On 25 May 2018, the current UK Data Protection Act 1998 (and all the other implementing laws across the EU) will be replaced by a new EU-wide General Data Protection Regulation (GDPR). The GDPR ‘comes into force’ (legally speaking) on 25 May this year, but we then have a two year transition period until it becomes applicable across the member states.
The GDPR retains the general definitions and concepts of the current Data Protection Directive (95/46/EC), but introduces a significant number of changes which will impact on the life sciences sector. As is to be expected of a 200 page Regulation, instead of a 20 page Directive, the requirements become far more detailed and far more prescriptive. The headline-grabbing increase in fines (up to €20 million or 4% of global turnover) also means the stakes of non-compliance will be much higher. In this article we consider a few of the most impactful changes in life sciences.
The definition of ‘personal data’ includes an identification number, but the GDPR introduces the new concept of ‘pseudonymisation’. Pseudonymised data is data that can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and protected by safeguards to avoid re-identification. Although a degree more flexibility is granted in the processing of pseudonymised data, the GDPR will put under further strain the argument that coded data is not personal data.
Genetic and biometric data are formally designated as ‘sensitive personal data’. An issue which has caused much debate in some circles is whether genetic and biometric data constitute ‘health’ information (and are therefore sensitive personal data under the current law). As sensitive personal data, genetic and biometric data will be subject to more restrictive conditions for processing (usually requiring explicit consent).
Processing for scientific research or statistical purposes continues to be granted a greater degree of flexibility – arguably more so under the GDPR than under the current law. However, organisations have an express obligation to put in place appropriate safeguards, when relying on this so-called ‘research exemption’, to protect the rights and freedoms of individuals. Wherever possible, the research should be conducted using data which does not identify the individual.
Previously only best practice, organisations must conduct a ‘Data Protection Impact Assessment’ (DPIA) prior to any new processing of sensitive personal data on a large scale. The DPIA should consider the risks involved, and any mitigating steps which can be taken. A DPIA is not mandatory where the processing is carried out by an individual physician or healthcare professional, but likely would be necessary for any further research using the data (i.e. outside the scope of the direct patient care).
More generally, under the new ‘Accountability’ principle, organisations will need to adopt a documented compliance programme (essentially a set of policies) to enable them to demonstrate how they comply with data protection law.