The GDPR will apply on 25 May 2018 – what should companies do to ensure compliance?

In 1995, the European Union sought to improve the protection of personal data within the EU member states through introduction of the Data Protection Directive. In May 2018, the directive will be replaced by the General Data Protection Regulation (GDPR). This regulation will give individuals greater control over how their data is used, stored and erased. It will also update, strengthen, and standardise data protection laws throughout the EU and impose greater related responsibilities on data controllers and data processors.

The GDPR, which comes into force on 25 May 2018, is one of a number of developments that will have potentially substantial impact on companies in the life sciences sector. The regulation, combined with the Medical Device Regulation, the In Vitro Diagnostic Medical Devices Regulation, the Clinical Trials Regulation and, potentially, Brexit, will create both opportunities and obligations. Clinical data, including data generated within clinical trials, will be among the types of data particularly impacted by the GDPR.

As the EU member states were required to adopt individual national measures to implement the requirements of the Data Protection Directive on their territory, the scope and nature of related obligations varied between countries. This caused some confusion on the part of companies about their related obligations and how these should be fulfilled. The GDPR is, however, in the form of a regulation and is therefore directly applicable in all the EU member states without the need for related national implementing measures. This will, hopefully, result in a greater consistency of approach between the EU member states and a related reduction in the variety of different national obligations with which companies are required to comply.

It cannot be excluded that, for some companies, compliance with GDPR obligations may require fairly substantial actions. Although the Data Protection Directive was adopted in 1995 and entered into force in 1997, until relatively recently substantial numbers of data controllers were either unaware of their related obligations or adopted compliance actions that were often inadequate.

Unlike the pre-GDPR regime, it will no longer be sufficient for companies to declare that they are compliant with their related obligations. They will now be obliged to demonstrate this compliance. If companies in any sector are considered to be in breach of their GDPR obligations, they could face fines of up to €20m or 4% of group worldwide turnover (whichever is greater).

Moreover, it cannot be excluded that the inspections and audits by competent authorities and, for medical devices, notified bodies will include examination of GDPR compliance. Failure to demonstrate such compliance could lead to findings of non-conformity which could, in turn, result in actions affecting the marketing of the relevant products.

One of the first practical steps that can be taken by companies in determining the actions necessary to comply with the GDPR is conduct of a gap assessment of existing protocols and standard operating procedures intended to ensure respect of data protection obligations. This will permit areas of activity that already comply to a greater or lesser extent with the GDPR to be identified and the areas in which steps are necessary to ensure compliance to be determined. Documentation of this gap assessment is also advisable. This provides evidence that companies are aware of their obligations arising from the GDPR and have taken steps to address these.

Following completion of the gap assessment it will be necessary to determine the most appropriate means to address shortcomings in compliance with GDPR, to adopt appropriate related measures and, to train personnel in relation to new measures. This last point, the need to conduct related training activities, is important. In highly regulated sectors such as life sciences, it is important that employees are aware of their related obligations and the steps that should be taken to fulfil these obligations.

There are many areas of discussion in relation to the implications of the GDPR for companies’ activities and obligations. Among the areas of discussion in the life sciences sector is whether, after the GDPR comes into effect, it will be necessary to reconsent patients who were enrolled in clinical trials before 25 May 2018 on the basis of informed consents prepared in compliance with the Data Privacy Directive. The Recitals to the GDPR provide that, where data processing is based on consent pursuant to Directive 95/46/EC, it is not necessary for the data subject to give his or her consent again if the manner in which the consent has been given is in line with the conditions of the GDPR. This gives rise to a related challenge of determining whether pre-existing consents were compliant with the regulation and how, if they cannot be considered compliant, this shortcoming can be resolved.