Three things life scientists need to know about GDPR
Sensitive personal data sits right at the heart of the life sciences sector. It’s only right, therefore, that careful attention is paid to ensuring this information is handled with care and managed properly.
The way in which those two criteria are met is changing. The European Union’s General Data Protection Regulation (GDPR) is refreshing the 20-year-old rules that currently govern the way data is collected, held and used. GDPR comes in on May 25, with businesses in every industry now facing a challenge to prepare themselves for the change.
The rules are pretty clear when it comes to what is covered too. For the avoidance of doubt – and there has been a debate on this in some circles – genetic and biometric data is classed as ‘sensitive personal data’. Even pseudonymised data – information which is protected by a key code for example – is treated as personal data and falls under the remit of GDPR.
People in life sciences shouldn’t be daunted by this. This is, after all, an industry that is well versed with adapting to regulatory frameworks from a scientific perspective – GDPR is merely an extension of this from a data perspective.
So, other than the fact that it is coming, what do people in life science need to know about GDPR?
Consent is crucial
The importance of ‘consent’ is central to the changes being brought in with GDPR. People will now have to give permission for their data to be taken and used, and the consent they give has to be ‘freely given, specific, informed and unambiguous’. Basically, companies will have to be much more explicit about the data they take, how they will use it and where they will use it.
As Biotech and Money notes: “This poses considerable challenges to life sciences companies as any restrictions on processing personal data could have serious impacts on life sciences projects, especially clinical trials. The GDPR is also very prescriptive as to what must be included within privacy notices, such as details of retention periods, the legal basis for processing and notification of the enhanced rights.”
It doesn’t necessarily matter if you’re not in the EU
You might be tempted to write this off as European Union legislation, especially if your work is largely centred around the life sciences hotspots of the United States. However, while it’s true that this is an EU initiative, it’s wrong to think that the scope doesn’t go further.
Lexology notes that there are four groups of companies that will be affected by GDPR. These are:
- Those that have an ‘establishment’ in the EU
- Businesses that offer goods and services in the EU (for life sciences this could mean clinical studies or the production of pharmaceuticals)
- Companies that profile or monitor the behaviour of people in the EU (such as healthcare studies)
- Businesses that work with third parties and contractors who themselves need to comply with GDPR (this might be CROs running clinical studies for example).
Mistakes could be very costly
If you needed a further incentive to take GDPR seriously, then a quick look at the potential costs of an error with this should offer all the persuasion needed.
Fines for failing to handle and manage data properly could total €20 million or four per cent of a company’s annual worldwide turnover, whichever is higher (again showing how the scope reaches beyond EU boundaries).
If everyone in the life sciences becomes aware of the cultural change surrounding data capture and use, of the full scope of GDPR and of the price of a mistake, then that is a highly useful starting point, and it marks the beginning of a conversation that every company needs to be having right now. From there, it’s crucial to obtain specialist training and update working practices where necessary to ensure the regulations are being adhered to.