
Mastering data protection in the pharma industry

‘Trip wires’ that pharma should look out for


The General Data Protection Regulation (GDPR) entered into force on 25 May 2018, and has had a fundamental impact on the pharmaceutical industry. 

To avoid data protection ‘trip wires’, businesses should consider the effects of the GDPR when processing data for medical research, pharmacovigilance and clinical trials. They must also keep on top of a number of additional data protection regulations coming down the tracks.

GDPR and medical research

Carrying out medical research is fundamental to the pharmaceutical industry, and the GDPR allows flexibility to process personal data where necessary for scientific research purposes. However, as a starting point, the research should be carried out using anonymous data if possible. If it is not possible to use anonymous data then certain safeguards must be in place, ensuring:

  • that technical and organisational measures are in place
  • the processing of only the minimum amount of data required
  • the data is not processed to support measures or decisions relating to particular individuals, unless this includes the purposes of approved medical research
  • that the data is not processed in such a way that may cause substantial damage or distress to an individual.

The enhanced rights for individuals under the GDPR may also have implications for medical research. For example, individuals have a right to have their personal data erased in certain circumstances.

The GDPR does provide an exemption from the right of erasure of personal data for scientific research purposes, in so far as the right of erasure is likely to render impossible or simply impair the achievement of the objectives of this type of processing. However, it may not always be clear when the exemption applies.

Processing personal data for pharmacovigilance

EU pharmacovigilance legislation requires businesses to report adverse reactions. Businesses must therefore consider the data protection issues associated with this. The pharmacovigilance legislation applies ‘without prejudice’ to the data protection rules and notes ‘it should be possible’ to process personal data within pharmacovigilance reporting requirements while complying with the EU data protection rules.

It is not considered necessary to obtain an individual’s consent when processing personal data for these purposes. The data may be processed on the basis that the processing is necessary for compliance with a legal obligation and for the purposes of legitimate interests pursued by the data controller.

Under the previous legislation, it was possible to rely on the medical purposes legal ground to process pharmacovigilance data that is sensitive personal data. The GDPR introduced a new legal ground for processing special categories of personal data, which may be helpful in the context of pharmacovigilance where the processing is necessary for reasons of public interest/health, for example protecting against serious cross-border threats to health or ensuring high standards of quality and safety for medicinal products or medical devices.

Such processing must be carried out by or under the responsibility of a professional subject to the obligations of professional secrecy under EU or member state law, or by another person subject to a professional obligation of secrecy.

For guidance on the interplay between pharmacovigilance legislation and data protection regulation, the European Data Protection Supervisor (EDPS) published two opinions, although these relate to the previous data protection legislation rather than the GDPR.

The ABPI Pharmacovigilance Expert Network, the Pharmaceutical Information and Pharmacovigilance Association and pvlegal, in consultation with the UK ICO, also published guidance on UK data protection in post-marketing pharmacovigilance.

Legal basis for processing personal data in clinical trials

Pharmaceutical businesses can also trip up while considering the legal basis when processing personal data in clinical trials, in light of the GDPR and the Clinical Trials Regulation (CTR) (which entered into force in 2014 and is expected to become applicable in 2020).

The CTR’s objective is to harmonise the rules for conducting clinical trials throughout the EU. It introduces an authorisation procedure based on a single submission via a single EU portal, an assessment procedure leading to a single decision, rules on the protection of individuals, and informed consent and transparency requirements. The GDPR meanwhile seeks to protect individuals with regard to the processing of their personal data.

The European Data Protection Board (EDPB) has clarified in an opinion that both the GDPR and the CTR apply simultaneously and that whilst the CTR contains specific data protection provisions, it does not allow derogation from or in any way diminish the legal requirement to comply with the GDPR.

There has been considerable debate on this issue, and national ethics committees and regulatory bodies have struggled to reach consensus on whether processing should be on the basis of consent or legitimate interests.

The EDPB opinion emphasises that ‘informed consent’ provided under the CTR to participate in a clinical trial is not the same as consent to process personal data under the GDPR. While informed consent under the CTR may still be possible, an imbalance of power between the participant and the sponsor/investigator may not enable that consent to be ‘freely given’ as required by the GDPR.

The EDPB also distinguishes between the ‘primary use’ and ‘secondary use’ categories of processing.

Primary use is the processing of personal data during the course of a clinical trial and comprises operations relating to the protection of health activities (reliability and safety related purposes) and operations relating to research activities.

In regards to the protection of health activities, the EDPB clarifies that this type of processing can be performed on the basis that it is necessary to comply with legal obligations: for example, safety reporting, archiving of master files and disclosure of clinical trial data. By contrast, the EDPB considers that processing operations relating to research activities cannot be based on legal obligations.

Instead, processing may be carried out on the basis of an individual’s explicit consent (subject to the GDPR’s conditions around consent when processing special categories of data) or the legitimate interests of the controller, or the public interest. In respect of consent, any imbalance of power (e.g., illness of a trial participant or a participant being in a situation of dependency) may prevent a data controller obtaining ‘freely given’ GDPR consent, and in such a case an alternative legal basis may be required.

A thorough assessment of the circumstances of the trial should therefore be carried out before consent is relied upon as the legal basis for processing personal data.

If relying on the legitimate interests of the controller, or the public interest, data controllers should be mindful that their legitimate interest to process personal data in the context of a clinical trial will need to be balanced against the interests of the individual participants.

Legitimate interests cannot be relied upon if overridden by the individual’s interests or fundamental rights and freedoms. Whether or not the ‘public interest’ legal basis can be relied upon will depend on whether the clinical trials fall ‘within the mandate, missions and tasks vested in a public or private body by national law’. This may be difficult to meet in the case of commercial data controllers.

Secondary use is the processing of personal data for scientific purposes outside the clinical trial. The EDPB confirms that it is not possible to rely solely on CTR consent to process personal data in the case of secondary use and a separate GDPR legal basis to process is required. That said, the legal basis may be the same or different from that relied upon for the primary use.

Compliance: keep on keeping on

With fines of up to 4% of a company’s annual worldwide turnover or EUR 20m (whichever is higher), the GDPR has introduced an aggressive enforcement regime and significantly increased the risk of non-compliance.

National data protection authorities now also have augmented powers – they can impose a ban on the processing of personal data, enter premises and suspend data flows to a recipient located outside the EU.

What’s more, with the CTR set to become applicable in 2020 and the new EU E-Privacy Regulation coming down the road, compliance issues are only set to increase.

A year after the introduction of the GDPR, pharmaceutical businesses should therefore continue to review their responsibilities and obligations under the GDPR to ensure ongoing compliance, as well as keep abreast of the new regulations that are in the pipeline.

For compliance teams, it is a case of ‘keep on keeping on’.

Maliha Carey is a Senior Associate at Stevens & Bolton LLP

2nd October 2019
