CHICAGO (GenomeWeb) – The long-awaited General Data Protection Regulation is now the law across the European Union.
It's a major deal for many reasons, not the least of which is the heavy penalty for noncompliance. Willful violation of GDPR could carry fines as high as €20 million ($23.6 million) or 4 percent of a company's annual global revenues. But the regulation also standardizes data flow and consent rules within and between all 28 EU member nations, as well as with any outside interests that do business with EU entities or hold any data on European citizens.
Unlike the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) that have been in place in the US since the early 2000s, the GDPR affects more than just the healthcare and life sciences industries; it applies to electronic data of all kinds. That explains why so many global consumer and business e-commerce and data companies have for the last several months been sending updates to their privacy policies, all with an effective date of May 25.
The regulation grants individuals three broad rights: the right to know who controls their data — including the name and contact information of a designated data protection officer — and for what purposes; the right to object to certain commercial uses of their data; and, perhaps most significantly, the right to be "forgotten" by an entity that holds their data.
There are degrees of responsibility placed on the data controller for sensitive data like genome sequences, according to Giuseppe Testa, head of the Laboratory of Stem Cell Epigenetics at the European Institute for Oncology in Milan, Italy, and Luca Marelli, a research fellow at the Catholic University of Leuven in Belgium, who is studying the politics of biomedical innovation in the EU. The pair co-authored a paper on GDPR in Science this month.
"It could make the flow of data indeed much simpler," Testa told GenomeWeb. "But there are more responsibilities."
GDPR could actually promote abuses of data if not followed properly, according to Marelli. "The key thing will be the implementation," he said.
The rule evolved over more than a decade, as EU regulators studied privacy laws in various member countries and beyond. Nino Da Silva, executive vice president of genomic data analysis company BC Platforms, noted that Sweden, Finland, and the UK, as well as Australia, served as models for parts of GDPR.
Finland, for example, has had a biobank law in place since 2013 that requires donors to give specific consent for their samples to be used for research. Sweden has given every citizen the right to control their own medical and biological data and to request a copy of their health records at any time.
"I think GDPR actually brings us further on, because it also [gives] the right to become forgotten," Da Silva said.
"One of the main principles of the GDPR is the consent, and the consent is scrutinized much more carefully than the Data Protection Act," the 1998 predecessor to GDPR in the UK, said Paul Jeffreys, head of digital operations at the London-based Institute for Cancer Research.
"You have to have the ability to remove consent if the individual requires it. There is a whole set of related issues about consent that has been given in the past and what [it means] now," Jeffreys said.
"The basic idea is that the data is owned by the person, and it is used by the company only because the person consents to that use. If a person wishes to retire from a service, or to simply withdraw the consent because they just don't want to be associated with that company anymore, they have the right to ask to be withdrawn from the servers," explained BC Platforms Chief Technology Officer Anni Ahonen-Bishopp.
"Off of that point, the company or entity is not allowed to use the data or refer to it or even store it. It's not just a matter of removing a person from mailing lists. It is the actual withdrawal of the data as if the person doesn't exist anymore from that company's point of view," Ahonen-Bishopp explained.
GDPR "is person-centric, so you need to be aware that you are working on somebody else's property," Ahonen-Bishopp also noted.
In life sciences, there are exceptions to the consent rule for scientific research.
"As regards consent, the GDPR also provides a breathing space for research activities that will certainly be useful. It recognizes that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects will be allowed to give their consent to certain areas of research or parts of research projects when in keeping with recognized ethical standards for scientific research," according to a summary from two Paris-based attorneys at the US-European law firm Foley Hoag.
This is similar to but narrower than the HIPAA "treatment, payment, and healthcare operations" exemption in the US.
GDPR contains another exemption for anonymized data, though the age of genomics creates a bit of a gray area.
"There is a subtlety that even if it's completely anonymized, if it's a significant fraction of the genome, in principle, you can reverse-engineer back to the individual, so it becomes personalized again," Jeffreys noted.
This is true even with nongenomic information. Latanya Sweeney, director of the Data Privacy Lab at Harvard, showed back in 2004 that 87 percent of US residents can be successfully identified with just three pieces of information: date of birth, gender, and ZIP code — information often readily available in hospital discharge and demographic data.
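To make that re-identification risk measurable, the following added example (not from the article or from any organization it mentions) computes k-anonymity over the three quasi-identifiers Sweeney used on a constructed sample of records, and shows how generalizing date of birth to year and ZIP to a three-digit prefix raises the smallest equivalence class. All records, field names and sample IDs are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample records (no real people): the three quasi-identifiers
# from Sweeney's study, plus a stand-in sample ID for the sensitive payload.
RECORDS: List[Dict[str, str]] = [
    {"dob": "1971-03-14", "sex": "F", "zip": "02138", "sample": "S001"},
    {"dob": "1971-03-14", "sex": "F", "zip": "02139", "sample": "S002"},
    {"dob": "1985-11-02", "sex": "M", "zip": "02138", "sample": "S003"},
    {"dob": "1985-11-02", "sex": "M", "zip": "02138", "sample": "S004"},
    {"dob": "1962-07-30", "sex": "F", "zip": "60611", "sample": "S005"},
    {"dob": "1962-07-30", "sex": "F", "zip": "60611", "sample": "S006"},
    {"dob": "1990-01-09", "sex": "M", "zip": "60614", "sample": "S007"},
    {"dob": "1990-05-21", "sex": "M", "zip": "60614", "sample": "S008"},
]

QUASI_IDS: Tuple[str, ...] = ("dob", "sex", "zip")


def equivalence_classes(records: Sequence[Dict[str, str]],
                        quasi_ids: Tuple[str, ...] = QUASI_IDS) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: Sequence[Dict[str, str]],
                quasi_ids: Tuple[str, ...] = QUASI_IDS) -> int:
    """Smallest class size; k == 1 means at least one record is unique on these fields."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_fraction(records: Sequence[Dict[str, str]],
                    quasi_ids: Tuple[str, ...] = QUASI_IDS) -> float:
    """Share of records that are alone in their class, i.e. directly re-identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    singles = sum(1 for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1)
    return singles / len(records) if records else 0.0


def generalize(record: Dict[str, str]) -> Dict[str, str]:
    """One mitigation: coarsen DOB to birth year and ZIP to its 3-digit prefix."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["zip"] = record["zip"][:3]
    return out


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print(f"raw:         k={k_anonymity(RECORDS)} unique={unique_fraction(RECORDS):.2f}")
    print(f"generalized: k={k_anonymity(coarse)} unique={unique_fraction(coarse):.2f}")
```

On the constructed sample, half the raw records are unique on the three fields (k = 1), while the generalized view reaches k = 2 with no singletons; a real release would be checked the same way against its own quasi-identifiers before being treated as anonymized.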
Jeffreys said it depends on how GDPR is enforced, but it appears that European regulators will treat anonymized DNA data as personal information if a significant portion of the genome is involved.
"I don't know where you draw that line," Jeffreys said. "I think it will be a bit like a legal system. It will require somebody to be challenged and a case made on that basis. I don't think anybody is going to come up and tell you what it is."
The scale of the dataset matters as well, Jeffreys said. "If you had one or two [genomes] and you handheld those datasets through the system and checked every moment, it would be different than if you had thousands going through. Again, nobody will tell you what, precisely, it is, but we are building what we call a data safe haven in ICR to deal with this personal data."
This data safe haven, as defined by the GDPR, deals with both infrastructure — hardware, software, and controls — and policies and procedures.
"The infrastructure part is, 'How do you encrypt your data at rest, in transit? How do you build your access controls? How do you show the datasets can be deleted totally, even though you are backing them up?'" Jeffreys said.
"The other part is, 'How do you do your auditing and how can you show that?' Data has to disappear and users have to show that it has disappeared."
In April, NHS Digital, the IT division of the UK's National Health Service, updated its online privacy and security self-assessment tool to meet GDPR standards by issuing a new system called the Data Security and Protection Toolkit.
ICR is developing its policy document around this toolkit, which is about the best it can do. The NHS and other health authorities across Europe have determined that data users, not the authorities themselves, "own" decisions around data, according to Jeffreys. "There is no way to get anyone to accredit [the policy document]," he lamented.
The document will "include things like 'it must be accessible at a fine grain, but with very strong controls that you must have the ability to delete the data if requested,'" Jeffreys said. "It's not as if you have to drastically change everything that you have been doing."
In some ways, life sciences companies and institutions have had an advantage in moving toward GDPR compliance because they always have dealt with sensitive information. Only in the wake of the Cambridge Analytica scandal involving Facebook data did many consumers wake up to the reality that personalized information stored online isn't always being used in their best interests.
For ICR, most of the work in the past year has been policy-related, because the institution has been dealing with sensitive data for years and didn't need all that many technology upgrades. The London institute has been working on GDPR compliance for more than a year, but only recently started training its staff, Jeffreys said at the annual Bio-IT World conference in Boston earlier this month.
Similarly, clinical genomics interpretation software vendor Congenica from Cambridge, England, has had ISO 27001 certification for data security and information governance since 2016, easing the transition to GDPR. "If we hadn't been ISO-certified, it would have been a problem," CEO David Atkins told GenomeWeb.
As with HIPAA, enforcement of GDPR largely will be complaint-driven and based on intent.
"If we can show that we are moving in the right direction, there will be leniency," Jeffreys said. "What we are trying to do is put in place the data protection officer and put in place our policies," he said.