
7 Steps Towards Implementing Data Privacy in Clinical Product Development

On May 25, 2018, the EU General Data Protection Regulation (GDPR) came into effect. U.S. clinical product development companies, including Data Controllers (which collect personal data from EU residents) and Data Processors (which process personal data of EU residents on behalf of data controllers), may be subject to the GDPR if they offer products or services to EU residents or if they monitor the behavior of such residents, even if they do not have a physical presence in the EU.

Think you’re not impacted? Think again: the California Consumer Privacy Act (CCPA) of 2018 was passed on 28 June 2018. The rights given to California consumers in 2020 are much like the rights provided in the European Union’s General Data Protection Regulation (GDPR).

Both GDPR and CCPA subject non-compliant businesses to expensive fines, class-action lawsuits, and injunctions. With California taking the lead, we can expect more states to follow.

Even if your product is still under development, if you are using or collecting clinical data to inform your design, you are still subject to these laws, even with patient consent.

Here are steps toward compliance:

Step 1 – Develop a privacy protection implementation plan

Define the scope, approach, requirements, definition of protected information, use environments, training, deliverables and timeline.  Focus on high-level protections first.

Step 2 – Conduct data landscaping

Map the entire flow of protected information (both physical and electronic), covering protected information at rest, in storage, and in motion. Consider all touch points such as accessioning, collection, use, sharing, storage, monitoring, and deletion of such protected information.

Step 3 – Conduct a risk assessment

Using the protected information workflow, identify the controls currently in place and all potential security and privacy risks/threats to the protected information. Consider external, internal, third-party and environmental factors. For each risk/threat, identify control measures to protect the information.

Step 4 – Evaluate existing and establish formal compliance procedures

Formally document all control measures in procedures such as:

  • physical security
  • information systems security
  • handling of regulated protected information
  • consent requests
  • protected information retention
  • breach management

Step 5 – Implementation

Implement the control measures defined in your formal compliance procedures via policy and/or information technology (password protection, encryption, anti-virus).

Step 6 – Verification

Conduct initial and periodic verification and audits of risk control measures such as physical security, firewalls, OS/application patching, and anti-virus updates.

Step 7 – Implementation Report

Keep an up-to-date report on hand that can be presented as evidence of information protection compliance to regulatory bodies, development partners and consumers.

Seems daunting? Don’t have time? Let us help you with our compliance package, which includes a free training module, 25% off:

regulatory@beanstockventures.com

BeanStock Ventures has over 20 years’ experience developing compliant, safe and meaningful products in the healthcare industry. Learn more about our regulatory services.
