GDPR & Data Protection: Key Changes Drug Developers Need to Know About

19 September 2017

This blog was written by Joshua Merkel, Manager, Information Assurance at Synteract

On May 25, 2018, the new General Data Protection Regulation (GDPR) is set to replace the current Data Protection Directive (DPD) as the European Union's data protection law. Any company that handles the personal data of individuals in the EU, including drug developers and those involved in clinical trials, will be affected by the GDPR's new compliance requirements. Noncompliance can result in fines of up to €20 million (roughly $24 million USD) or four percent of an organization's total worldwide annual turnover, whichever is higher, so companies need to invest in GDPR compliance and data processing planning. With the changes taking effect next spring, there is no better time to start preparing than now.

With privacy viewed as a fundamental human right by the EU, the GDPR sets out to further protect personal information. Aimed at replacing the DPD and harmonizing the fragmented data privacy laws of the EU member states, the GDPR's robust common baseline will apply to organizations worldwide that process the personal data of individuals in the EU.

The GDPR expands on and introduces new individual rights in several areas, including in protecting: 

  1. Personal data - An expanded definition of personal data goes beyond names, addresses, social security numbers, dates of birth, and bank account details to also include location data, online identifiers such as IP addresses, and genetic, biometric, and health data, which the GDPR treats as special categories requiring additional protection.
  1. Transparency - Tighter rules help ensure individuals clearly understand how their data will be used and protected. Organizations will need to reevaluate their privacy notices and their process for properly obtaining individual consent, and confirm both comply with the GDPR before collecting data.
  1. Access and rectification - Individuals can confirm with a company whether it is processing their data and, if so, what types of data are being processed and for what purpose. They must also be provided with more information in connection with a data access request, such as the data retention period, can require inaccurate data to be corrected, and have the right to lodge a complaint with a data protection authority.
  1. Erasure - Under the GDPR, individuals can request that their data be erased when it is no longer needed for its original purpose, when they withdraw their consent, when the data has been unlawfully processed, and when erasure is necessary for compliance with EU or Member State law.
  1. Objection - Individuals may also exercise their right to object to the processing of their personal data. Unlike under the DPD, an organization must cease the processing objected to unless it can demonstrate compelling legitimate grounds that override the individual's interests, or the processing is needed to establish, exercise, or defend legal claims.
  1. Automated decision-making - Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them. Such decisions are permitted only where necessary for a contract, authorized by law, or based on the individual's explicit consent, and in those cases the organization must have appropriate safeguards in place, including a way for the individual to obtain human intervention and contest the decision.
  1. Data portability - Individuals must be able to receive a copy of the personal data they provided in a structured, commonly used, machine-readable format and to have it transmitted to another organization.
  1. Restriction of processing - Individuals may require an organization to limit the use of their data in certain circumstances, for example while the accuracy of the data is being contested.

The GDPR also sets new requirements for controllers and processors. A controller is an entity that determines the purposes and means of processing personal data. A processor handles the data only on the documented instructions of the controller.

Controllers must implement appropriate technical and organizational measures and be able to demonstrate that their processing activities comply with the GDPR (the accountability principle). Privacy by Design and by Default require the company to embed data protection into all business processes and systems from the outset, rather than adding it afterwards. Finally, a controller must notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; processors must notify their controllers without undue delay.

Controllers and processors are required to have written contracts containing the specific terms the GDPR mandates, covering matters such as the subject matter and duration of processing, confidentiality, security measures, sub-processors, and assistance with breach notification and individual rights requests. These stricter data protection agreements may make supply chain agreements, including those with CROs and other vendors, more complex.

GDPR requirements will apply to numerous organizations regardless of where they are located, as long as they process the personal data of individuals in the EU. Companies must be aware of the new requirements and of their role as controller or processor in addressing them. Those that start planning now will be better positioned for the full rollout.

To understand how your CRO should prepare for GDPR requirements, please speak with Joshua Merkel, Manager, Information Assurance at Synteract.
