On May 25, 2018, after much anticipation, the EU’s General Data Protection Regulation (GDPR) became effective. The GDPR, which replaces the Data Protection Directive 95/46/EC (the Directive), changes the current EU data protection framework in several significant ways. While many of the core data protection responsibilities outlined in the GDPR are not new to organizations involved in research, the GDPR nonetheless will have significant repercussions for CROs. With the baseball season underway and the GDPR in force, here are the “starting nine” GDPR takeaways for CROs.
Leading Off: CROs, as Processors, Are Subject to the GDPR
For the first time, the EU imposes data protection obligations directly on data processors — that is, a person or entity that processes personal data on behalf of a data controller. CROs are processors with respect to, for example, the performance of tasks delegated from a study sponsor (the controller), such as site monitoring, project management, and data management. CROs should review their current agreements with sponsors and sites to ensure that the controller and processor relationship and obligations are clearly spelled out. Notably, if a CRO processes personal data from a study for purposes other than those authorized by the sponsor, the processor will be considered a controller with respect to those processing activities. By extension, the CRO also will take on the associated regulatory responsibility and liability. CROs will therefore want to ensure that contracts with sponsors clearly identify the authorized processing activities undertaken on behalf of the sponsor.
Batting Second: Controller and Processor Coordination
Compared to the Directive, the GDPR places an increased emphasis on the coordination between controllers and processors. Among other things, the GDPR broadens the scope of the required terms of a data-processing agreement, and many of the terms underline increased coordination between the parties. For example, data-processing agreements now must provide that the processor “assists the controller” in fulfilling the controller’s duty to respond to requests from data subjects regarding their data-privacy rights. These rights include the right to information about processing activities and to access personal data, as well as the rights to restrict and object to processing, to rectification, to erasure, and to data portability. Given this increased need for coordination under the GDPR, CROs and sponsors should ensure data protection is on the list of items subject to periodic, collective review during the course of the contractual engagement — not just at the inception of the arrangement.
Batting Third: Breach Notification
The GDPR includes obligations for both controllers and processors regarding data breaches. As further evidence of the GDPR’s emphasis on increased coordination between processors and controllers, it encourages communication between the two following data breaches. In the event of a data breach by a CRO or investigational site, CROs inevitably will need to play an important role in notifying data subjects, as the sponsor typically will have no direct relationship with them. Processors should review and update their existing agreements to set out each party’s obligations following a personal data breach and to ensure the GDPR’s requirements are met.
Batting Cleanup: DPIA Requirement
Under the GDPR, controllers must carry out data-protection-impact assessments (DPIAs) where a planned processing is “likely to result in a high risk to the rights and freedoms of natural persons.” One “high risk” area is the large-scale processing of sensitive data, such as health or genetic data, which is typically found in clinical trials. Although the processing of pseudonymized data may not reach the level of high risk, all processing activities will need to be reviewed to determine if a DPIA is required. Moreover, while the requirement to conduct the assessment rests with the controllers, they will likely lean on CRO processors to help assess and address the GDPR’s DPIA requirements.
Batting Fifth: Managing the Sub-Processor Relationship
As mentioned previously, processors of personal data are now subject to regulatory requirements under the GDPR. Likewise, these requirements apply to sub-processors (i.e., those that process information on behalf of processors). Therefore, CROs need to ensure that agreements with sub-contractors adequately set forth each party’s roles and obligations with respect to the GDPR. Moreover, controllers must authorize, in writing, the engagement of sub-processors. Due to the emphasis the GDPR places on the coordination between the controller and the processor, processors and sub-processors will likewise need to increase their own coordination and communication. CROs and other processors and sub-processors may wish to establish SOPs to support these compliance efforts.
Batting Sixth: Doing Your Homework Ahead of Time
Sponsors, CROs, and research sites are accustomed to working together for the successful implementation of a research study. However, with the expansion and modified obligations of controllers and processors, the opportunity also exists for each to be liable for harm to data subjects as a result of processing misconduct. Controllers and processors will both want to re-assess (and in many cases step up) their level of due diligence in selecting contractual partners. They should also ensure that data-processing activities (and the related data-protection compliance) are fully vetted in advance and on an ongoing basis, rather than merely relying on the contractual relationship.
Batting Seventh: Managing Withdrawal of Consent
Parties involved in processing relating to clinical research will face the issue of how to manage a data subject’s withdrawal of consent to data processing. In a December 18, 2017 publication, the Article 29 Working Party (the organization that was tasked with issuing GDPR guidance in advance of the May 2018 effective date) pointed out that there is no exception for scientific research when it comes to a data subject’s right to withdraw consent. Further, once consent is withdrawn, personal data must be deleted, or it must be anonymized promptly if the data will continue to be processed. This raises significant questions in the research context since deleting or anonymizing data that has already been collected for a study may adversely affect the overall research and the integrity of the study data and research results. Sponsors, CROs, and trial sites should therefore keep an eye on the status of this guidance and ensure the process for managing consent is compliant with the GDPR going forward.
Batting Eighth: Indemnity, Limitation of Liability, and Insurance
The changes in data protection roles and responsibilities under the GDPR also require a reassessment of risk-management strategies, including contractual provisions that address liability. Under the terms of the GDPR, if controllers and processors are involved in the same processing, each controller and processor may be held liable for the entirety of damages to an aggrieved data subject. Therefore, it behooves CROs and other parties involved in a research study to revisit (or, in the future, pay keen attention to) indemnity, limitation of liability, and required insurance clauses to ensure risk allocation is appropriate based on the parties’ respective responsibilities.
Bringing up the Rear: Increased Communication with Supervisory Authorities
Under the new regime, the supervisory authority plays a role that is more focused on high-risk matters than under the Directive. However, this more focused role may translate into the supervisory authority becoming more involved in an organization’s overall data-processing activities. As such, CROs and their sponsors need to have processes in place for expected communication and cooperation with supervisory authorities, such as documentation of the processing activities being undertaken, the lawful basis for the processing, and the nature and scope of personal data involved.
The interpretation of the GDPR in the research context will continue to develop and be refined over time by life sciences organizations and the EU Commission and Member States. CROs and other parties to research arrangements must begin now, however, to lay the operational foundation for GDPR compliance. All parties need to be abreast of developments and prepared to modify their roles, responsibilities, operational infrastructure, and contractual relationships as necessary to address the GDPR and future developments.
*This article was previously published in the April 2018 Edition of Life Science Leader.
GDPR, Article 35(1).
*Michelle Wilcox DeBarge is a partner at Wiggin and Dana. She is co-chair of the firm’s Cybersecurity and Privacy practice group, chair of the HIPAA practice group, and a member of the Life Sciences practice group. Aaron Baral is an associate in the firm’s Cybersecurity and Privacy practice group.