Impact of GDPR on Clinical Research
Focus Area: Current Project
Focus Area: Global Regulatory Engagement
The European Union’s General Data Protection Regulation (GDPR) took effect on May 25, 2018. The regulation governs the processing of personal data of individuals located in any member state of the European Economic Area (EEA) or personal data processed in the context of an entity’s establishment located in an EEA member state. Personal data are defined broadly as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.” The law had an immediate impact on clinical research generally and multi-regional clinical trials specifically.
The GDPR applies extraterritorially in a broad range of circumstances and has disrupted US-based research as the privacy regulations in the US differ substantially from those of the EEA. Mark Barnes, MRCT Center Faculty Co-Director and Partner at Ropes and Gray, has led an effort to understand the key issues and implications of the GDPR on multi-regional clinical trials, clinical research, and public health. The effort seeks to define the issues, establish a dialogue with the European Commission and European Data Protection Board (EDPB) to illuminate problematic provisions of the GDPR and their impact, and develop solutions (if possible) and guidance to assist industry- and academic-sponsored research.
Current Status: Active
Devise common solutions to the issues facing the global research community under the GDPR while simultaneously allowing primary and secondary research to be conducted in a manner that is consistent with relevant ethical and legal requirements.
- Identify, explain, and discuss key problems that the GDPR has introduced for the global research community on clinical research, biobanking, and data banking, as well as big data research.
- Highlight the major challenges and ambiguities that the GDPR presents for regulators, industry, academia, IRBs/research ethics committees, and researchers.
- Engage with the European Commission and EDPB to explore potential solutions.
- Share preferred operational practices in each of these areas.
- Identify where further guidance or explanations (e.g., FAQs) would be helpful.
- To be planned: 1-hour session via conference line to discuss recent developments
This project has included a broad multi-national and multi-stakeholder group including government, industry, and academia. A series of expert meetings has occurred to date including:
- July 30, 2018:Application of the GDPR to Research: Legal, Practical and Strategic Implications: The MRCT Center convened over 110 representatives from academia, industry, and government. The conference explored the impact of the EU GDPR on human subjects’ research, biobanking and data banking, and big data research. A letter summarizing the findings was sent to the European Commission Directorate-General for Research and Innovation with a copy to EMA, NIH, and others.
- November 8, 2018: Research Roundtable focused on further GDPR developments including the possibility of collaborating to develop a Code of Conduct.
- January 2019:MRCT Center sent a letter to the EDPB commenting on the EDPB’s November 2018 draft guidance on the territorial scope of the GDPR.
- February 2019:Mark Barnes and colleagues at Ropes & Gray published an article discussing the challenges in the EDPB’s February 2019 opinion on the intersection of the GDPR and the EU Clinical Trials Regulation.
- May 2019: Mark Barnes attended a meeting with the Irish Data Protection Commission to discuss the challenges the GDPR poses to the research community
- Mark Barnes, JD, LLM,Faculty Co-Director, MRCT Center
- Barbara E. Bierer, MD,Faculty Director, MRCT Center
- David Peloquin, JD,Ropes & Gray LLP
Contact information: email@example.com