April 19, 2018
Global Data Protection Regulation (GDPR): Are you ready?
Continuum outlines its company-wide efforts to ensure compliance with new regulations.
In light of the seemingly constant reports of data breaches, hacking, and the unauthorized dissemination of personal data, data protection and security are increasingly important compliance issues in virtually all industries. This is particularly the case in healthcare, where sensitive patient health information is collected, aggregated, transferred and stored across the globe.
Many countries have updated and refined their data protection laws and regulations to ensure that personal data pertaining to consumers (and patients) is adequately safeguarded. As you likely are aware, in the European Union, there is a sweeping new law called the Global Data Protection Regulation (GDPR), which goes into effect on May 25, 2018. The GDPR was signed into law by the European Parliament in April 2016, and, among other things, is intended to help harmonize the requirements for the protection of personal data pertaining to residents of the European Union and European Economic Area.
The scope of the GDPR is much broader than the existing data protection laws in that region, and applies to any organization worldwide that collects, processes or stores E.U. personal data, irrespective of whether the organization has offices or employees in the E.U. In addition, the GDPR expands the potential for hefty monetary penalties and other enforcement for companies falling within its scope that fail to comply. Specifically, the fines can be up to 4% of the organization’s global annual revenue, or 20,000,000 euros, whichever is higher.
How is Continuum preparing to comply?
The GDPR, including its preamble, is a huge document – more than 250 pages of detailed regulatory information. The requirements include a number of new obligations, stronger rights for individuals, and a 72-hour breach notification obligation.
As the deadline for GDPR approaches, we want our partners to be aware of the company-wide efforts Continuum is undertaking to be compliant with the new regulations and incorporate them into our existing global data protection framework. With assistance from our highly experienced external data protection counsel, who sits on a team with the E.U. regulators and those of many other countries across the world, we have established a cross-functional team to address our GDPR compliance. Among other things, we have conducted a detailed review of our current practices and are updating them to ensure solid GDPR compliance before the May 25th deadline. Barring any unforeseen circumstances, we also plan to certify to the U.S.-E.U. Privacy Shield framework before that date. In doing so, we will be streamlining the data transfer compliance requirements between Continuum and our clients for transfers of E.U. personal data to the U.S.
Among other things, as also required by the GDPR, we are ensuring that our third-party partners sign data processor agreements; we have put in place a new training program for our workforce members; and we are updating our notices and consents and implementing new policies and procedures. Our corporate-wide efforts are fully supported by our management, and our board of directors is closely overseeing this initiative.
As noted above, the GDPR applies not only to healthcare organizations, but all businesses worldwide that collect, process or store E.U. personal data. As such, we are also ensuring a high level of compliance for our marketing teams and the activities that they engage in relative to the E.U., including, for example, our wide array of market research and other e-commerce and offline offerings. Our external counsel is helping us ensure that we are informed about the adaptation of the GDPR into E.U. member state laws, as well as the evolving data protection landscape in other countries, which is partly triggered by the GDPR. She is also keeping us advised about the ePrivacy Regulation in the E.U., which will impact the data protection obligations relating to eCommerce and marketing.
In conclusion, our mission has been, and remains, the same: achieve and sustain the position of being the most effective, thorough patient recruitment partner possible. We recognize the importance of data protection and security as a foundational component of that goal and of our business operations. As such, we have prioritized our understanding and incorporation of these regulations into our corporate culture and practices.
The framework Continuum has put in place will allow us to better serve our sponsor partners when questions arise about GDPR as it relates to patient recruitment and clinical trials. Though we don’t write consent forms, develop protocols, or collect and store data, we have assembled a team of experts in this area, who also have substantial expertise in U.S. and global clinical trials and adverse event reporting, so that we may advise on these aspects of a study. We strive to help our partners be as efficient as possible and minimize study start-up timelines while remaining fully compliant and patient-centric in everything we do.
We plan to provide additional details about specific aspects of the GDPR as it relates to patient recruitment and clinical trials and compliance as part of a larger series about patient data privacy.
If you have any questions about GDPR as it relates to clinical trials and patient recruitment, please email our privacy team and we will work to answer your questions.