The EU GDPR: A game changer for scientific research and health science

 

The General Data Protection Regulation (GDPR) rules started to apply on 25 May 2018. They will fundamentally reshape the way data is handled across every domain, particularly health science.

 

Declan Kirrane is Chairman and Managing Director of Intelligence in Science (ISC), a Brussels-based advisory firm specialising in science, technology, R&D research and policy. After the GDPR entered into force in 2016, ISC organised an influential seminar that mainly gathered experts, EU policy- and decision-makers, and representatives from research organisations, industry and advocacy groups. They explored possible implications of the GDPR on the operation of R&D and science, and on collaborative EU research.

ISC organised “The Impact of the General Data Protection Regulation (GDPR) on collaborative science in Europe” seminar. What were the main outcomes?

The main result was a better appreciation of the enormous complexity in understanding GDPR’s impact on science. Initially, its impact wasn’t considered a priority during the proposed Regulation’s concept stage. Of course, most people understand that the GDPR’s impact will just be on the use of sensitive personal data, for example in health research. Very few people realise that for instance location data is personal data, too.

Specifically, the outcome of the meeting was a realisation that for any organisation to be compliant with the GDPR, they would in principle have to abide by a code of conduct. Article 40 states that Member States, supervisory authorities, the Board and the Commission shall encourage the drawing up of codes intended to contribute to GDPR’s proper application. They will take into account the specific features of the various processing sectors and needs of micro-, small and medium-sized enterprises.

There’s also the question of monitoring and enforcement. The issue of monitoring bodies arises in Article 40(4) and then 41, i.e. whether a monitoring body is a mandatory requirement in order for a code to obtain approval. The current position is that this will be the case. A second issue that’s linked is the accreditation of a monitoring body, and this is another area that needs to be resolved. However, there appears to be some flexibility amongst data protection authorities on this issue. Perhaps a less stringent approach may be posited that will consider a pragmatic view to appropriately accommodate the variety and composition of associations that may be interested in drafting and seeking approval for their code both at national and European levels. This in turn may balance out the mandatory requirement of having one in the first instance.

 

What is the GDPR’s impact on scientific research overall, and health science in particular?

GDPR is a great opportunity for Europe. It’s one important part in developing this common European data space according to the Single Digital Market strategy. You need a defined and secure environment to share data. Without such an environment, you can’t share. GDPR was a major step towards developing this common European space for sharing data.

I think the end result is a good compromise for protecting the privacy and interests of data subjects, but at the same time giving enough flexibility for the research we need. GDPR definitely strengthens the rights of the data subject in terms of giving rights to know which data is being used in this process, the right to receive, to correct and delete data. This is very important, especially in medical research.

By the way, this also opens completely new innovation business fields in the context of health and health services because medicine today really relies on using different types of data. Without data, you can’t diagnose a disease or treat a patient. When patients don’t have access to their disease and health-related data, they can’t seek independent advice or a second opinion. As a result, they can’t choose the most appropriate care. So this right is key for opening the health market to citizens. Without this power to access your own data, you can’t exercise these rights and the autonomy of free healthcare choice. This of course provides entirely new opportunities for new products, new services and so on, so this has major implications.

On the classical research side, the GDPR’s Article 89 created a common basis for research in Europe and in the health domain, as well as research requiring access to sensitive data. The good thing is it’s now a common European basis. It gives some freedom and flexibility because it explicitly foresees that research can be performed even without specific consent which sometimes isn’t possible or affordable, and would undermine the scientific goals of a project. However, in this case we have to take proper measures to protect the data subjects’ privacy and interests. This is done by anonymising data and/or removing identifiers as early as possible in the research process, and setting up the technical and governance safeguards to protect such privacy and interests. If you do it properly, then you have the freedom. The downside of this is that Article 89 gave some freedom to Member States to further define how it gets implemented and aligns with national laws. As a result, we’re observing different implementation, and this to some extent counteracts and undermines the common basis which was a major goal and achievement of GDPR. So it’s good to have a common basis, but the drawback is that some important issues were delegated to Member States in the end. Here we see again a new level of heterogeneity in this European framework.

 

What is a major GDPR challenge ahead for the EU, and how can we overcome it?

A challenge for the future is data access. The way we analyse data will be very important for driving research, innovation, health and the economy. Without these capabilities, one can’t participate in this development. I see here a very heterogeneous global landscape. I think it will be a challenge for Europe, first of all to provide data in a standardised way because if data isn’t standardised, if you can’t define data quality, it’s essentially rubbish. Particularly in personalised medicine, you can’t compensate for rubbish with massive data because this will completely hide the distinct features of an individual disease that’s key to personalised medicine. Therefore, data quality is absolutely crucial, and we need to standardise our procedures and establish criteria on how to define data quality. Next, when we have data, we need the capacity to analyse it. This is where I see a global imbalance when it comes to the capacities of large-scale data analysis. The big companies aren’t in Europe.

 

Kirrane works very closely on GDPR issues with Kurt Zatloukal, an authority on the subject. Zatloukal, MD, is a professor of pathology at the Medical University of Graz and head of the Diagnostic and Research Center for Molecular BioMedicine. He coordinated the preparatory phase of the European biobanking and biomolecular research infrastructure (BBMRI-ERIC), and is now director of its Austrian national node. BBMRI-ERIC provides access to human biological samples and associated medical data. GDPR is of key relevance to BBMRI-ERIC, which has been involved as a stakeholder in its development. BBMRI-ERIC is currently working on a code of conduct for implementation in biomedical research. Zatloukal is a member of the scientific board for genetic testing and human gene therapy at the Austrian Ministry of Health, and a member of the Austrian Standards Institute, CEN and ISO technical committees. He’s also a project leader for several European and ISO standards for pre-analytical processing of tissue samples for molecular diagnostics.