6 Key Insights on GDPR in the Health Sector
We would like to once again thank our speakers Eric Hoechstetter, Jean-Pierre Anzévui, the KOAN law firm team and our senior associate Sara Dousset for sharing their knowledge and experience on GDPR implementation in the health sector, as well as our guests for their valuable insights and questions. We also want to thank the Association of Corporate Counsel (ACC) for helping us organise this event.
The 6 key insights below reveal the complexity and remaining uncertainties of this subject and list some of the challenges that health sector professionals will need to address.
We encourage you to connect directly with our senior associate Sara Dousset, who assists our clients in the health sector and is a Certified Information Privacy Professional/Europe (CIPP/E).
1 – Competence of the Member States
Despite the intention to harmonize data protection in the European Union through the GDPR, the residual competence left to Member States creates difficulties, especially in the health sector. The issue is particularly delicate for multicenter research trials, given the application of several different national laws and a lack of clarity concerning the definition of some terms.
2 – National pharma-friendly legal frameworks
Some Member States, such as Belgium, intend to create a pharma-friendly legal framework, relying on Article 89 paragraph 2 of the GDPR, which allows them to derogate from some of the data subjects’ rights for scientific research (e.g. by extending derogations to private research). Swiss companies should consider this when selecting the Member State in which they will designate their European Representative.
3 – Consent for clinical trials
To collect consent for clinical trials, it is necessary to separate the consent form for data processing from the usual informed consent form (ICF).
4 – Audit of the data processors
One of the consequences of the self-regulation and accountability provided for by the GDPR since 25 May 2018 is that controllers not only require their processors, in their contracts, to comply with the GDPR, but also increasingly audit their processors to ensure compliance before entering into contracts.
5 – Uncertainties
Four months after implementation, as expected, uncertainties remain. For example, it is still unclear whether re-consenting is required for participants in clinical trials who were enrolled prior to implementation of the GDPR, and whether it is possible to rely on other legal bases to continue data processing when a data subject has withdrawn his/her consent.
6 – Notification of breach
In the context of clinical trials involving CROs/vendors in different states, the requirement to notify a breach within 72 hours may be extremely difficult to comply with, considering the necessary underlying transfer of information (e.g. notification period to the controller; translation of documents).