Privacy laws are changing on the 25th May. Are you ready?
On 25th May 2018 the European Union’s new data protection law, the General Data Protection Regulation (GDPR), comes into force with immediate effect, and it will have a far-reaching impact on companies worldwide.
If you or your company handle personal data of any kind, you will most likely be affected.
From May 2018, companies will have to implement a long list of changes in order to comply with the GDPR or face strict penalties.
What is the GDPR?
The GDPR supersedes the existing Data Protection Directive (DPD) and provides common data privacy laws for all EU countries to follow.
The GDPR will apply to organisations worldwide, not just those in the EU. It brings a significant number of changes and additions to what was required under the DPD.
What are the changes brought about by the GDPR?
- Increased scope
- New, broader definition of “personal data”
- Tighter transparency regulations
- Expansion of individuals’ rights: right of access, right to complain, right of erasure
- New rights introduced: data portability and restriction of processing
- New requirements of controllers and processors of data
- New penalty structure for non-compliance
What are the new high penalties? What is the cost of compliance?
If a company is non-compliant, it can potentially be subjected to fines of up to £18 million ($24 million) or 4% of an organisation’s worldwide revenue, whichever is greater.
There are significant implications for an organisation’s budget in becoming GDPR compliant. There are the obvious costs of becoming GDPR ready, such as changing data storage systems and processes, and employing consultants and legal counsel.
One key position required by the GDPR is a data protection officer (DPO), so organisations will have to ensure they have recruited to this position in time for the regulation’s implementation.
What are the implications of the GDPR for the drug development industry both in the EU and the US?
The EU recognises privacy as a fundamental human right, and therefore personal information is highly protected. The US does not take the same strict approach to data protection, but the GDPR will force global organisations to adhere to this EU standard.
The GDPR will apply equally to all organisations subject to it, regardless of where in the world they are located.
In a clinical trial, Sponsors and Investigators are most likely to be the controllers, as they are the ones who collect data from trial subjects. CROs and vendors are most likely to be the processors, as they are the ones processing trial data.
These roles should be defined clearly at the start of the trial so that controllers and processors can agree their responsibilities and ensure compliance with the GDPR requirements.
It is important for an organisation to understand its data flow: Where is it going? Where is it stored? On what kind of system? There needs to be an organisational understanding of what constitutes personal data and how sensitively each type of data should be treated.
Global organisations need to establish how to integrate the GDPR into their existing data privacy programs, considering global regulatory frameworks such as US state-specific laws and Asia-pacific laws.
To be a truly global company and keep up with the market leaders, organisations will have to work out how to expand their current DPD programs to ensure compliance with the GDPR. This will be significantly more difficult in countries like the US, where data privacy protection is still in its infancy.
To be a truly global market leader, all members of the organisation will need to understand and conform to the GDPR.
The proper handling of personal data is a legal requirement and of utmost importance in protecting patients and employees and in maintaining the integrity of a clinical trial.
To ensure your compliance with GDPR, why not check out our website at www.trainingonline4u.com and take our comprehensive GDPR course today.