We’ve heard about the impending legislation that’s shaking up the marketing and business worlds and causing all of those “We’re updating our databases” letters and “privacy notices” that keep dropping through our letter boxes, but what does it mean for researchers?
The date that the changes to the data protection law come into force is 25th May 2018, which is very close now, so we need to be sure about what changes we’re making and who needs to make them if we’re to stay legal.
Is it time to panic? Well, it depends on how much preparation you’ve already done but even if you haven’t done much about it yet, don’t give up. You need to get your thinking caps on quickly but it’s not too late.
What’s it all about?
Let’s get one thing straight, GDPR is a good thing.
The laws governing how businesses store and process personal data are being tightened up to drag them into the 21st century and the main aim is to clarify ownership of that personal data. It’s owned by the person to whom it relates and they are having their rights clarified in law. This will benefit all of us in our general lives.
In the medical research industry we’ve been very hot on informed consent for several years due to the Human Tissue Act – although the Data Protection Act is also applicable and GDPR is an extension of the DPA. So, in theory, if we’re operating best practice then this won’t be a radical change.
What about BREXIT?
The General Data Protection Regulation (GDPR) (EU) 2016/679, while being a European Union regulation is being enshrined in British law. It will be law in May 2018 and it’s very unlikely to change after BREXIT. If we don’t keep it then no EU countries will be able to share sensitive data with a UK institute and that’s bad for UK research and UK business.
The main points
The main changes are that all personal data collection and processing must be opt IN rather than opt OUT and individuals have much more control over how their personal data is used.
The rights enshrined in the law are:
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erase
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling
What’s the minimum we need to do?
· Check online guidance – there’s a lot of good stuff online, starting with the Information Commissioner’s Office
· Know your responsibilities
· Update your Standard Operating Procedures
It’s worth talking to your database or clinical management system supplier or look at having a system implemented. Using Excel or self-built systems can be a false economy as compliance can become very time-consuming and responsibility for data management, auditing and encryption/anonymisation lie with you.
With a bit of focus you can get your processes tightened up and be compliant in time for the deadline but don’t forget about it thereafter. Compliance gives the additional benefits of clearer processes and better data quality so you can look at it as a win-win!