GDPR is just the golden rule with a new name
20.04.2018
We’re no strangers to acronyms in the healthcare market research world: MR, AE, CL, TDI, ZINC, BHBIA, EphMRA… even our name, HRW, is an acronym. But lately there has been a lot of commotion over a new acronym: GDPR, the General Data Protection Regulation, coming into effect across Europe. HRW head of operations and BHBIA ethics and compliance committee member, Yuliya Fontanetti, has been living and breathing GDPR and takes a step back to talk some plain language about these regulations and what impact they will really have on the industry:
‘Passion for compliance, ethics and guidelines.’ This describes me and my approach to working practices to a T. As a result (and for my sins, more than anything), I have fully embraced GDPR, leading its implementation within HRW. What was really fascinating to me is that not a lot in this new regulation is new, at least not to someone who has already adopted a gold-standard approach to data collection. Privacy risk assessment, for example, is in no way new (in fact it is a tool created by the Information Commissioner’s Office, ICO, well before changes in privacy regulation were even ‘a thing’) and has previously been discussed as the best, most straightforward way to approach handling personal data. It was not previously enforced, which is where the real change is.
In my view, though, it is a way of standardising, securing and fine-tuning our working practices, and that is where the real value is. In the modern world, with information at our fingertips at all times, it is hard to imagine that such an important regulation has taken so long to arrive, but the world needed to change and the way personal data is handled needed to change with it.
GDPR in a nutshell
As D-day approaches, it is a good time to take stock of what we know so far and what else is left to do. Creating a plan of action and new processes is only one part of GDPR compliance; implementing and enforcing it is quite another. It is fascinating hearing stories from my colleagues across the industry about how their companies are adapting to all this training: some are rewarding good behaviour, others are putting adherence measures in place to make sure everyone who should be trained actually is. Whichever approach your company takes, it is a necessary one.
Ultimately, adherence to guidelines, especially in the healthcare space, has always been one of our prized achievements. We are all used to the process of informed consent, we are used to asking permission for processing and storing data, and it is no surprise to us that a particular use of data needs to be agreed with the data subject. What is new, however, is the real focus on the individual’s rights. It is the individual, after all, who determines how we should be able to use their data, and rightly so. So, think about your project in reverse order, working backwards from what you’ll want at the presentation of results, right from the research design stage. This is not rocket science: if you think about what you want to end up with, you know which steps to take to execute it correctly. For example, in MR terms, if you know that you would like to use video outputs of patient interviews as part of your presentation as well as for the pharma company’s internal training, think about it first. Discuss with pharma stakeholders where that footage would be used, inform your respondent at recruitment and make sure you obtain the necessary consent: let them know how, when and why their data will be used, who it will be seen by, where it is likely to end up, how securely it will be stored and for exactly how long. Also tell them what their rights are; be open about those, and don’t try to quietly hide behind jargon. As long as respondents understand exactly where they stand and what they are sharing, they’ll be glad to know what’s happening with their feedback, and your job with regards to data privacy is near perfect.
Yes, having written processes for such a wide variety of situations is slight overkill (having written a few of those processes in the last few months, I know what I am talking about). However, if we did not have them, we would not be in a position to ensure the transparency required by GDPR. Essentially, writing these processes will not only demonstrate the thought process behind them but also help with communication and implementation across our industry. Rest assured, these will evolve as time goes on, so if you don’t think they are perfect – work on them, seek feedback and ideas from your peers and industry bodies, ask questions about how others are doing it and tweak yours if necessary. As long as we keep transparency and respondent rights at the core of our process, over time we will find the right words and processes to make it feel like second nature.
What is personal data?
Interestingly, this is the question that seems to get asked a lot! Not because we don’t know what personal data is, but, I guess, in the hype of this new regulation looming on the horizon, we are questioning and overthinking everything. So, let’s simplify it:
The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
So, if you think about it in layman’s terms, anything that is likely to identify a natural living person is personal data. More importantly, those of us lucky enough to work in the healthcare space also have the added bonus of dealing with “special category” sensitive data. Aren’t we lucky!
All joking aside, though, we need to remember that what participants tell us is pretty powerful information to obtain and, not surprisingly, in the ever-changing digital world, it is paramount for that data to be safeguarded and protected to the best of our ability. We as a company have an enormous amount of responsibility.
I always use a personal analogy when it comes to compliance. It is not always everyone’s favourite subject; however, if we all treat the personal data we encounter with the same care and attention as we would want our own handled, we should have no issues. It’s really just the golden rule with a new acronym.
Let’s look at some common changes GDPR makes to the research process:
Consents
These must be explicit, informed and specific. No pre-ticked boxes, no assumptions (“by proceeding with this questionnaire you agree…”), no ambiguity. Treat your consents as one of the vital parts of your research materials: think about them at commissioning, discuss them extensively with your client, specify retention periods (unless of course you already have these set out in Master Service Agreements) and write them with your data subject in mind. The information you need for consents is quite extensive, but the Information Commissioner’s Office has addressed the question of consent clearly: “You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language. If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.”
Record keeping
Record keeping is vital to GDPR compliance. Not just records of fieldwork agreements and consents (we are all used to those), but records of processes, activities and breaches (although we all hope the latter never happens). Keeping records helps keep organisations accountable and determines their compliance with the processing of personal data.
Obviously, how you keep those records is up to you, as long as it is done with security in mind. For example, if you are processing data on behalf of a company, you want to ensure that you keep records of your processing activities, giving your clients reassurance that when data is handled on their behalf, it is treated in the most secure and effective way. As has always been the case, you want to make sure that you work with suppliers who are able to adhere to the same high standards you would expect of your own organisation. In this way, GDPR probably won’t change the way we collect and analyse data, but what we will have is a clearer electronic record of precisely when things happened and who was involved.
What is next?
Naturally, thinking of what’s to come in the next few weeks is of immediate concern. But the world is not going to end on the 25th of May; in fact, it is just the beginning. The beginning of a new era of transparency and accountability. Whilst of course it is a major change for most companies, it is a welcome one, giving us as individuals more control over how our data gets used, stored and processed. Key to this is that, once GDPR has been embraced across the board, we should all sleep better knowing that privacy, as our basic human right, is being safeguarded.
By Yuliya Fontanetti