Harmonising data regulation
On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect, bringing with it enhanced data privacy protections for those residing in the European Union (EU) and potentially hefty fines for non-compliance. The new regulation provides data subjects with greater oversight on how companies process their personal data, where it is being processed, and the purpose of this, the right to obtain and transmit their data to another data controller, as well as the right for their data to be erased in certain circumstances. Among other measures, the GDPR will also require data breach notifications to be issued within 72 hours where such a breach is likely to result in a risk for the rights and freedoms of individuals.
One of the principal objectives of the GDPR is to harmonise data protection regulation across EU Member States. Ashley Williams, Associate at JAG Shaw Baker, says: “There are some welcome clarifications on conditions that were either ambiguous or where Member States may have taken divergent approaches.” One such example is pseudonymised data, such as key-coded patient data. “Under the current regime, they take a different approach across Member States as to whether that is personal data,” explains Williams. “The GDPR has clarified that is personal data and needs to be treated as such.”
While such harmonisation could provide some welcome clarity, certain aspects of the GDPR are expected to have a more direct and significant impact on the life sciences sector.
Increased data obligations
The new regulation places specific legal obligations on data controllers and data processors. The former determines the purpose, conditions, and means of processing personal data, and the latter processes personal data on behalf of the controller. Although controllers will be accustomed to complying with data obligations, companies that process data on behalf of others may be facing new ground, notes Williams. “Those players who previously had no direct obligations, such as CROs [contract research organisations] or certain digital health companies in their processing capacity, suddenly find themselves with direct obligations. Some range from quite simple obligations such as recording obligations, while others are a lot more onerous,” he adds.
In addition to these obligations, both controllers and processors who undertake the large-scale processing of sensitive personal data or large-scale systematic monitoring of data subjects’ behaviour may be required to appoint a Data Protection Officer (DPO). This would include a life sciences company whose core activity consists of processing health data on a large scale.
DPOs need to have certain professional attributes and skills, such as expert knowledge of data protection law, and they must not engage in tasks that could lead to a conflict of interest. As such, complying with the DPO requirement could necessitate additional resourcing, particularly for start-ups and early-stage life sciences companies. This might take the form of a new internal resource or external resource, such as a data protection consultant. Williams says: “What would be key for life sciences companies is making sure that if they are looking externally to fulfil that role, they have someone who has the right expertise because data protection in life sciences is probably one of the more complex areas for a data protection expert.”
Understanding GDPR and relevant exemptions
While Williams is positive about GDPR awareness levels among the life sciences sector compared to other industries, the issue for life sciences companies lies in understanding how the regulations will apply to them specifically. Williams attributes this in part to the difficulty in identifying relevant exemptions to the GDPR. For example, data erasure, also known as the right to be forgotten, could have a significant impact on certain stages of a company or product’s development, such as clinical trials. However, there are exemptions to this right that are of particular note to the life sciences sector. “Where the purposes are scientific research, and the right to erasure would render impossible or make the achievement of the objective impossible, then life sciences companies would be exempt from the subject being able to exercise those rights,” explains Williams.
Finding and understanding if and how such exemptions might apply or relying on further guidance on these exemptions to be issued by Member States, may pose a challenge. “Life sciences companies will still need to be very au fait with what each Member State is doing and what additional guidance they are providing around some of these exemptions,” Williams adds.
Developing a tailored action plan
The complexity of the life sciences sector presents a further hurdle for companies seeking to understand how the incoming regulation will affect them and the steps they need to take to prepare for it. Williams says: “Absolutely key to this is having a real understanding of your own data flows. What data do you collect? What is it used for? Where is it transferred? Who is it shared with?” A data mapping exercise, such as completing a data audit questionnaire, can help companies build a clearer picture. “You need to do that because you can’t really assess how the GDPR will apply to you until you have that very clearly mapped out,” notes Williams.
Once this exercise has been conducted, companies will better understand their risk profile and can develop a plan that is relevant to their operations. Williams adds: “What is really key here is making whatever compliance programme you adopt appropriate and tailored to your business.” As the GDPR implementation date of 25 May 2018 fast approaches, companies may wish to focus on addressing immediate risk areas and core external business operations first.
Life sciences companies must also establish whether they are a controller or a processor, as this will affect their course of action. Companies should take this distinction into account when it comes to contracts with third parties, says Williams. “[Companies] get given contracts that might say they are processing on behalf of another controller but actually that might not be the case, they might be a controller in their own right. So, that contract would not be fit for purpose and would hinder the relationship with the third party.”
Getting senior-level buy in
It is not just the measures that a company takes to address the GDPR that are important, but also buy in from the wider business as to how these measures are implemented. “Those [companies] that have senior buy in at every level seem to have much more momentum and a lot more force behind the compliance programme, as opposed to those where it is delegated down without full senior buy in,” says Williams. Having data champions across the business further demonstrates accountability, while also providing appropriate touchpoints.
Ultimately, a proactive approach to the GDPR is likely to be more fruitful for a business. As Williams notes: “What we’re seeing is that those companies doing well in respect of data compliance in the life sciences sector are those who are treating it as an opportunity to excel in a very important area: to demonstrate their commitment to data protection.”
Keeping data protection front of mind
While 25 May 2018 continues to loom large for companies, compliance will remain an ongoing issue. “The regulation is very much set up for continual renewal,” explains Williams. “When you introduce new technologies or carry out new processing activities, for example, then you need to carry out privacy impact assessments, which are like a mini audit, before you deploy that new technology or start that new processing activity.”
Of course, data protection is a much bigger issue than GDPR compliance alone, as has been demonstrated by the extensive media coverage of recent data privacy breaches. Reputational damage, and the risk this poses to share values, will also help to maintain data privacy as a priority for businesses, says Williams.
Brexit and GDPR
For companies with UK operations, it is worth highlighting that the UK’s decision to leave the EU will not impact the initial application of the regulation. The GDPR will come into force in the UK in May 2018 and is set to be converted into UK law through the European Union (Withdrawal) Bill upon its exit from the EU. Furthermore, the new UK Data Protection Bill, which is currently awaiting its third reading in the House of Commons, aims to ensure that the UK’s data protection provisions place it in a strong position pre- and post-Brexit.
In the longer term, however, companies could face increased complexity. “Currently, [the UK] benefits from being in the EEA [European Economic Area] and, therefore, transfer from one Member State to the UK is much easier because each is considered to have appropriate and adequate safeguards in place to respect data privacy,” explains Williams. “But when [the UK] is no longer part of that, the concern is if nothing is put in place then [the UK] may be treated as a third country, in which case international transfers to [the UK] will become more complex.” This could have a particular impact on clinical trial sponsors and CROs, for example, where activities are spread across multiple territories.
Cross-border transactions and activities in life sciences
Irrespective of Brexit, the new regulation has extra-territorial reach. This means that the GDPR applies to organisations that process the personal data of data subjects within the EU, even if the company itself is not located in the EU. Again, clinical trials provide a pertinent illustration of the practical application of the regulation in life sciences. Williams cites the example of a sponsor that is based outside of the EU, but that employs CROs within the EU to carry out clinical trial research. “Regardless of where the sponsor is located, if it is operating within the EU it needs to assess whether it is caught by these rules,” he explains.
As the spotlight on data protection has intensified, so too has the importance of this issue within corporate transactions. Williams says: “On the corporate side, both in investment and M&A scenarios, we are seeing much deeper dives from a due diligence perspective. Everyone knows this is a hot topic, so they are asking more and more questions, and are more willing to request more stringent contractual remedies for identified breaches.” In line with this, Williams has also noted an increase in data protection indemnities.
Data protection advice forms an essential part of the full range of services JAG Shaw Baker provides to the life sciences sector. Williams says: “At JAG Shaw Baker, we take the same approach that we pride ourselves on in every other area of our commercial and corporate offering, which is to make this as simple as possible, to make it appropriate for our clients to identify those key risks areas and, most importantly, to be able to provide market insight as to how the rest of the market and other players are reacting to these changes.” Given that a significant proportion of the law firm’s client base are start-ups and early-stage life sciences companies, JAG Shaw Baker also works to ensure that it helps clients prioritise and develop action plans according to the resources available to them.
This article was originally published by LSX on 20 April 2018. Tech law firm JAG Shaw Baker joined Withersworldwide in August 2018 to create a unique legal offering that meets the needs of entrepreneurs, investors and technology companies across the world.
