This is the first post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part Two and Part Three)
The clock is ticking: on May 25, 2018, in less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace the Directive 95/46/CE (“the Directive”).
The purpose of the Directive was to protect the personal data of individuals to an extent that may seem surprising from a US point of view. The new regulation goes even further, since it is presented as “an essential step to strengthen citizens’ fundamental rights in the digital age.”
The GDPR is, as its title indicates, a “general” regulation which applies to the collecting and processing of personal data by all kinds of entities in all activities, including in the healthcare/life science sectors, whereas the US takes a “sectoral approach” to data protection, with a specific act (HIPAA) for health information.
Why You Can’t Ignore the GDPR
Healthcare/life science companies in the EU are already very much attuned to personal data protection as they handle sensitive data such as patients’ details and clinical trials subjects’ details. Adapting to the GDPR should be relatively easy for them.
Extra Territorial Effect
On the other hand, one of the major impacts of the GDPR is that it extends the application of European legislation to companies outside the EU. Basically, the Directive applied only to organizations established within the EU or using equipment within the EU; it did not apply to organizations established outside the EU, even if they were conducting activities in Europe.
The GDPR has a much broader scope: it will apply to organizations established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU (Article 3). In other words, even a US company will have to comply with the GDPR if it targets European consumers or monitors any personal data on European citizens.
Some US healthcare/life science companies not affected by the Directive will now have to comply with the GDPR. They may already have some familiarity with EU data protection rules, due to the requirements for data transfers outside the EU (e.g., the EU-US Privacy Shield or other tools; see below), if they received, for example, personal information collected in the course of clinical trials from a CRO established in the EU. However, the requirements will be more stringent once they are directly subject to European rules.
Data Transfer Outside the EU
The GDPR maintains the same requirements for data transfers outside the EU. Such transfers occur, for example, when persons located in the US have access to data stored in the EU. When personal data collected in the EU is transferred to the US, a country which, from a European point of view, does not afford an adequate level of protection, significant restrictions apply. Such a transfer is prohibited unless the data exporter has taken certain precautions, such as:
- Signing the relevant Commission standard clauses
- Adopting Binding Corporate Rules
- Certifying into the Privacy Shield scheme
The GDPR considerably increases the sanctions and penalties in the event of non-compliance. Under the Directive, sanctions were left up to the Member States, which led to discrepancies. For example, in the UK, the maximum fine is currently £500,000, whereas in France, it was until recently €150,000. Under the GDPR, the maximum amount of financial sanctions is harmonized and increased to 4% of the total worldwide annual turnover or 20 million euros, whichever is greater (Article 83). Given this change, compliance with the GDPR should be taken all the more seriously.