GDPR, What It Is, What Does It Change and What Do You Risk If You Are Not Compliant

GDPR, what it is, what changes and what do you risk if you are not compliant

Less than 3 months separate us from the moment the GDPR will become effective. It is therefore fundamental for companies to better understand what actually GDPR is and which consequences it will imply in their daily routine, especially in Life Sciences, industry characterized by an incredible amount of sensitive data.

What Actually is EU General Data Protection Regulation (EU GDPR)?

The EU General Data Protection Regulation is a set of more than 250 pages approved by the European Parliament, the Council of the European Union and the European Commission. The GDPR will replace the previous Data Protection Directive 95/46/EC from 1995. It is easy to understand, due to the technological innovation and the huge shift to a data-driven approach, why an update was more than necessary.

If you are asking yourself why should you be interested in GDPR, well, consider that it will imply a greater boost for compliance: fines up to €20M or 4% of global turnover.

What are the GDPR main objectives?

As stated in the homepage of the website, “The EU General Data Protection Regulation (GDPR) […]  was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

The GDPR objectives are therefore 3:

  1. Increase homogeneity of data privacy laws in the Euro area, this might be directed especially to those organization working in multiple countries;
  2. Ensure that EU population is conscious of the data organizations obtain about them and how they will be used;
  3. Deeply reorganize the way companies collect, manage, analyze and share data.

Despite the different actors involved it is easy to spot the global comprehensive pattern that lays under the  New Privacy Regulation: these pages concern the rights of the individuals over the personal data, explaining how they can be obtained, what can or can not be done with them and how the organization must guarantee their protection.

What is Personal Data?

The Article 4 provides a wide definition of Personal Data which include:

  • Name, address and unique identifying numbers (IP address, cookie strings…);
  • Demographics—age, gender, income…;
  • Behavioral data — web searches chronology, purchase history…;
  • Social data—your friends’ list, emails, messages…;
  • Sensor data—biometrics, health tracking devices…;
  • User-generated content — videos, photos, blogs or comments.

Concerning only personal data, the GDPR do not consider anonymized data, there is although a big BUT: if data, even anonymized ones, can somehow lead to an individual (for example by the combination of different data sources), then this information is defined as personal.

The actors involved in the GDPR

Who is or What constitutes a Data Subject?

GDPR defines the data subject as a natural person, which could therefore, be your customer, employee or, concerning clinical trials, your patient.

Who is or What constitutes a Data Controller?

The Data Controller a “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”  It has therefore to be considered the company at the beginning of the data request workflow.

In Life Sciences industry it can be identified with the sponsor, the Academic Institution or the Contract Research Organization (CRO).

Who is or What constitutes a Data Processor?

The Data Processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Those entities who actually handle the personal data under the mandate of the controller, for example, IT companies that manage or administrate a client’s database.

The Geography of The GDPR: Which are the Controllers and Processors involved?

One of the biggest changes introduced by the GDPR is the extension of the regulatory jurisdiction. In fact, if any one of the following 3 conditions is met, than the entity must be GDPR compliant:

  • The data controller is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data processor operating is based in the EU (regardless of whether the processing takes place in the Union or not);
  • The data subject is based in the European Union.

In other words, if you or any link of the chain is or passes through the European Union, than it is required GDPR compliance (sponsors, CROs, patients participating in the trials are all involved).

Why is Consent the Key of GDPR?

As stated on, there has been a great increase in the conditions for consent in order to prevent companies to use “long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form” including the purpose for data processing attached to that consent.

Consent is only valid when actively given, this means no pre-ticked checkboxes are accepted. The subject must be also able to withdraw the consent at any time.

How Does GDPR Empowers EU citizens?

As stated in the previous paragraphs, the Regulation introduces a brand new set of rights for the data subjects to enhance information management. These include:

  • Access & modification: Subjects must be able to access their data and modify it.
  • Right to erasure: Subjects can request the cancellation of their data when it is no longer necessary for their original purpose.
  • Portability: subjects must be able to request and have from the controllers all personal data they obtained, in a portable format.

What Do You Risk If you are not GDPR Compliant?

The GDPR penalty section is extremely clear, the paragraph 6 of Article 83 states: Non-compliance […] shall, […], be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover […], whichever is higher”. This represents the maximum fine that can be imposed and it applies to the most serious infringements: lack of sufficient customer consent to process data or violating the core of Privacy by Design concepts.

Concerning compliance, a few words must be spent on the controversial breach notification: GDPR requires companies to communicate to the Data Protection Supervisor if a breach has occurred within 72 hours from the event, which, as stated by Richard Stiennon on Forbes, means that you have 3 days to:

  1. Determine what happened.
  2. Put in controls to stop it from happening again.
  3. Figure out how to communicate it.

Of course, the path to compliance is no easy duty, a comprehensive plan involving many different departments must be put in place in order to ensure an efficient deployment before May 25th. Life Sciences companies, be they pharmaceutical companies, biotech, CROs or Research centers must include in their strategy all the possible means to prevent personal data from being used in the wrong way, especially if concerning their patients’ identity.

Sources & Further Info

Follow us on Twitter