Why hire a DPO with a Life Science background?
Data Protection Officer (DPO) with life science background – an added value for the healthcare and life sciences sectors
June 5 2023
The EU General Data Protection Regulation (GDPR) introduced the concept of the Data Protection Officer (DPO), whose appointment can, under specific circumstances, be a legal obligation for a company/institution. However, the GDPR does not prescribe the precise expertise a DPO must have, and a DPO does not necessarily need a legal professional background. In addition to legal and technical (information system and data security) expertise in the field of data protection, a DPO must have a good knowledge of the processing operations carried out in the company/institution. In the healthcare and life sciences sectors, this means understanding the data processing operations related to clinical activities.
This knowledge is necessary to correctly analyze the risks to the rights and freedoms of data subjects whose health data is being processed, and to ensure the implementation of appropriate technical and organizational measures to protect the subjects' privacy. A DPO with a life science background can bring added value by providing insights into the technical and organizational aspects of data processing activities, ensuring the scientific appropriateness of data protection policies and procedures, and acting as a strategic advisor on data protection matters in the life sciences sector. Combining those skills with those of a lawyer brings insight into the complex environment of privacy and compliance.
Appointing a DPO is mandatory for companies/institutions performing clinical trials
The EU GDPR introduced the concept of the DPO, whose appointment is a legal obligation under specific circumstances (Art. 37 GDPR). The obligation to appoint a DPO depends on the type of data processing activities, rather than on the type or size of the company/institution. The decision to appoint a DPO is important for any organization that handles personal data.
The core activities of clinical trials always involve processing sensitive personal data of participants. The participants in clinical trials may be healthy volunteers, but most of them are patients: adults, older adults, or children. Patients and children (or minors) are considered vulnerable data subjects and fall under special categories of data (Art. 12, Recitals 38 and 58 GDPR). Processing special categories of data is allowed only under certain conditions and requires the implementation of additional security measures. Furthermore, clinical trials have a broad geographical extent and include operations that require regular and systematic monitoring of the data subjects on a large scale (Recital 97). Therefore, the appointment of a DPO is a legal obligation for institutions or companies performing clinical research (Art. 37 GDPR).
The added value of a DPO with life sciences background for companies/institutions performing clinical trials
The GDPR does not state that a DPO must have a legal professional background. The GDPR's definition of a DPO's expertise is broad:
- “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.” (Art. 37 (5)).
- “The necessary level of expert knowledge should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.” (Recital 96 GDPR).
Therefore, the DPO's required knowledge is not limited to data protection law. The Data Protection Working Party, an independent European advisory body on data protection and privacy, issued guidelines on DPOs (WP 29) stating that an important professional quality is “Knowledge of the business sector and of the organisation of the controller. The DPO should also have a good understanding of the processing operations carried out, as well as the information systems, and data security and data protection needs of the controller”.
When making the decision to appoint a DPO, companies/institutions should consider factors such as the amount and sensitivity of the data they handle, the potential risks to data subjects, and the complexity of data processing activities.
It is also important to ensure that the appointed DPO has the necessary expertise and resources to carry out this role effectively, which includes the following:
– knowledge of the general organization of a clinical trial and of the data flows between the actors, including study subjects;
– knowledge of the best practices for handling and protecting data (e.g., Good Clinical Practice (GCP) and other related regulations such as the Clinical Trial Regulation (CTR), the Medical Device Regulation (MDR), and the In Vitro Diagnostic Medical Device Regulation (IVDR));
– knowledge of the specificities of pharmacovigilance, safety, and post-marketing surveillance;
– knowledge of the appropriate handling of data: companies/institutions specialized in life sciences manage different types of personal data, including genomic data, clinical data, and pre-clinical data. A DPO with a life science background is able to understand the specific challenges of managing and protecting these types of data and to identify potential risks and vulnerabilities;
– knowledge of industry-specific threats such as intellectual property theft, cyberattacks, and breaches of patient data. A DPO with a life science background understands the data flows and is able to identify these threats and develop strategies to mitigate them;
– efficient communication with stakeholders, including healthcare providers, researchers, regulators, patients, and data protection authorities.
Considering the nature, scope, context and purposes of processing, as mandated by Art. 39(2) GDPR, knowledge of life sciences and healthcare activities is essential for understanding the data processing operations. Therefore, a DPO who combines knowledge of the GDPR with expertise in life sciences is an advantage.
A DPO's ongoing professional development is also key to bringing value and credibility to the role. This can include attending conferences, attending relevant courses and obtaining certifications, staying up to date on emerging trends and best practices in data protection and privacy, and publishing articles on life science and data protection topics. Professional development opportunities help enhance the DPO's knowledge and skills, which ultimately benefits the organization.
Joining forces: increased collaboration between DPOs and lawyers for successful compliance
The reality of a compliance department is very complex. Besides EU GDPR, national data protection regulations exist in each EU member state. In addition, EU companies/institutions conducting clinical trials outside the EU/EEA must comply with national privacy laws (UK GDPR, FADP, PIPEDA, LGPD, APPI, PIPL, etc.).
These laws are constantly revised, and it is challenging for a DPO to stay up to date on all those modifications. Therefore, an innovative approach is close collaboration between lawyers and DPOs.
Lawyers are trained to understand the nuances of the law and are skilled in reviewing contracts; they can advise on how data protection and privacy considerations should be incorporated into contracts with vendors, service providers, and other partners. They can also assist in reviewing and negotiating data processing agreements, ensuring that the organization's data is adequately protected. Finally, they perform a continuous legal watch to maintain the most up-to-date knowledge of all regulations. Legal watch involves monitoring changes in laws and regulations that may impact an organization's operations and ensuring that the organization remains compliant.
The lawyer and DPO can work together to ensure that the organization’s data processing activities are compliant with applicable data protection laws and regulations, while also considering the specific requirements of the life science sector. By collaborating and leveraging their respective areas of expertise, they can develop policies and procedures that are both legally compliant and scientifically appropriate.
They can work together to identify potential risks associated with the organization’s data processing activities and develop strategies to mitigate those risks. For example, the DPO can conduct risk assessments to identify potential data protection issues, while the lawyer can advise on legal risks and liabilities associated with data processing activities.
In the event of a data breach or other data protection incident, they can work together to analyze the breach and respond effectively and efficiently. The DPO can lead the investigation into the incident, assess the risks to affected individuals, and coordinate the technical response, while the lawyer can advise on the legal obligations and potential liabilities of the organization and assist with any required notifications.
Both can work together to ensure that the organization is compliant with applicable data protection laws and regulations. The DPO can ensure that the organization's data processing activities conform to the expectations of data protection laws and regulations, while the lawyer can provide legal advice and guidance on regulatory compliance and liaise with regulatory bodies, such as data protection authorities.
The lawyer and DPO can work together to negotiate contracts with vendors, service providers, and other partners to ensure that data protection and privacy considerations are incorporated into the contracts. The DPO can provide technical expertise to assess the data protection and privacy risks associated with the contract, while the lawyer can advise on legal risks and liabilities and ensure that the contract is legally compliant.
MyData-TRUST: Your DPO specialised in Data Protection and exclusively dedicated to the Life Science sector
In conclusion, a DPO with a background in life sciences brings a unique set of skills and knowledge of the clinical trial process from the bench to the market. Nevertheless, the strongest support for successful compliance with data protection regulations and for the assurance of subjects' privacy is the combination of two forces: DPOs with a background in life sciences together with lawyers, who provide deeper and up-to-date legal insight.