On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect. U.S. clinical product development companies, both Data Controllers (those who collect personal data from EU residents) and Data Processors (those who process personal data of EU residents on behalf of controllers), may be subject to the GDPR if they offer products or services to EU residents or monitor the behavior of such residents, even without a physical presence in the EU.
Think you’re not impacted? Think again. The California Consumer Privacy Act (CCPA) of 2018 was signed into law on June 28, 2018. The rights it grants California consumers, which take effect in 2020, closely resemble the rights provided under the GDPR.
Both GDPR and CCPA subject non-compliant businesses to expensive fines, class-action lawsuits, and injunctions. With California taking the lead, we can expect more states to follow.
Even if your product is still under development and you are using or collecting clinical data only to inform your design, you are still subject to these laws. Patient consent does not exempt you: consent is one lawful basis for processing, not a waiver of the rest of your obligations.
Here are steps toward compliance:
Develop a privacy protection implementation plan – Define the scope, approach, requirements, definition of protected data, use environments, training, deliverables and timeline. Focus on high-level protections first.
Conduct data landscaping – Map the entire flow of protected data (both physical and electronic) at rest, in use and in transit. Consider every touch point: accessioning, collection, use, sharing, storage, monitoring, and deletion of such data.
Conduct a risk assessment – Using the protected data flow, identify current controls in place and identify all potential security and privacy risks/threats to the data. Consider external, internal, third parties and environmental factors. For each risk/threat identify a control measure to protect the data.
Evaluate existing and establish formal compliance procedures – Formally document all control measures in procedures such as physical security, information systems security, handling of regulated data, consent requests, data retention and managing breaches.
Implementation – Put the control measures defined in the formal compliance procedures in place, through policy and through technical controls (access control and password protection, encryption, anti-virus).
Verification – Conduct initial and periodic verification and audit of the risk control measures: physical security, firewall rules, OS/application patching, anti-virus updates, and so on.
Implementation Report – Maintain an up-to-date report that can be presented as evidence of data protection compliance to regulatory bodies, development partners and consumers.
Contact BeanStock Ventures for a free assessment and quote: email@example.com.
BeanStock Ventures has over 19 years’ experience developing compliant and meaningful products in the healthcare industry.