Can I Have a Little Privacy Please?

Anyone that's been on the internet the past few weeks has probably done a bit of extra clicking, as companies update their privacy policies to come in line with the new General Data Protection Regulation (GDPR) which comes into effect on Friday, 25 May 2018. These new regulations not only impact how Amazon, Google and (oh yes) Facebook track your movements on the internet, they also have a potentially serious impact on how laboratories and medical device manufacturers store and handle patient data in the EU.

First, a couple of disclaimers. This is a very complicated set of regulations, which I couldn't possibly cover thoroughly in a blog post that anyone would want to read. So I strongly encourage readers to do a bit more research if you think this even remotely applies to your business. 

Second, like all regulations, GDPR can be interpreted very narrowly or very broadly. It's why driving over the speed limit doesn't guarantee you a speeding ticket. Unless it does. The point being that how strictly these regulations get enforced in the EU will depend largely on how well companies and labs take care of patient data going forward.

All that out of the way, there are some critical changes that will impact how medical device companies conduct clinical research. There are a couple of key concepts in the new regulation that are worth reviewing. The most significant are the roles of Controllers and Processors of data.

Controllers of data are those responsible for the governance of data: they decide what data is collected, why it is collected, and how it is processed. This could be a company or a research institution that is running a clinical trial, or a lab doing routine clinical testing with an IVD device. Then there are the Processors of data, who collect, process and store that data on the Controller's behalf and on the Controller's instructions. Processors and Controllers can be the same organization or different ones. Regardless, that relationship has to be very well defined (as in contractually), because both are subject to serious fines (up to 20 million Euros or 4% of worldwide annual turnover, whichever is greater).

Further, things like genetic information are considered personal data - even if the obvious identifiers have been stripped off - because a genome is unique to a patient and can still be traced back to them. So just because a patient consented to a study before doesn't mean they consented to every use of their personal data, unless they specifically consented to that potential use. And even then, the new regulation gives patients the right to be 'forgotten', meaning that they can ask to be removed from any and all datasets that used their information. Remember that under GDPR consent must be explicit, specific to the purpose, and as easy to withdraw as it was to give. Any data collected prior to May 25 without consent that meets this standard cannot keep being used on the strength of the old consent.

Dizzy yet? Let's try an example. Say you're a US company that is part of a big clinical study in the EU, where clinical samples are being collected and analyzed to better understand cancer. You're providing data storage and maybe even a cool algorithm that's helping researchers better understand the biological pathways for cancer. Your device (yes, it's a device) in this scenario makes you the Processor, with the team running the study being the Controller. It's in your best interest to have a clear, contractual agreement around who's doing what and why.

Even as the Processor, you're still on the hook for some big obligations. For example, there's a clause that gives patients the right to meaningful information about how a result that affects them was generated with your algorithm. This could be tough for a human to explain if machine learning was involved in generating the result. And if you decide to use that data in your own product development efforts... congrats! For that use you are now the Controller, and you need to establish your own lawful basis, policies and safeguards for that data. Either way, as a Processor or Controller, you're subject to enforcement action and fines if there's a leak or if the data is otherwise misused.

The bottom line is, if you're doing business in the EU in any manner, you need to make sure you're protecting patient data as GDPR requires. Whether you are conducting the study directly as a Controller or providing the toolsets as a Processor, you need to make sure that the right to privacy is protected throughout the process.