How EU GDPR Affects Collection of Biometric and Genetic Data

As we look toward the new European Union General Data Protection Regulation (GDPR) which takes effect this week, we expect some of its provisions to affect U.S-based life sciences companies conducting clinical trials at EU sites, particularly related to the collection of genetic and biometric data.

GDPR governs how data controllers and processors are permitted to engage with the personal data of EU citizens.  The new legislation differs from the former controlling legislation, the Data Protection Act, in some key ways. GDPR is broader in scope than the previous directive meaning that, as of May 25, 2018, even non-EU based companies will be subject to more extensive regulation.

GDPR implements a new extra-territorial rule, so that no matter if a company is based in the EU or not, it is still bound by GDPR if certain criteria are met. For example, even if a data controller (i.e., a sponsor) or processor is not established in EU, they will be bound by GDPR if they’re processing the data of individuals within the EU. Sponsors in the U.S. may now find themselves obligated by the GDPR privacy protections where they were not bound before. Member States are also free to impose further restrictions on the processing of health-related data.

The life sciences industry and clinical studies are clearly reliant upon the data that are collected from participants within clinical trials. GDPR introduces new, explicit privacy protections for such health-related data.

GDPR specifically categorizes genetic and biometric data—which is the type of health data upon which clinical trials largely rely—as “sensitive personal data”. Under GDPR, the processing of genetic or biometric data is prohibited unless an exception applies. In the clinical trials context, an exception that might commonly apply is gaining the consent of the data subject.

In an effort to protect the interests of individuals where an imbalance of power could occur or the possibility of serious data protection risks exist, GDPR has heightened the standard of consent to mean “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or clear affirmative action, signifies agreement to the processing of personal data related to him or her.”

This definition will provide the framework for sponsors gaining the necessary explicit consent from individuals who are considering joining a clinical study, such as via a written statement or informed consent contract.

As we approach May 25, 2018, sponsors must ensure that all informed consent contracts are compliant with GDPR and meet explicit consent standards as well as all other contractual obligations so that all prospective participants are protected and the sponsor is in compliance.

Contracts Associates has been working to help our clients navigate this new regulatory framework. Our team of attorneys has the deep experience and expertise necessary ensure that all of your informed consent agreements meet the higher bar that GDPR has introduced. We help our clients minimize the risk of penalties by updating contracts and providing reviews to ensure that all informed consent language is GDPR-compliant. If you haven’t yet contemplated how GDPR might change affect your study, please contact our CEO, Colleen Sproul, at cms@contractsassociates.com or call 781-598-8000 so that we can help guide you.