s data security requirements, including putting in place appropriate security measures and policies, conducting data protection impact statements, and consulting with the supervisory authority with regard to high risk activities where associated risks cannot be mitigated. In the case of a data breach by the CRO or an investigational site, for example, for which notification to data subjects is required by the controller, the CRO or site inevitably will also need to play a critical role in notifying the data subjects as the sponsor typically will have no direct relationship with the data subjects.
Finally, processors must also contribute to audits and inspections by the controller. Part of that contribution is the requirement that the processor makes available to the controller all the information that is necessary for the controller to demonstrate the controller’s compliance with its due diligence and oversight obligations, including the obligation for sponsors to approve in writing all sub-processors.
These requirements foretell additional pressure on sponsors and CROs to work out effective practices for data compliance oversight and distribution of responsibilities. Sponsors should take note of these GDPR requirements from the outset, and include these considerations in their due diligence when deciding whether to use a CRO for any particular project and what kind of data processing structure to adopt for such a relationship. CROs should by extension take into account similar considerations when choosing and contracting with sub- processors. CROs and other processors and sub-processors may wish to establish standard operating procedures and acquire technologies or other means to support their compliance efforts. CROs and other processors should also note that these requirements are scalable, and as such all CROs should consider how they can comply with their assistance obligations specific to the services they already provide and the resources they already have.
Legal Grounds for Processing for Scientific Research
While the GDPR is built upon the EU’s commitment to data privacy as a fundamental right, the GDPR’s provisions also demonstrate the EU’s interest in supporting scientific research. Like the Directive, the GDPR specifies certain types of more sensitive data that are considered “special” and have associated, more stringent requirements for their processing. The GDPR continues to consider health data sensitive, and further adds genetic data and biometric data to this category, although many life science companies already treat those types of data as sensitive.
In order to process these types of data, the responsible organization or investigator must either obtain the data subject’s explicit consent or be able to demonstrate that the processing is otherwise lawful. Particularly relevant for clinical research activities, the GDPR now permits the processing of sensitive data where it is “necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” subject to EU or Member State law and additional conditions for data security. Therefore, it appears that organizations can process sensitive data without explicit consent if such processing is necessary for a scientific research purpose, and if they maintain heightened security protections and comply with other applicable law as defined by Member States. The provision also intimates that organizations will need to document rationales demonstrating that the processing is for scientific research purposes as well as the additional safeguards undertaken.
Modified Consent Requirements
For now, organizations may want to continue obtaining explicit consent for the processing of health and other special data categories, as they have under the Directive, until the parameters for the scientific research grounds for processing are better understood in the context of a clinical trial. They should be aware, however, that the GDPR contains some new requirements for obtaining, evidencing and revoking consent as well as some special provisions addressing consent in connection with scientific research.
The GDPR embraces the Declaration of Helsinki principle that consent should be specific and informed. Data subjects are required to know the purpose for which their data is intended to be processed, and the subject’s consent must be specific to that purpose. Therefore, if a processing has more than one purpose, the data subject has to give consent to each purpose. The data cannot be processed for purposes that are incompatible with those purposes to which the subject has consented.
Consent forms must also be “in an intelligible and easily accessible form, using clear and plain language,” and “should not contain unfair terms.” If the form also concerns other matters, the request for consent must be clearly distinguishable. Again, the GDPR takes its cue from well-settled principles governing clinical research such as the ICH Guideline for Good Clinical Practice.
In clinical trials, and in research generally, data is often made subject to many different analyses and manipulated in various ways that are not always foreseen from the beginning. Further, the datasets that are used in research often are ones that have been created by other researchers – a research outcome is frequently the product of many iterations of work products built upon one another. The GDPR acknowledges these aspects of research processes, and provides that where data is processed for scientific research, data subjects are allowed to give consent to “areas of research” that may be broader than identifying a specific purpose. Furthermore, where data is subject to further processing for which consent has not been obtained, the GDPR by default considers further processing for scientific research compatible with the initial purposes, subject to additional safeguards for data security.
Although these special consent provisions for scientific research have yet to be applied in practice, on December 18, 2017, the Working Party issued draft guidelines on consent, which include a discussion of consent for scientific research purposes. The draft guidelines state that even though purpose specification in a consent for scientific research can be more general, the Working Party expects that controllers will seek other ways to ensure that the essence of the consent requirements is met, for example, by obtaining consent for subsequent steps as the research advances. Moreover, the expectation is that consent at all times will be in line with applicable ethical standards. Additionally, the Working Party points out that there is no exception for scientific research when it comes to the data subject’s right to withdraw consent. The guidelines further provide that when consent is withdrawn, personal data must be deleted or be anonymized promptly if the data will continue to be processed in connection with the research.
Sponsors, CROs and clinical trial sites should therefore ensure consent forms and the process for managing consent are compliant with the GDPR’s additional requirements, while recognizing that data subjects can consent to specified areas of research rather than narrow processing activities that it may not be possible to detail in advance. Moreover, while there does not appear to be a need to re-obtain consent for data that qualifies as “further processing” if that processing is done for scientific research and if appropriate security safeguards are in place, obtaining consent for subsequent stages as the research advances may be necessary in some cases.
The GDPR also affects controllers’ and processors’ relationship with supervisory authorities. Supervisory authorities are the independent public authorities responsible for monitoring the regulation’s application in each Member State. At the outset, the GDPR expressly states that controllers, processors, and their representatives must cooperate with the supervisory authority where requested.
Although controllers will no longer be required to register their processing activities with the data protection authorities in each Member State, both controllers and processors will now need to maintain their own more expansive records of their processing activities. Further, under the new regime, the supervisory authority plays a role that is more focused on high-risk matters than under the Directive. However, this more focused role may translate into the supervisory authority becoming more involved in organizations’ overall data processing activities. Similar to how they handle their relationships with other regulatory authorities, sponsors and CROs subject to the GDPR need to have processes in place for expected communication and cooperation with supervisory authorities. Among other things, sponsors and CROs need to document in advance the types of processing activities being undertaken, the lawful basis for the processing, and the nature and scope of personal data involved, as required by the GDPR. This documentation will be necessary to respond appropriately to compliance inquiries.
Under the GDPR, supervisory authorities now will play a particularly important role in two areas: in connection with required data protection impact assessments (“DPIAs”) and data breaches. Under the new rules, controllers are required to carry out DPIAs where a planned processing is likely to result in a high risk to the rights and freedoms of natural persons. This is a significant new requirement under the GDPR.
The large-scale processing of sensitive data, such as health or genetic data, is considered a high-risk activity, and consequently sponsors must ensure they have procedures in place to ensure proper privacy impact assessments are conducted and documented in the context of a clinical trial. If the DPIA shows that, despite any mitigating measures, the risk remains high, the controller must consult with the supervisory authority about how to proceed. How involved the supervisory authority will ultimately choose to be with regard to high risk activities remains to be seen and will likely vary by Member State.
Supervisory authorities will also be more involved in the context of data breach notifications. As noted above, controllers are required to notify supervisory authorities and data subjects of data breaches in certain circumstances. The controller must notify the supervisory authority within 72 hours of becoming aware of a breach if the breach is likely to result in a risk to the rights and freedoms of natural persons. If the breach is likely to result in high risk to a data subject, the data subject must also be notified. If the controller has not already done so at the time of notification to the supervisory authority, the supervisory authority may require that the controller notify affected data subjects. While these high impact breach scenarios hopefully will not be common place, the consequences for sponsors and CROs, and the clinical trial itself, can be significant. Sponsor and CROs should plan for breaches and have processes in place to ensure proper communication with supervisory authorities, as necessary.
The interpretation of the GDPR in the context of global clinical trials will continue to develop and be refined over time by organizations in the life sciences industry and by the EU Commission and Member States. Sponsors, CROs, third-party vendors and clinical trial sites must begin now, however, to lay the operational foundation necessary to address the complexities of GDPR compliance in the context of global clinical studies. All parties should also keep abreast of developments and be prepared to modify their roles and responsibilities and operational infrastructure as necessary to address those developments.
 Art. 3 – Territorial scope
 GDPR Art. 26 – Joint controllers.
 WP29 guidance on controllers and processors, p. 30 – from: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
 Id. (“the role of processor does not stem from the nature of an actor processing personal data but from its concrete activities in a specific context and with regard to specific sets of data or operations.”) Criteria for determining: level of prior instruction; monitoring; visibility; expertise; decision-making power (33); determining of purposes of processing is reserved to the controller; determination of the “means” of processing can be delegated, but substantial questions which are essential to the core of lawfulness of processing are reserved to the controller (15).,
 GDPR Art. 28(10)
 Sujay Jahav, How CROs Are Helping With Healthcare's Data Problem, Forbes, 2017, https://www.forbes.com/sites/forbestechcouncil/2017/08/16/how-cros-are-helping-with-healthcares-data-problem/#4e0d557a3e2b.
 Directive – Art. 17(3)
 GDPR Art. 28 – Processor
 GDPR Art. 28(e)
 GDPR Art. 28(f)
 GDPR Art. 28(h), requiring that processor assist controller in fulfilling Arts. 32-36.
 WP29 guidance on risk & scalability of obligations, at: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf
 Indeed, the GDPR makes reference to the EU’s objective under the Lisbon Treaty of achieving a competitive European Research Area where research can circulate freely, thus acknowledging its interest in promoting and supporting research. Recital 158, Processing for scientific research purposes: “… For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. In addition, it should take into account the Union’s objective under Article 179(1) TFEU of achieving a European Research Area.”
 Under the GDPR, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership; data concerning health, sex life, or sexual orientation; and genetic and biometric data are considered special categories of personal data. Art. 9(1).
 GDPR Art. 9(2)
 GDPR Art. 9(2)(j); additional security measures in Art. 89(1)
 Note that under GDPR Art. 9(4), Member States are authorized to maintain or impose further conditions, including limitations, for the processing of genetic, biometric, and health data.
 GDPR Recital 42
 GDPR Art. 4(11) “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
 GDPR Recital 32: “When the processing has multiple purposes, consent should be given for all of them.”
 GDPR Art. 5(1); 6(4) on factors to determine whether the further purpose is compatible with initial purpose.
 GDPR Recital 42 – Burden of proof and requirements for consent. All recitals at: https://gdpr-info.eu/recitals/
 GDPR Article 7 – Conditions for consent
 See, e.g., International Conference on Harmonisation of Technical Requirements for Registration of Pharmaceuticals For Human Use, GUIDELINE FOR GOOD CLINICAL PRACTICE E6(R1), 15–18 (1996).
 GDPR Recital 33: “It is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research when in keeping with recognized ethical standards for scientific research. Data subjects should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.”
 GDPR Art. 5(1) Personal data shall be: … b) “collected for specific, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’).”
 Guidelines on Consent under Regulation 2016/679, http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=611232
 GDPR Art. 31 – Cooperation with the supervisory authority “The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.”
 GDPR Art. 35 - DPIA
 GDPR Art. 33 – Notification of a personal data breach to the supervisory authority