1. If your compliance program isn’t working, fix it
Life sciences and health care companies may be in a better place than unregulated companies since there is already a compliance infrastructure, but this sector was probably as much affected by the rush to prepare for the EU General Data Protection Regulation (GDPR) as others. Different departments, divisions, product lines or even regions may have had responsibility for helping to deliver the project and this first year has probably resulted in lessons being learned as GDPR compliance has been operationalized. Year 2 provides:
- An opportunity to prioritize various functions, such as clinical trials and consent, obligations in relation to post-market surveillance requirements, and the interaction with the GDPR
- An opportunity to benchmark against long-awaited guidance from the European Data Protection Board and various supervisory authority decisions, as well as time to reflect on what works and what can be improved
- An opportunity for life sciences and health care companies to focus on governance and their roles as controllers and processors for the different products and services offered
- An opportunity to focus on the real risks at the next steps along the compliance journey
2. Consent: children, users, clinics and HCPs
Breaking down the types of consent required and when it is appropriate to obtain consent can be difficult. Certainly the guidance on the interplay between the EU Clinical Trials Regulation and the GDPR was helpful, but as yet there is no guidance on the requirements related to post-market surveillance or on the EU Medical Devices Regulation and EU In Vitro Diagnostic Medical Devices Regulation, particularly whether certain analytics requirements under these regulations result in the processing of personal data and, if so, whether consent would be required. Nor is there guidance about children’s consent in relation to clinical trials and whether extra steps are required. Where life sciences and health care companies offer digital services, the most recent draft of the Information Commissioner’s Office’s children’s code of practice may prove helpful in terms of age-appropriate privacy-by-design considerations, but where products have been on the market for some time, such as patient monitoring and management tools, companies may have to take these considerations into account in their next updates.
For clinics and health care professionals (HCPs) the line between consent and provision of a product subject to contract is also not always clear, especially when an HCP or small clinic is considered a sole trader and has the same rights as consumers and users/patients. Determining where consent is appropriate may be worth revisiting in year 2, particularly bearing in mind that consent may not be the easiest or most appropriate legal basis for processing data.