The Life Sciences sector is used to constant regulatory change. However, the next few years are about to see major new legislation in the EU that could result in major disruption to Life Sciences, Pharmaceutical and Healthcare companies – wherever they are.
As I mentioned in my previous blog, I’m going to concentrate on two large pieces of legislation in this blog – the EU General Data Protection Regulation (GDPR) and the EU Medical Device Regulation (EU MDR) – and look at the information management challenges they present.
To say that the regulatory environment for Life Sciences in Europe is challenging would be an understatement. It feels like the EU parliament decided to deliver all the new regulations at once. In the case of the GDPR and EU MDR, the new regulations are the first significant updates from directives created in the mid-1990s.
It would be difficult enough to prepare for these two big changes, but this is really only the start. In addition, the European Medicines Agency (EMA) Clinical Trial Regulation and the EU Falsified Medicines Directive (EUFMD) come into force in 2019. After that, the EMA has begun a phased program to implement ISO IDMP standards for the identification of medicinal products. In addition to complying with the individual regulations, you need to carefully consider the interplay between them. There is a great deal to consider, but in this blog I will focus the discussion on the GDPR and EU MDR regulations.
The General Data Protection Regulation (GDPR)
The GDPR has hit the headlines for the fines that can be applied to organizations for data breaches – up to €20 million or 4% of annual global turnover, whichever is higher. The new regulation increases the need for transparency, security and accountability of organizations processing data, while strengthening the rights of individuals to be better informed about how, and why, their personal data is being used. It applies to any organization that processes or monitors any personal data of people resident in the EU – even if the organization is not based in Europe.
The new regulation provides a very wide definition of personal data. Of particular interest to Life Sciences is the fact that the definition includes genetic and health data for the first time. Both genetic and health data are defined as ‘sensitive’ by the GDPR and the regulation places more responsibilities and accountability on those data controllers and data processors handling sensitive data – which will include almost all Life Sciences and Healthcare companies.
At the same time, the GDPR gives the individual many more rights over their personal data. The right that has received the most exposure is the ‘right to be forgotten’, where the individual can request the deletion of all of their personal data held by an organization. This may be challenging for Life Sciences companies – especially where a subject in a clinical trial asks to have their data deleted – although the GDPR does include a series of exceptions to allow for medical and scientific research.
The major GDPR stipulations that affect Life Sciences include:
Article 5 of the GDPR sets out the principles for the processing of personal data. In addition to ensuring the accuracy of the data and transparency of processing, it establishes that organizations should employ data minimization to make sure that they hold the least amount of data on a person for the shortest possible time. This is a large change for Life Sciences companies accustomed to creating and retaining large amounts of information for clinical, production and marketing activities.
The article also makes clear that, where data is retained, it should be made unidentifiable as quickly as possible. The GDPR introduces the concept of ‘pseudonymization’ – the process of separating personal data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. Many Life Sciences companies already use coded data, but this is unlikely to be enough for GDPR compliance.
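To make the distinction between ‘coded data’ and pseudonymization concrete, here is an added example (not code from the original post or its author). It assumes a keyed approach: direct identifiers are split out of each trial record, replaced by an HMAC-based pseudonym, and the pseudonym-to-identity link table is held separately together with the key. The subject records, field names and key are all constructed for the illustration. The example also shows why a plain hash of the identifiers (the typical ‘coded’ pattern) does not achieve the same separation: the code can be recomputed from the identity alone, without any separately held information.

```python
import hashlib
import hmac
import secrets

# Constructed sample trial records (not real people). Direct identifiers
# sit in the same row as the clinical measurements that must be retained.
SUBJECTS = [
    {"name": "Alice Example", "dob": "1980-04-12", "email": "alice@example.org",
     "site": "DE-01", "visit": 1, "hba1c": 7.1},
    {"name": "Bob Example", "dob": "1975-09-30", "email": "bob@example.org",
     "site": "DE-01", "visit": 1, "hba1c": 6.4},
    {"name": "Alice Example", "dob": "1980-04-12", "email": "alice@example.org",
     "site": "DE-01", "visit": 2, "hba1c": 6.8},
]

# Fields that identify a person directly. Everything else is the clinical
# payload that analysts (or a CRO acting as processor) actually need.
DIRECT_IDENTIFIERS = ("name", "dob", "email")


def identity_string(record):
    """Canonical identity used as MAC input (same subject -> same string)."""
    return "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)


def pseudonym(record, key):
    """Keyed pseudonym: HMAC-SHA256 over the identity, truncated for readability.

    Deterministic, so repeat visits of one subject link to the same pseudonym,
    but not recomputable by anyone who does not hold `key`.
    """
    return hmac.new(key, identity_string(record).encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Split records into (clinical dataset, link table).

    The clinical dataset carries only the pseudonym plus non-identifying
    fields. The link table maps pseudonym -> direct identifiers and is the
    'additional information' that has to be stored separately, with the key.
    """
    clinical, link_table = [], {}
    for rec in records:
        pid = pseudonym(rec, key)
        clinical.append({"subject_id": pid,
                         **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
        link_table[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
    return clinical, link_table


def contains_direct_identifiers(clinical):
    """Sanity check to run before the clinical dataset leaves the controller."""
    return any(f in rec for rec in clinical for f in DIRECT_IDENTIFIERS)


def reidentify(pid, link_table):
    """Only the party holding the link table can go back to a person."""
    return link_table.get(pid)


def unkeyed_code(record):
    """The 'coded data' pattern: a plain hash of the identifiers, no secret."""
    return hashlib.sha256(identity_string(record).encode()).hexdigest()[:16]


def recomputable_without_key(record, code_for_record):
    """True if a subject code can be reproduced from the identity alone.

    For unkeyed codes this is True, so separating the code list achieves
    little; for the keyed pseudonym it is False.
    """
    return unkeyed_code(record) == code_for_record


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, apart from the data
    clinical, links = pseudonymize(SUBJECTS, key)
    print(clinical)
    print("direct identifiers present:", contains_direct_identifiers(clinical))
```

In practice the key and link table would live in a separate system with its own access control and retention schedule, so that deleting them (for example when a subject withdraws) turns the clinical dataset into data that can no longer be linked back to a person.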
For the first time, both the data controller and data processor are responsible and liable for personal data. In a clinical trial example, the Pharmaceutical sponsor would be the controller and the CRO would be the processor. However, this example highlights another challenge for Life Sciences companies as, in this situation, the sponsor and CRO could equally be considered ‘joint controllers’. It is essential that the exact relationship is clearly established and set out in contractual terms.
GDPR will force every organization to review and amend their consent procedures – including consent records management. Informed consent forms lie at the heart of activities, such as clinical trials, but your current forms are unlikely to be sufficient.
Under the GDPR, consent has to be a freely given, specific, informed and unambiguous indication of the person’s wishes. It can be validly obtained through methods such as a written consent form or clicking an ‘I consent’ button. In all cases, the consent form needs to contain the following information:
- The specific purpose for the processing
- Where the data is to be processed – especially if in a third country
- Where possible, the duration of time that the data will be held
- The fact that the person can withdraw their consent at any time
All consent terms must be written in plain language – especially when on forms with non-consent related information – and it must be clear that consent was granted without an imbalance of power affecting the decision, such as a doctor forcing a patient to sign up to a clinical trial.
Cross-border data transfer
Previously, European data protection legislation only applied to organizations that collected and used personal data if they were based in the EU or had processing equipment within the EU. Now, the GDPR applies to all organizations – wherever they are – that process data on EU residents.
The situation becomes more complex when the processing of personal data happens outside the EU. The GDPR stipulates that it can only occur in third countries whose data protection requirements meet GDPR standards.
This means that organizations have to be careful about where personal data is processed within their organization and along its value chain.
Data Protection Officer (DPO)
There are only a few instances where the GDPR mandates the appointment of a Data Protection Officer (DPO). One of those is where the organization is handling sensitive data – such as health or genetic data. The role of the DPO is extremely comprehensive and, where possible, should be a full time position. The DPO is responsible for driving GDPR compliance throughout the organization, training all staff and acting as a point of contact for the regulatory authorities. As almost all Life Sciences and Healthcare organizations work with sensitive data, it is sensible to appoint a DPO as quickly as possible.
There’s a great deal more that all Life Sciences organizations need to understand about the GDPR. View our GDPR in Life Sciences webinar for more insights.
EU Medical Device Regulation (EU MDR)
Analyst group EY describes EU MDR as ‘a complex change program – a paradigm shift even – after which nothing will look quite the same’. The EU MDR came into force in May 2017 and the industry is currently in a three-year transition period. The new regulation is designed with two key objectives in mind. First, it aims to increase patient safety. As importantly, it increases the transparency of the business operations and supply chain of medical device manufacturers to build public trust.
Manufacturers should take time to understand how their technical architecture will help them respond to and comply with EU MDR provisions, including:
Technical files and documentation
Many technical files are currently sub-standard and issues are often missed by Notified Bodies. EU MDR prescribes a detailed format for technical documentation for the first time. All product information – whether for new or legacy products – will need to follow this format. Essential Requirements have now become General Safety and Performance Requirements and all checklists will need to be revised. All product and product family files will require some level of conversion and need to be carefully checked.
Clinical trials and evidence
The requirement for in-depth clinical evidence increases hugely under EU MDR – especially for Class III and implantable devices. For example, clinical investigations will be mandatory for all Class III applications and stored in systems inter-operable with a new version of the European Clinical Trials Database (EudraCT) and a robust process is required to update Clinical Evaluation Reports (CERs) with Post-Market Clinical Follow-Up (PMCF) data. Indeed, all products will require more focus on Post-Market Surveillance activities.
Device assessment and classification
The definition of medical devices has been significantly modified under the EU MDR. More devices – previously excluded – are now covered, and the information on existing products is likely to need updating or changing. Detailed information such as technical files, clinical data and product traceability requirements has to be considered. The new EU MDR requirements – such as the need for extra clinical trial data – may lead manufacturers to rationalize their product portfolios.
UDI and Labeling
Product traceability is key to EU MDR. The introduction of a Unique Device Identification system – likely to be similar to the system already implemented in the US – will allow your products to be tracked from production to patient. Manufacturers will have to add UDI information for all products to EUDAMED and importers will have to add their details to product registrations. In addition, the regulation stipulates that much richer data be included on product labels. Manufacturers must ensure that all appropriate data is related to the product for effective labeling, and that information is correctly displayed on product labels, supporting materials and corporate websites.
Post-market surveillance and vigilance
The EU MDR places great emphasis on post-market surveillance and there is a clear expectation that manufacturers will implement systems and processes around clinical vigilance, field safety corrective actions and trending activities to allow for fast remediation where product issues are identified – especially for Class III and implantable products. New electronic vigilance forms are likely to be introduced to correspond with the timeline for the reporting of serious incidents being slashed to 15 days. The required submission of Periodic Summary Updates (PSUR) – combining post-market surveillance, clinical and risk-benefit assessment data – adds to the administrative and cost burden of post-market surveillance for medical device organizations.
EU MDR is comprehensive and complex. Come to our webinar to receive more detailed insights on how EIM assists with MDR compliance.
Compliance: It’s an EIM issue
Complying with these new regulations is really an Enterprise Information Management (EIM) issue. In both cases, you need to be able to know what personal data you have, where and how it’s stored and processed, who owns and who uses it and whether it’s exchanged with third parties – especially when they are outside the EU. That’s almost impossible without an enterprise-wide EIM platform that can quickly identify the personal data you hold, automatically tag and categorize it, ensure that all relevant processing data is related to it and ensure it’s managed under your information security policies and procedures – including disposal.
In my next blog, I’ll take a look at two more pieces of EU legislation that are set to disrupt the Life Sciences sector – the implementation of ISO IDMP and the eIDAS electronic signature regulation.