Some laws govern the use of crosswalks; others, how to clean up after our pet in public spaces.
Then there’s the EU General Data Protection Regulation (EU GDPR).
Now, safety considerations, not to mention lawful conduct, urge us to cross the street along designated paths. (Just as common courtesy persuades most of us to scoop up our terrier’s natural fertilizer from the sidewalk.) But we all let distraction or the rush of the workday get the better of us from time to time. The costs of ignoring the law are small in this case. Rules against crossing a street outside of a crosswalk are rarely enforced here in the United States. If law enforcement does catch us in the act, punishment ranges from a warning to a small fine.
A repeat violation of the EU GDPR, on the other hand, could cost the guilty party 20,000,000 Euro.
So how do you stay in between the lines when it comes to this regulation? Knowledge is the best defense, so without any further ado, here are the basic facts you need to know.
What does the GDPR aim to accomplish?
To quote the homepage of eugdpr.org: “The EU General Data Protection Regulation (GDPR) … was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.”
This is vague, but the second clause does highlight the regulation’s main purpose; namely, “to protect and empower all EU citizens’ data privacy.” Harmonization of data privacy laws may be a boon to data-gathering entities operating in multiple EU countries. But given the amount of text proclaiming the rights and freedoms of data subjects (or stating the duties of data controllers and processors in upholding those rights and freedoms), the motivation of the GDPR is clear. This regulation is about individuals’ rights over information about themselves: when it may be obtained, how it must be protected, and what may or may not be done with it.
Chapter 1, Article 1 of the official regulation (“Subject-matter and objectives”) makes this clear in more legal-sounding language:
1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
What is “personal data”?
Article 4 sets out 26 definitions, and it’s no coincidence that “personal data” is the first:
For the purposes of this Regulation:
1. ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Worth noting is the reference to “an online identifier”. The regulation considers IP addresses and cookie strings personal data.
But a legal-sounding definition doesn’t capture the sanctity with which personal data is regarded in the EU. With the exceptions of sensitive health and financial information, data about a person in the U.S. is subject to the principle of “finders keepers” (de facto if not de jure). Corporations routinely lay claim to personal data through an obscure “terms of use” page on their website, or the failure of a customer to explicitly deny the corporation the right to collect his or her data. In Europe, personal data is an aspect of personal dignity. The GDPR is, among other things, an insistence on this cultural fact in light of an increasingly global and data-driven economy.
Who is obligated to follow it?
The GDPR casts a wide net. All persons or organizations that are reasonably construed as either a “data controller” or “data processor” (regardless of whether data control or processing is that entity’s primary function) are subject to the regulation if any one of three conditions applies.
Who or what constitutes a “data controller”?
The “data controller” is the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” Typically, this is the entity at the top of the “data solicitation chain”; in the area of clinical research, the sponsor, academic institution, or CRO/ARO.
Who or what constitutes a “data processor”?
The data processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Those who play any role in the administration of a database, including software vendors in those cases where the database is digital, are data processors.
What are the conditions under which a data controller or data processor is bound by the GDPR?
If any one of the following conditions obtains for a data controller or data processor, that entity is bound by the GDPR:
- The data controller is based in the European Union (regardless of where the data subject is based)
- The data processor operating on behalf of the data controller is based in the European Union (regardless of where the data subject is based)
- The data subject is based in the European Union
Practically, the safest default assumption is that your research operations are bound by the GDPR. If any participant in your study resides in the EU, or any link in the chain of data custody passes through the EU, or your organization is based in the EU, the GDPR’s applicability is clear.
What must those persons or entities do?
GDPR mandates are best thought of as duties that data controllers and processors have in upholding the rights of data subjects. Articles 12 through 23 enumerate the rights of the data subject. No summary is adequate to convey all of the particular rights, and for that reason it is incumbent on all data controllers and processors to read, understand, and abide by practices which uphold these rights. But for the purposes of this primer, we can think of these rights as granting persons the following powers and assurances.
Powers
- To provide only those elements of personal data they agree to provide, having been fully informed of the purposes and risks of the data collection
- To provide such data only to those entities he or she wishes
- To rectify or request the erasure of their personal data
- To access the personal data collected from them in a readable and standardized format (note that this does not necessarily mean in a native spoken language)
- To contest significant decisions affecting them (e.g., those of employment or legal action) that are computed solely by an algorithm operating on their personal data
- To seek legal redress for the failure of a data controller or data processor to respect these powers or to maintain the following assurances
Assurances
- The data subject shall not be identifiable from the personal data, through use of secure pseudonymization protocols (e.g. assigning an alphanumeric identifier to a data subject and/or an element of their personal data, from which publicly identifying information such as the subject’s name, NHS number, address, or birthday cannot be deduced)
- The data subject will be immediately informed of any breach of their data privacy
- The data subject’s personal data shall be consulted and processed only for those purposes disclosed to the data subject as part of obtaining his or her informed consent
- Data controllers shall request from the data subject only those elements of personal data that are essential to the purposes made explicit during the process of informed consent (i.e. data minimization)
What duties do these powers and assurances incur for data controllers and processors? The concept of “data protection by design and default” is a useful, if general, place to start. Before data collection begins, data controllers and processors must establish and document systems and practices that:
- make it clear to the data subject which elements of their personal data the controller or processor is requesting, and for what purposes
- make it clear to the data subject which persons or entities will have access to their data
- maintain the privacy of personal data, e.g., through pseudonymization, data encryption, physical security, etc.
- prevent the collection of data that is immaterial to the purpose of data gathering
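The pseudonymization described under the assurances above, combined with the data-minimization duty in this list, can be illustrated in code. This is an added example, not code from the original post or from any project it describes; the field names, the permitted-field list and the sample record are constructed assumptions. It uses a keyed hash (HMAC) rather than a plain hash, because a plain hash of a short identifier such as an NHS number is easy to match against a list of candidate values, whereas without the key the pseudonym reveals nothing; the key is held by the controller, apart from the research dataset.

```python
import hmac
import hashlib
import secrets

# Fields the study has justified collecting; anything else is dropped.
# Constructed example configuration (assumption, not from the original post).
PERMITTED_FIELDS = {"subject_ref", "age_band", "arm", "adverse_event"}
DIRECT_IDENTIFIERS = ("name", "nhs_number", "date_of_birth", "address")


def new_study_key() -> bytes:
    """Generate a fresh 256-bit pseudonymization key for one study.

    The controller keeps this key separate from the pseudonymized data;
    whoever lacks it cannot link a pseudonym back to a person.
    """
    return secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes, domain: str) -> str:
    """Derive a stable, study-specific alphanumeric pseudonym.

    HMAC-SHA256 is keyed, so the output cannot be matched by enumerating
    likely identifiers the way an unkeyed hash could. The domain string is
    mixed in so the same person gets unlinkable pseudonyms across studies.
    """
    msg = (domain + "\x00" + identifier).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize_record(record: dict, key: bytes, domain: str) -> dict:
    """Replace direct identifiers with one pseudonym; keep only permitted fields."""
    # The NHS number is assumed to be the linking identifier (constructed choice).
    ident = record["nhs_number"]
    out = {"subject_ref": make_pseudonym(ident, key, domain)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # never copy direct identifiers into the research dataset
        if field in PERMITTED_FIELDS:
            out[field] = value
        # Any other field (e.g. "email") is discarded: data minimization.
    return out


if __name__ == "__main__":
    # Constructed sample record; the NHS number is a placeholder, not a real one.
    sample = {"name": "A. Example", "nhs_number": "123 456 7890",
              "date_of_birth": "1970-01-01", "age_band": "45-54",
              "arm": "B", "email": "a.example@example.org"}
    print(pseudonymize_record(sample, new_study_key(), "STUDY-001"))
```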
Which sorts of systems and practices qualify as achieving those aims? The answer the regulation gives is, unfortunately, something of a placeholder. Article 42 offers data controllers and processors the opportunity to “certify” their data protection mechanisms, but the certification bodies and requirements for certification are all unspecified. (Paragraph 3 even states that “the certification shall be voluntary.”)
For better or worse, data controllers and processors seem to bear the burden of selecting – and justifying to unspecified “certification bodies” – the technical criteria by which the GDPR will assess their data protection measures.
This is perhaps both a problem and an opportunity. Better that minimum encryption standards, for instance, go unspecified (for now) than be made to conform to some arbitrary decree. As data controllers and processors, we can take an active role in establishing these and other criteria in a way that serves both data protection and efficient data flow.
When does the regulation go into effect?
The regulation becomes effective on Friday, May 25th, 2018. This is a universal implementation date: national governments do not have authority to legislate a later (or earlier) effective date.
Who is in charge of enforcing it?
The European Parliament, the Council of the European Union and the European Commission are the governing bodies with respect to the EU GDPR.
What are the penalties for non-compliance?
If you’re looking for concreteness among all the abstraction of the GDPR, look no further than Article 83, “General conditions for imposing administrative fines.” All nine paragraphs set forth factors in arriving at a sanction for negligence or willful violation. But paragraph 6 will continue to attract the most attention: “(6) Non-compliance […] shall […] be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”
Is that all there is to GDPR?
Unfortunately, no. If regulatory compliance were as easy as nodding along to a blog post, we’d never hear of violations. Then again, we’d hear about far more, and more severe, privacy breaches. Remaining compliant with all of the regulations that bear on clinical research may be a logistical burden, but it’s the right thing to do. You wouldn’t knowingly expose a patient (or their identity) to harm, but that’s what non-compliance amounts to: thousands of seemingly minor risks that make at least one catastrophe almost inevitable. So continue to educate yourself. We’ll help in that effort with a series of blog posts that begins with this one. And if the moral imperative of compliance doesn’t motivate you, consider the impact that non-compliance could have on your business or organization. You really don’t want to step in this natural fertilizer.