What is GDPR?

GDPR, or the General Data Protection Regulation, is a set of regulations adopted by the European Union to govern the collection, processing, use and storage of personal data. It covers individuals living in the European Union (citizens, residents and visitors), as well as EU citizens living outside of Europe. It applies to personal data that is processed, managed or owned in connection with goods or services offered in the EU and the states that have adopted the regulation. The regulation was adopted on May 24, 2016, with an enforcement date of May 25, 2018, by which organizations had to comply with its requirements.

Who must comply with GDPR regulations?

Any company or organization providing services and collecting personal data from individuals in the European Union (citizens, residents and visitors) as well as EU citizens living abroad must comply with GDPR.

Several basic aspects of GDPR:

  • GDPR is all about a “Data Subject” (you, for example) giving informed and explicit consent. Consent must be a definite choice on your part, and not a “helpful” pre-checked consent box.
  • It should be clear to you what you are giving someone permission to do, and why they need to do it (express purpose).
  • The Rights of the Data Subject include right of access, right of rectification, right of erasure, right to restrict processing, right to communication of actions to ensure compliance, and right of data portability (Articles 15-20).
  • GDPR mandates ongoing responsibility for good data disciplines and practices by design and by default, including appropriate security measures for personal data. It also details how data breaches must be handled.

For a complete list of GDPR requirements, please consult the official documentation here.

Here are some additional resources and articles on GDPR specific to the pharmaceutical/biotech/clinical trials industry: