Exploring the Impact of the GDPR on Companies Sponsoring and Managing Global Clinical Research

May 1, 2018 Published Work
TerraLex Connections Newsletter, 2018, Edition 2

With an ever-abundant list of important compliance requirements to contend with, life sciences compliance officers have no shortage of challenges. And this year won't offer any reprieve. On May 25, 2018, enforcement of the General Data Protection Regulation ("GDPR"), the European Union's (EU's) new data protection law, will begin-- and there is much to do between now and then.

The GDPR, which replaces the Data Protection Directive 95/46/EC ("the Directive"), changes the current EU data protection framework in several significant ways. Among other things, the new framework expands the territorial scope for EU data protection obligations, applies those obligations directly to data processors, and broadens the requirements for controllers. The GDPR also includes new, quite severe penalties for non-compliance. Regulators have the authority to levy fines for violations of the GDPR in an amount up to the greater of €20 million or 4% of a company's global annual revenue in the prior year. Data subjects also are entitled to specific remedies under the regulation.

While many of the core data protection responsibilities outlined in the GDPR are not new to organizations involved in clinical research, the GDPR nonetheless will have important repercussions for the life sciences sector generally and for the multiple parties involved in global clinical research studies. This is because global studies typically involve the collection and analysis of large amounts of health and genetic data of study participants, and the data may be maintained in multiple databases and systems by multiple entities located in multiple countries. Therefore, sponsors of global clinical research studies and their Contract Research Organizations ("CROs") in particular will need to re-evaluate and document their respective data protection obligations and GDPR compliance in connection with these processing activities. This re-evaluation needs to be undertaken not only with respect to the sponsor-CRO relationship, but also with respect to the data processing activities and responsibilities of third party vendors, and of clinical trial sites in the EU.

To read the full article, please click the PDF link below or click here.