General Data Protection Regulation
What was the purpose of the EU-US privacy shield framework?
To support cross-border data transfers by businesses from EU member states to the US. The company adheres to these principles, including: Notice, Choice, Accountability, Access and Recourse, Enforcement and Liability. The company has certified to the US Department of Commerce that it adheres to these principles.
Which of the documents at the company comply with GDPR requirements?
MSAs, site agreements, feasibility documents and CDA templates, ICFs
What does GDPR permit EU member states to introduce?
More specific provisions in a number of areas, including employee data processing. Therefore, local data protection laws need to be considered.
The GDPR applies to the processing of personal data:
1. By EU establishments, where personal data is processed in the context of the activities of the establishment (regardless of whether the processing occurs in the EU).
2. By non-EU establishments, where personal data about EU data subjects is processed in connection with:
a. Offering goods or services to Data Subjects in the EU
b. Monitoring the behavior of data subjects that takes place in the EU
What is GDPR?
An EU regulation that is directly applicable as of 25 May 2018. It replaces and repeals the Data Protection Directive and is designed to harmonize.
What is Processing?
Any action or set of actions performed on Personal Data, including the collection, recording, storage, use, erasure and destruction of personal data.
Example 1: Company processes many types of personal data from clinical trial patients, which may include sensitive personal data such as health data. Who is the Data Processor and who is the Data Controller?
The Company is the Data Processor; the Sponsor/Site are the Data Controllers.
Example 3: Medpace processes personal data of its employees. Is the Company a Data Processor or a Data Controller?
The Company is a Data Controller.
Example 2: Company processes personal data from vendors, consultants, investigators, site staff personnel, and other third parties. Is the Company a Data Processor or a Data Controller?
The Company may be a Data Controller or a Data Processor.
Who is subject to significant administrative fines?
Data Controllers and Data Processors
Rights of Data Subjects
Data Subjects have the right to obtain confirmation from a Data Controller as to whether or not the Data Controller is processing Personal Data relating to him or her. The Company is generally a Data Controller for its employees' personal data. The Company is usually not a Data Controller of study patients' personal data; instead, the sponsor or site is the data controller. If the data controller does process the data subject's personal data, it must provide the data subject with access to a copy of the personal data and the supplemental information set forth in the GDPR.
Who submits SARs?
Data subjects
Company has committed to respecting whose privacy and rights?
Employees, clinical trial patients, sponsor personnel, investigators, site staff personnel, vendor personnel and other third parties.
What happens if you become aware of accidental or unlawful destruction, loss, potential loss, alteration or unauthorized disclosure of, or access to, any personal data?
Immediately report it.
What is the cost of infringement?
Infringement of certain provisions of the GDPR could result in fines of up to 20,000,000 euros or up to 4% of worldwide annual revenue of the prior financial year, whichever is higher.
What principles must be complied with when processing personal data?
Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimization; Accuracy; Storage Limitation; Integrity and Confidentiality; Accountability.
Who does a Data Controller notify if there has been a personal data breach?
The national supervisory authority and, in certain instances, the data subject.
a. National supervisory authority: required to contact without delay and in any event within 72 hours of becoming aware of the breach
b. Data controller: without delay after becoming aware
c.
Is GDPR expected to have a major impact on the company?
No
Should personal data be written down?
No
What is a Data Controller?
The party that determines the purposes and means of the processing of personal data.
Integrity and Confidentiality
Personal Data must be processed in a way that appropriately ensures its security. Personal Data must be protected from unauthorized and unlawful processing and from accidental loss, destruction and damage. Appropriate technical and organizational security measures must be used to ensure this. These measures may include encryption, training and physical security.
Purpose Limitation
Personal data must only be collected for specified, explicit and legitimate purposes. Personal data must not be further processed in any manner that is incompatible with those purposes. The company processes personal data for:
a. employee data related to employment
b. personal data of individuals (including patients and investigators) involved in clinical trials, for the purposes of conducting the clinical trial
c. contact information for business communications and marketing
Accuracy
Personal data must be accurate and kept up to date (when necessary). Reasonable steps need to be taken to ensure that inaccurate personal data is erased or rectified without delay.
Data Minimization
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Only collect what you really need.
Lawfulness, Fairness, and Transparency
Personal data must be processed in a lawful, fair and transparent manner in relation to the data subject. The Data Controller must only process personal data on the basis of one of the legal grounds set forth in the GDPR. Transparency is a new element of this principle and is now an express obligation:
a. more detailed information must be provided to data subjects when processing their personal data
b. the information that must be provided to data subjects is explicitly listed in the GDPR and includes the relevant legal basis relied upon to legitimize the processing
Storage Limitation
Personal data must not be kept in a form which permits data subjects to be identified for longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods if it will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, provided that the appropriate safeguards required by the GDPR are put in place.
What is a SAR?
Subject access request: any request made by or on behalf of a data subject regarding his or her personal data which may have been processed by an organization. They do not need to be formal requests, nor do they need to be in a particular form. Any request regarding personal data could be a SAR. Data subjects who might submit SARs to the company include investigators, site staff personnel, company employees, third-party vendors, consultants and clinical trial patients.
Who is a Data Protection Officer?
The individual who is primarily responsible for ensuring that an organization is processing personal data in compliance with the GDPR and for monitoring compliance with the GDPR.
How does the company comply with data protection laws?
They have policies and procedures in place to protect personal data
What are the conditions for obtaining consent?
a. It must be a freely given, specific, informed and unambiguous indication of the individual data subject's consent to the processing of his/her personal data
b. It requires an affirmative action or a statement; it cannot be assumed from inaction. Silence, pre-ticked boxes or inactivity do not constitute valid consent
c. Consent requests must be presented in a clearly distinguishable, intelligible and easily accessible form, using clear and plain language
d. The data subject must have the right to withdraw consent at any time, and it must be as easy to withdraw consent as it is to give it
What is a Data Subject?
Any identified or identifiable natural person to whom personal data relates.
What is Personal Data?
Any information relating to a Data Subject, such as name, address, email address, phone number, photo, education, employment details, location data and online identifiers. All information relating to an identified or identifiable natural person.
How is personal data received by the company handled?
Carefully, and in a manner that protects the privacy of the data subject.
When should SARs (subject access requests) be reported?
Immediately. If unclear, it should still be sent. Corporate Affairs will respond; everyone is responsible.
Processing sensitive categories of personal data
It is subject to more stringent conditions for processing. This includes data about: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning an individual's sex life or sexual orientation. Processing of data relating to criminal convictions and offenses, and processing of national identification numbers, are typically subject to stringent conditions under EU member state law.
Accountability
The Data Controller is responsible for, and must be able to demonstrate, compliance with the data protection principles of the GDPR. Specific measures must be in place:
a. implementing appropriate data protection / information security policies
b. taking measures to meet the privacy by design and by default principle
c. executing data processing agreements with data processors
d. maintaining internal records of processing activities
e. carrying out data protection impact assessments
f. appointing a data protection officer
g. cooperating with data protection supervisory authorities upon request
(Data Processors also have an obligation to implement some of the above listed measures.)
What is a Data Processor?
The party that processes personal data on behalf of a data controller.
Why does GDPR regulate and restrict transfers of personal data outside of the EU?
To ensure that there are adequate levels of protection that are essentially equivalent to those of the EU. Transfers outside of the EU, and subsequent onward transfers, are only permitted if certain conditions are met.
What is the purpose of a DPIA?
To identify and mitigate high-risk data processing. Customers or sites may request DPIA forms to be completed by the company.
When is a Data Protection Impact Assessment required?
When data processing is likely to result in a high risk to the rights and freedoms of natural persons, e.g. the archiving of personal data from research projects or clinical trials. The Company has submitted a DPIA.
When can Personal Data be processed?
When it is necessary for performing a contract, or to take steps at the request of the data subject prior to entering into a contract.