
BHBIA

FAQ - GDPR

These questions are based on queries that members have sent to our ethics advisor and a summary of the responses.

Please note that this resource is simply a selection of actual queries. It does not provide comprehensive coverage of everything you need to know about GDPR. Please also consult the BHBIA's GDPR Updates page, for the latest guides, which include links to other online information.

The FAQs are grouped under a series of headings.

If you cannot find the answer to your question in the resources provided, you can submit a new query to our Ethics Advisor. Please use the online Guidelines Query Form. (This service is available to full BHBIA members only and you will need to log in.)

Responses given are not legal advice and if a legal opinion is required this should be sought separately. The information given in the response is for information purposes only. Whilst every reasonable effort is made to ensure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the authors.

Definitions and roles

Q. What data are considered to be personal and sensitive?

A.

The GDPR definitions of ‘personal data’ and the related terms are:

  • ‘Personal data’ means ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. (Article 4)
  • ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. (Article 4)
  • ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. (Article 4)
  • ‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. (Article 4)
  • Special categories of personal data (previously sensitive personal data) are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. (Article 9)
  • The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. (Recital 26)

Special category (previously referred to as sensitive) personal data includes racial or ethnic origin, political opinion, religious beliefs, membership of a trade union, physical or mental health or condition, sexual life.  Personal health data includes all data pertaining to health status which reveals information relating to past, current or future physical or mental health status e.g. disease, disability, disease risk, medical history, clinical treatment.  It also includes genetic and biometric data.

Data which, when combined, could identify an individual should be considered and treated as personal data.

Key points to note:

  • Personal data may be made up of more than one piece of information, e.g. a job title and a place of work together could identify an individual.
  • Pseudonymised data will still qualify as personal data if you have the ability to reverse the pseudonymisation (i.e. you/your organisation holds the information that would re-identify individuals).

Q. What are the roles of Data Controllers and Data Processors?

A.

Data Controllers determine the purpose and means of data processing, so for example, if you influence the design of the work or you maintain a list of potential respondents you are a data controller.

Data controllers are:

  • Responsible for, and able to demonstrate, compliance with GDPR
  • The point of contact for data subjects
  • Responsible for determining whether a Privacy Impact Assessment is required and for conducting it
  • Able to audit the processor

Data Processors process the data on behalf of the data controller, so if you only act on the instruction of others (such as a market research or fieldwork agency), you are a data processor.

Data processors must:

  • Seek approval to appoint sub-processor
  • Include GDPR obligations in sub-processor’s contract
  • Seek approval to transfer personal data out of EU

Both Controllers and Processors must:

  • Implement technical and organisational measures
  • Make sure contracts contain the right detail
  • Appoint Data Protection Officer if this is required
  • Keep detailed records
  • Build in privacy by design and default
  • Have a legitimate basis for data processing
  • Maintain and store data and records

If a company commissions market research from an independent agency and this agency then conducts all the work on their behalf (under contract) and supplies the company with only aggregated anonymised data (i.e. the company does not have access at any stage to any of the personal data collected by the MR agency), the client company is a data controller as is the agency.

Although the data which the commissioning company will see is anonymised and aggregated, the collection, storage and other processing of personal data is happening for the commissioning company’s overall purpose – without this purpose the processing would not be undertaken at all.  The MR agency is applying technical expertise to the selection, processing and interpretation of personal data meaning they would also be data controllers (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project including the application of MR methodologies and design of any questions/interviews).

Q. Who is the ICO?

A.

The ICO is the Information Commissioner’s Office.  The ICO is the UK data protection supervisory authority or regulator.  The ICO is an independent body set up to uphold information rights in the UK.  It is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport.

Q. Is the MR agency a data processor if the client dictates the purpose of collection/processing of personal data via a brief and the means of personal data collection/processing?

A.

A data controller determines the purpose and means of processing, and a data processor processes the data on behalf of the data controller.

If an agency is applying technical expertise to the selection, processing and interpretation of personal data it would be a data controller (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project, including the application of MR methodologies and the design of any questions/interviews).

So, generally, both the commissioning client company and the MR agency are data controllers, but in some circumstances an MR agency might be a data processor.

Q. Is a fieldwork agency a controller if it conducts the interviewing?

A.

This would depend upon what other role, if any, the fieldwork agency has played in the project.  If the fieldwork agency carried out the interviewing alone and did not influence recruitment or guide/questionnaire design, then it is likely to be a processor; however, if it has influenced the way in which the work is done, then it is more likely to be a controller.  Only if an agency is applying technical expertise to the selection, processing and interpretation of personal data would it be a data controller (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project, including the application of MR methodologies and the design of any questions/interviews).

Q. Who would be responsible for a regulation breach if there are two controllers?

A.

Contracts should detail the respective responsibilities of joint controllers. The controller liable for a regulation breach will be the controller responsible for that part of the activity that led to the breach.

Q. Does the size of an organisation determine the need to appoint a Data Protection Officer (DPO)?

A.

No. There was talk of this being the case at one time before the finalisation of the Regulation but this did not make it into the final draft of the GDPR.  Data controllers and data processors must appoint a Data Protection Officer (DPO) if - as a core activity - you carry out large scale systematic monitoring of individuals or large scale processing of special categories of data.

Risk and Privacy Impact Assessment

Q. Is a Data Protection Impact Assessment (DPIA) required for data processing authorized before May 2018?

A.

Current data protection guidance advocates a risk-based approach including risk assessment but conducting a PIA is not a legal requirement of the Data Protection Act.  The GDPR formalises the need for DPIAs and makes it a requirement in some cases.  See further information below.

If after 25 May 2018 you continue to rely on risk assessments and DPIAs carried out before this date, you must make sure that these are GDPR compliant.  If they are not, you must update your risk assessments and DPIAs.  We advise you to update your risk assessment processes and tools that you will rely on after 25 May 2018 as soon as practical if they aren’t GDPR compliant.

Taken from the BHBIA’s ‘Risk and Privacy Impact Assessment’ guidelines, within the Preparing for the General Data Protection Regulation series, available on the BHBIA website.

DPIAs MUST be carried out when:

  • Large scale processing of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to their rights and freedoms
  • Large scale processing of special categories of data (previously referred to as sensitive data)
  • Using new technologies and the processing is likely to result in a high risk to rights and freedoms
  • Automated processing, including profiling, that results in automated decisions having legal effects or similar significant impacts on the data subjects
  • The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual (e.g. personalised targeted direct mailings); profiling is not the same as market research segmentation.
  • Systematic monitoring of a publicly accessible area on a large scale.

Q. What triggers the need for a DPIA?

A.

DPIAs SHOULD be carried out when:

  • The data processing might result in a high risk to the rights and freedoms of the individuals
  • If you are not sure whether your data processing is high or low risk, you need to carry out a DPIA – if in doubt, carry one out!

Notification and contracts

Q. Do you need to register yourself as a data controller and/or processor with the ICO if you are a freelancer?

A.

The current notification requirements are as follows:

Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:

  • organisations that process personal data only for:
      • staff administration (including payroll);
      • advertising, marketing and public relations (in connection with their own business activity); and
      • accounts and records;
  • some not-for-profit organisations;
  • organisations that process personal data only for maintaining a public register;
  • organisations that do not process personal information on computer.

Exemptions are also available in relation to:

  • national security and the armed forces;
  • personal data that is processed only for research, statistical or historical purposes;

https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/

Under GDPR, this is what we know at present about new notification requirements:

When the new data protection legislation/GDPR comes into effect next year there will no longer be a requirement to notify the ICO in the same way.  However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee.

The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing.  The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

https://iconewsblog.org.uk/2017/10/05/ico-fee-and-registration-changes-next-year/

The ICO expects to know more by the end of 2018 and will communicate further when they do.

Q. What terms/changes might we need to make to our contracts?

A.

Expect contracts under GDPR to include:

  • Details of specific processing - subject matter, duration, nature, purpose, type of data & type of data subjects
  • Risk & DPIAs requirements
  • Information necessary to demonstrate compliance
  • Safeguards - technical & organizational incl. confidentiality
  • Retention, return, deletion requirements
  • Data breach notification
  • Inspection & auditing requirements
  • Liabilities, assurances & indemnities for legal action
  • Respective responsibilities of joint controllers

Data processors need the data controller’s written consent to appoint sub-processors, e.g. freelancers. Sub-processors must adhere to GDPR too, and processors must have contracts with named sub-processors.

GDPR is not clear about whether the obligation to include processor clauses in contracts falls on the controller, the processor or both.  The GDPR simply says these clauses must be included - so it is possible that both the controller and the processor must ensure they are included.

Q. Could GDPR requirements be detailed in a study protocol rather than the legal contract with the client if the contract refers to the protocol?

A.

This would have to be established by lawyers/legal advice.

Legal bases and respondent rights

Q. How valid is 'informed' consent when the terms of consent are extensive?

A.

Consent has to be clear, specific and granular, but at the same time it also has to be concise. These requirements may conflict at times, as all the information required to support informed consent can be difficult to deliver clearly and concisely.  The ICO have suggested that:

“You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language.

If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.”

Q. Is consent needed to store data that is publicly available?

A.

No, assuming that no other (non-publicly available) data are added to it.

Q. What is the difference between asking not to be contacted and asking for your personal data to be erased?

A.

Under GDPR individuals have a new right to erasure, also known as the right to be forgotten.  This gives the individual the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Individuals also have a right to restrict processing of personal data.  When processing is restricted, you are permitted to store the personal data, but not further process it.  You can retain just enough information about the individual to ensure that the restriction is respected in future. 

If an individual asks not to be contacted for the purpose of market research they are exercising their right to restrict processing (not their right to erasure).  It is important not to confuse the two different rights.  Quite clearly if you are going to observe a request not to be contacted for the purposes of market research you will need to store some personal data to do this.

If an individual specifically asks that their personal data is deleted and that they are not contacted again, the conflict between the two requests should be pointed out and their consent to hold their personal data for the purpose of making sure they are not contacted for market research should be requested.

Lists of individuals that should not be contacted may be passed on to sub-contractors; the legal basis for this processing might be consent or legitimate interests.

Application to specific scenarios

Q. What are the implications of GDPR for adverse event reporting?

A.

The GDPR will impact the processing of personal data for adverse event reporting in the same way that it impacts data processing for market research – the same requirements will apply.

Q. Does GDPR apply to projects involving social media listening?

A.

Yes, the GDPR will apply to all forms of data processing, all media and all sources of data.

Q. Will client companies be able to observe non-anonymised fieldwork in person without their organisation being named on the consent form?

A.

This is under discussion with the ICO at present. The GDPR requires that when personal data are processed, those organisations that will have access to it are named in order to secure the data subject’s informed consent (to allow the access).  Current ICO advice (on the interpretation of the UK Data Protection Act) allows us to withhold the name of the recipient company if there is a genuine threat of bias or disguised promotion.  The demands of the GDPR are more stringent and this advice may not stand.

Q. For observation of interviews - respondent consent - what exactly does 'include recipients' mean? How much detail is needed?

A.

The GDPR requires that when personal data are processed, those organisations that will have access to it are named in order to secure informed consent (to allow the access).  The name of the organisation should be provided as well as the roles of the individuals/teams that will have access e.g. market researchers, marketing, drug safety personnel.  Individuals do not have to be named.

Q. When transcribing or translating video recorded interviews, do we need to check with the commissioning MR agency that the participant has given consent for a third party processor to access their data?

A.

Yes. Valid consent must be specific: it must include the data controller’s identity and any third parties who will be relying on the consent.

Data breaches

Q. Can you give some examples of how companies might fail in terms of their accountabilities?

A.

The accountability principle requires that you show how you comply with GDPR requirements, so failure to define responsibilities in contracts, failure to record data processing activities such as consent processes and agreements, and failure to have a breach handling process in place would all be examples of accountability failings.

Data retention and destruction

Q. Data retention period should be 'appropriate', how long is appropriate?

A.

The GDPR does not provide any guidance on how long is appropriate, nor are data protection regulators likely to issue any.  Personal data should not be held for longer than is necessary; the period of time should be agreed between the data controller and data processor.   This is not a new requirement and should apply to all stored personal data (i.e. that stored pre and post GDPR).

Q. How do we reconcile the need to hold personal data for a minimal time with the need to hold source data for PV purposes for 7 to 10 years?

A.

The need to hold personal data must be justified: it must be necessary. If the reason is for PV purposes this should be explained, justified, agreed and recorded.

Q. With regards to deleting data, what if the data is in the 'cloud'?

A.

When personal data must be destroyed, all copies, in all forms, in all storage facilities (including the cloud) must be destroyed.

Global projects and transferring data overseas

Q. For global projects is it the global team's responsibility to ensure GDPR compliance or the EU individual affiliates?

A.

It is the organisation that is either a data controller or a data processor (not an individual office or team).  The commissioning client company is always a data controller and therefore responsible for demonstrating compliance with GDPR.  It is up to the organisation to decide which office/team is accountable for compliance.

Q. Does the GDPR affect organisations outside the EU?

A.

The GDPR applies to processing of personal data by an organisation:

  • Established within the EU, or
  • Not established within the EU where the processing relates to:
      • Offering goods or services, irrespective of whether a payment is required, to individuals within the EU, or
      • Monitoring the behaviour of individuals to the extent that behaviour takes place within the EU

Q. Who needs to approve transfer of data outside of EEA and how?

A.

Data subjects must be informed and agree to their personal data being transferred overseas.   The data controller would need to approve any transfers of data overseas by the data processor or sub-processors (this is likely to be agreed in the contract).  If data is transferred outside of the EEA suitable measures must be in place to guarantee data security e.g. EU model clauses.  You may only transfer data (to a third party or overseas) once it has been adequately protected.

The BHBIA’s Legal & Ethical Guidelines currently state that:

You must not transfer personal data outside the EEA unless there are adequate data protection measures in place. However the EU Commission provides a list of countries or territories providing adequate protection for data subjects in connection with the processing of their personal data, see the European Commission’s data protection website at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/

If you have to transfer personal data to countries outside the EEA that are not listed as having adequate protection, you may consider other means of guaranteeing that the personal data you transfer is adequately protected by:

  • Using other legal grounds, such as unambiguous and explicit consent from individuals for the transfer of their personal data for processing in the US
  • Reviewing and if necessary revising contracts, and considering the use of Model Contract Clauses (as approved by the European Commission)
  • Possibly, in the longer term, implementing binding corporate rules (BCRs) for transfers within a corporate Group, although BCRs are time consuming and can be costly.

Secondary data and profiling

Q. What are the implications of the GDPR for the processing of secondary data that includes personal data?

A.

Broadly speaking GDPR requirements are the same for the processing of secondary data for data analytics as for primary data for market research.  The BHBIA recommends that those involved in data analytics processing secondary data:

  • Audit systems and work out where you are processing personal data
  • Risk assess your processes and if necessary complete privacy impact assessments
  • Review contracts with third party controllers / processors and ensure there is adequate clarity regarding roles and expectations

For further detail and specific secondary data examples please see the ‘Implications of GDPR For Data Analytics’ presentation prepared and delivered by Matt Beckett on 7 September at the BHBIA GDPR Seminar ‘Building the GDPR into every stage of your project’, available to members on the BHBIA website.

Q. Is it possible to ‘profile’ a HCP for targeting (e.g. on the basis of their prescribing behaviour) and use legitimate interests?

A.

Legitimate interests can be used as the legal basis for the use or secondary use of personal data such as targeting.  Whether this is appropriate or not will depend upon:

  • Whether the processing is necessary and proportionate (this in turn must take into account whether any other legal basis is available)
  • Balancing the subject’s rights, freedoms and interests with the controller’s interests
  • Whether the purpose of the data processing (in our case MR) could be reasonably expected by the data subject
  • Having a privacy notice stating the purpose/legitimate interest, which in our case is MR.

Preparing for GDPR

Q. Does meeting ISO27001 cover GDPR requirements?

A.

At present we do not have an answer to this question (the BHBIA’s Legal & Ethical Guidelines are not linked to ISO27001) but we will try to answer it. The answer may depend upon further interpretation of GDPR requirements, as Data Protection Authorities are still in the process of issuing guidance on the interpretation of the GDPR.

Q. What are the implications for historic data held on file and to data in use e.g. lists?

A.

Personal data held on file or in use after 25 May 2018 must meet GDPR requirements.

Q. What should personal members/freelancers (and small companies) be doing to prepare for GDPR?

A.

Broadly speaking the GDPR will affect individuals processing personal data in largely the same way that it impacts organisations.  There may be some differences in terms of record keeping (see the notes below) and risk assessment requirements (if large scale processing of personal data is not undertaken) but on the whole the requirements do not vary with the size of the organisation.

The BHBIA advises personal members to:

  • Understand your role and audit the data processing you do
  • Put the necessary processes in place
  • Document what you do. If your organisation has fewer than 250 employees you are only required to maintain records of activities related to higher-risk processing, although contractual requirements may require all suppliers in the chain to keep detailed records – do check!

The first step is to understand or review your current position in order to know what it is you need to change in order to be GDPR ready.

Review or audit what data processing you do:

  • Your role
  • Source and types of data
  • Type and purpose of processing
  • High risk data processing
  • Your legal basis for processing
  • Record keeping
  • Sharing personal data and transferring it overseas
  • Access, storage and security.

Once you’ve done this you’re in a position to assess the risk associated with your data processing, which will mean carrying out Privacy Impact Assessments for higher-risk activities, and then you’re in a position to think about what you will have to do to mitigate these risks.

You may have identified some gaps in your policies and procedures that need to be filled e.g. your security systems and record keeping may not be up to GDPR standards.

You should now be in a position to develop a GDPR action plan detailing the changes you need to make to be GDPR ready.  You may need to prioritise what you do according to risk.

The changes you may have to put into place could include:

  • Amending contracts / MSA templates
  • Updating policies and processes e.g. data retention, data breach
  • Updating consent statements and privacy notices
  • Building privacy by design and default into all new projects.

The ICO has made available a series resources to help small organisations get to grips with the GDPR; these include:

In addition, the ICO has a series of data protection guidance resources available for small businesses (these relate to the Data Protection Act rather than the GDPR but still provide very useful information):

Information from the BHBIA

Q. In the light of GDPR, will the BHBIA be redrafting the relevant consent forms etc. supplied in the appendices of the BHBIA Guidelines?

A.

Yes, the BHBIA will be updating the Legal and Ethical Guidelines to take GDPR requirements into account in spring 2018; this will include the pro formas in the appendices.

Q. Will the BHBIA be providing a GDPR checklist for its members before GDPR becomes effective to ensure we are all compliant?

A.

The BHBIA is providing a series of guides/updates on GDPR, some of which are already available on the website.

The final format e.g. checklist is dependent on the nature of the information to be communicated.

Q. Where are EphMRA on this topic?

A.

EphMRA are providing their members with GDPR support and information, details of their initiatives are available on the EphMRA website - www.ephmra.org/

Keeping you informed about changes in the UK legal and ethical environment