
BHBIA

FAQ - GDPR

This resource is based on queries that members have sent to our ethics advisor or raised at meetings, grouped under a series of headings.

Please note: this does not provide comprehensive coverage of everything you need to know about GDPR. Please also consult the BHBIA's GDPR Updates page, for the latest guides, which include links to other online information.

If you cannot find the answer to your question in the resources provided, you can submit a new query to our Ethics Advisor. Please use the online Guidelines Query Form. (This service is only available to full BHBIA members and you will need to log in.)

Responses given are not legal advice and if a legal opinion is required this should be sought separately. The information given in the response is for information purposes only. Whilst every reasonable effort is made to ensure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the authors.

Naming the end client

Q. We (the pharma end client) don’t tend to receive any personal data such as the name of the respondent – does the advice about naming the client still count in these circumstances?

A.

Unfortunately, yes it does. According to the ICO’s advice and the view of the European Data Protection Board (EDPB) you can still be a data controller (responsible for determining both the purpose and means of the data processing) without ever receiving/processing any personal data.

For more details see the BHBIA’s Consents for Market Research – what is required and when guide and our most recent news item: An update on naming end clients as data controllers - you can find links to both these here: https://www.bhbia.org.uk/guidelines/gdprupdates.aspx

Q. As an end client I am concerned about commercial sensitivity if we have to be named – and also confusion for the respondent about why we are being named if the research is not promotional. Is there any way around this or do we need to stop doing research in the UK?

A.

If you decide that you are a data controller then you do need to be named (though this could be at the end of the interview).

We have further feedback on the ‘data controller issue’ following a recent meeting of the European Data Protection Board’s (EDPB) key provisions sub-group, which was attended by all the major Member State Data Protection Authorities (DPAs) including the ICO.  The EDPB is the EU body in charge of the application of the GDPR.

We have been informed that the consensus amongst the EDPB group was that, where organisations are jointly determining the purposes and means of processing, they will be considered joint data controllers (in accordance with GDPR Article 26), regardless of whether one controller is only determining the purposes and the other only determining the means. The group was also in agreement that, in a joint controller scenario, where personal data are collected from the data subject, both controllers must be named when the data is obtained (in accordance with the requirements of GDPR Article 13(1)(a)). This thinking is in line with the ICO’s recent advice and makes it clear this is not a UK-only issue.

Please see our most recent news item: An update on naming end clients as data controllers for more details on this.

Q. How do we resolve concerns about disguised promotion – especially when researching pipeline drugs – if we are required to name the client? Should we explain to the respondent that we are doing it because it’s a GDPR requirement, and it is not intended to be promotional in any way?

A.

Yes, this is exactly what we should be doing.

Please also note that the ABPI Code says:
9.10 Material relating to medicines and their uses, whether promotional or not, and information relating to human health or diseases which is sponsored by a pharmaceutical company must clearly indicate that it has been sponsored by that company. The only exception to this is market research material which need not reveal the name of the company involved but must state that it is sponsored by a pharmaceutical company.
(ref: http://www.pmcpa.org.uk/thecode/Documents/Code%20of%20Practice%202016%20.pdf)

Obviously the GDPR requirement to name the client as data controller overrides the ABPI guidance that naming the client is optional, but the important point to note is that naming the client is not in conflict with the ABPI Code, and does not, in itself, imply any disguised promotion.

Q. Can we justify including in our contracts that for studies involving repeat waves, or follow up interviews (e.g. recruit respondents for a follow-up qual study following on from an online quant study) the naming of the client will be at the end of the whole study?

A.

Unfortunately not – if the client is a data controller they have to be named at the end of the first interview, as the GDPR states that the data controller must be named when the personal data is obtained.

Please see our most recent news item: An update on naming end clients as data controllers for the latest on this.

Q. If you have determined that the client is a third party, and they are not receiving any personal data, do you still have to name the client if the respondent asks?

A.

No, as long as it’s clear that the client is not a data controller, then they would not need to be named in this case unless there is a contrary legal obligation e.g. they provided the contact list.

It would be important to document the rationale for determining that the client is not a data controller – i.e. the justification for deciding that they are not determining both the purpose and means of the data processing.

Please see our most recent news item: An update on naming end clients as data controllers for the latest on this.

Q. If our MR client tells us (the fieldwork agency) that they believe their end client is not a data controller, can we go ahead without naming them? Where would the liability lie?

A.

There would need to be documentation of the justification for not defining the client as a data controller. It would be advisable if the agency’s view on respective roles was documented too. The ICO have pointed out that they consider this low risk decision making and not a priority enforcement area.

Please see our most recent news item: An update on naming end clients as data controllers for the latest on this.

Q. If an end client has provided a list for samples, does their name have to be revealed to the respondent even if the list is only used for the purposes of matching to a panel?

A.

If the end client is a data controller then they would have to be named. If the client considers that they are not a data controller, then they would not have to be named.

Please see our most recent news item: An update on naming end clients as data controllers for the latest on this.

Q. Do we have to name the commissioning client company if we receive or transfer personal data to them?

A.

To secure informed consent the recipients or categories of recipients of personal data must be named, so, for example, the commissioning client must be named if they receive non-anonymised recordings of respondents participating in MR. The names of the individuals viewing the recordings do not have to be shared, but the types of people do.

In addition, when the data is not obtained directly from the individual, the data subject must also be informed of the source of the personal data, so, for example, if a list of potential respondents is provided by the commissioning client company they must be named.

In addition, if the end client is a data controller they must be named (regardless of whether or not they receive any personal data). For more on this consult our GDPR updates resource: in particular the Consents for Market Research - what is required and when guide (May) and An update on naming end clients as data controllers (June).

Definitions and roles

Q. The MRS advise that audio data is always personal data however the BHBIA guidance states voice alone is not necessarily personal data, why the difference?

A.

The BHBIA’s guidance within the Legal & Ethical Guidelines July 2018 on whether voice alone should be considered personal data or not is as follows:

Personal data includes sound and image data e.g. non-anonymised audio and video recordings from which an individual could be identified. Image data will always be personal data; a voice alone may or may not be. If an individual belongs to a small universe, e.g. they are a KOL and have a distinctive accent, then voice alone is likely to be an identifier; however, a GP’s voice with a non-descript accent listened to out of area isn’t likely to be identifiable data in isolation.

The MRS has stated within their Data Protection & Research: Guidance for MRS Members and Company Partners 2018, that:

Researchers should always categorise photographs, audio recordings, video recordings and still images as personal data. The ease of technology in linking these to an identifiable person means that there is a higher risk of re-identification for this type of media.

Under the GDPR, personal data is described as follows:
‘…any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’

The BHBIA has consulted with the Information Commissioner’s Office (ICO) on this. The ICO considers the GDPR definition to mean that if you have information that could allow you to identify an individual, either directly or indirectly, or are reasonably likely to have the means to identify an individual, either directly or indirectly, then the data will be personal data. It does depend on the context, i.e. the data will not be personal data if you do not have, and are unlikely to gain, other information that can be used to identify an individual. Organisations will have to look at the specifics of their situation and reach a decision on this. The fact that voice recognition technology exists does not necessarily mean that it should be assumed it could be used within a research context; this is likely to be viewed as unreasonable and disproportionate.

So the ICO has confirmed that whether voice alone is personal data or not is context specific, i.e. it is not necessarily always personal data; it depends on the context (as illustrated in the example provided in the BHBIA guidance above). This has not changed with the introduction of GDPR/DPA 2018.

It may be that clients or agencies will choose to take an overall view that they will err on the side of caution and treat all voice recordings as personal data rather than assess on a project-by-project basis. But the BHBIA did not want to take a more rigid position than is necessary and can be justified by the law, whereas the MRS has taken a more conservative approach.

If organisations are members of both the MRS and the BHBIA, then the MRS’s more demanding guidance should be followed.

Q. Which data privacy notice should be shown to respondents in cases where more than one organisation is involved?

A.

It depends on the precise circumstances, but you may need to show more than one privacy notice – for example the fieldwork agency’s notice when you are recruiting, and the MR agency’s notice within the questionnaire, if it’s the MR agency who will actually be collecting the data on their servers.

Q. If more than one agency is involved in research, whose responsibility is it to keep the consent records?

A.

It probably should be the fieldwork agency as they are the respondent-facing organisation (but with the understanding that the MR agency may want to audit their records). This is in line with GDPR data minimisation principles as it avoids unnecessary duplication/transfer of data.

Q. Is personal data on a website that is accessible (although not necessarily immediately obvious) but was posted for another purpose (e.g. attendee list) subject to GDPR?

A.

The use of personal data for a secondary purpose is only allowable if there is a lawful basis for the processing, e.g. consent has been given or a legitimate interest assessment has been carried out and this is considered an appropriate lawful basis. The secondary use of personal data for ‘research’ is considered a compatible purpose, but the question remains whether commercial market research or data analytics are ‘research’ (as defined by GDPR).

Q. What data are considered to be personal and sensitive?

A.

The GDPR definition of ‘personal data’ is:

  • The GDPR defines personal data as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’ (Article 4)
  • ‘Genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. (Article 4)
  • ‘Biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. (Article 4)
  • ‘Data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status. (Article 4)
  • Special categories of personal data (previously sensitive personal data) - data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. (Article 9)
  • The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes. (Recital 26)

Special category (previously referred to as sensitive) personal data includes racial or ethnic origin, political opinion, religious beliefs, membership of a trade union, physical or mental health or condition, and sexual life. Personal health data includes all data pertaining to health status which reveals information relating to past, current or future physical or mental health status, e.g. disease, disability, disease risk, medical history, clinical treatment. It also includes genetic and biometric data.

Data which when combined could be personal data should be considered and treated as personal data.

Key points to note:

  • Personal data may be made up of more than one piece of information e.g. a job title and a place of work together could identify an individual.
  • Pseudonymised data will still qualify as personal data if you have the ability to reverse the pseudonymisation (i.e. you/your organisation has the information that would re-identify individuals).

Q. What are the roles of Data Controllers and Data Processors?

A.

Data Controllers determine the purpose and means of data processing, so for example, if you influence the design of the work or you maintain a list of potential respondents you are a data controller.

Data controllers are:

  • Responsible for, and able to demonstrate, compliance with GDPR
  • The point of contact for data subjects
  • Determine whether a Privacy Impact Assessment is required and conduct it
  • Able to audit the processor

Data Processors process the data on behalf of the data controller, so if you only act on the instruction of others (such as a market research or fieldwork agency), you are a data processor.

Data processors must:

  • Seek approval to appoint sub-processor
  • Include GDPR obligations in sub-processor’s contract
  • Seek approval to transfer personal data out of EU

Both Controllers and Processors must:

  • Implement technical and organisational measures
  • Make sure contracts contain the right detail
  • Appoint Data Protection Officer if this is required
  • Keep detailed records
  • Build in privacy by design and default
  • Have a legitimate basis for data processing
  • Maintain and store data and records

If a company commissions market research from an independent agency and this agency then conducts all the work on their behalf (under contract) and supplies the company with only aggregated anonymised data (i.e. the company does not have access at any stage to any of the personal data collected by the MR agency), the client company is a data controller as is the agency.

Although the data which the commissioning company will see is anonymised and aggregated, the collection, storage and other processing of personal data is happening for the commissioning company’s overall purpose – without this purpose the processing would not be undertaken at all. The MR agency is applying technical expertise to the selection, processing and interpretation of personal data, meaning they would also be data controllers (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project, including the application of MR methodologies and the design of any questions/interviews).

Q. Who is the ICO?

A.

The ICO is the Information Commissioner’s Office. The ICO is the UK data protection supervisory authority or regulator. The ICO is an independent body set up to uphold information rights in the UK. It is a non-departmental public body which reports directly to Parliament and is sponsored by the Department for Digital, Culture, Media and Sport.

Q. Is the MR agency a data processor if the client dictates the purpose of collection/processing of personal data via a brief and the means of personal data collection/processing?

A.

A data controller determines the purpose and means of processing and a data processor processes the data on behalf of the data controller.

If an agency is applying technical expertise to the selection, processing and interpretation of personal data they would be data controllers (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project, including the application of MR methodologies and the design of any questions/interviews).

So, generally, both the commissioning client company and the MR agency are data controllers, but in some circumstances an MR agency might be a data processor.

Q. Is a fieldwork agency a controller if it conducts the interviewing?

A.

This would depend upon what, if any, other role the fieldwork agency has played in the project. If the fieldwork agency carried out the interviewing alone and did not influence recruitment or guide/questionnaire design then they are likely to be a processor; however, if they have influenced the way in which the work is done then they are more likely to be a controller. Only if an agency is applying technical expertise to the selection, processing and interpretation of personal data would they be data controllers (e.g. making a number of decisions about who, what, where, when and how personal data is processed as part of the project, including the application of MR methodologies and the design of any questions/interviews).

Q. Who would be responsible for a regulation breach if there are two controllers?

A.

Contracts should detail the respective responsibilities of joint controllers. The controller liable for a regulation breach will be the controller responsible for that part of the activity that led to the breach.

Q. Does the size of an organisation determine the need to appoint a Data Protection Officer (DPO)?

A.

No. There was talk of this being the case at one time before the finalisation of the Regulation, but this did not make it into the final draft of the GDPR. Data controllers and data processors must appoint a Data Protection Officer (DPO) if, as a core activity, they carry out large scale systematic monitoring of individuals or large scale processing of special categories of data.

Risk and Privacy Impact Assessment

Q. Is a Data Protection Impact Assessment (DPIA) required for data processing authorized before May 2018?

A.

Current data protection guidance advocates a risk-based approach including risk assessment, but conducting a PIA is not a legal requirement of the Data Protection Act. The GDPR formalises the need for DPIAs and makes it a requirement in some cases. See further information below.

If after 25 May 2018 you continue to rely on risk assessments and DPIAs carried out before this date, you must make sure that these are GDPR compliant. If they are not, you must update your risk assessments and DPIAs. We advise you to update the risk assessment processes and tools that you will rely on after 25 May 2018 as soon as practical if they aren’t GDPR compliant.

Taken from the BHBIA’s ‘Risk and Privacy Impact Assessment’ guidelines, within the Preparing for the General Data Protection Regulation series, available on the BHBIA website.

DPIAs MUST be carried out when:

  • Large scale processing of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to their rights and freedoms
  • Large scale processing of special categories of data (previously referred to as sensitive data)
  • Using new technologies and the processing is likely to result in a high risk to rights and freedoms
  • Automated processing, including profiling, that results in automated decisions having legal effects or similar significant impacts on the data subjects
  • The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual (e.g. personalised targeted direct mailings); profiling is not the same as market research segmentation.
  • Systematic monitoring of a publicly accessible area on a large scale.

Q. What triggers the need for a DPIA?

A.

DPIAs SHOULD be carried out when:

  • The data processing might result in a high risk to the rights and freedoms of the individuals
  • If you are not sure whether your data processing is high or low risk, you need to carry out a DPIA – if in doubt, carry one out!

DPIAs MUST be carried out when:

  • Large scale processing of personal data at regional, national or supranational level; that affects a large number of individuals; and involves a high risk to their rights and freedoms
  • Large scale processing of special categories of data (previously referred to as sensitive data)
  • Using new technologies and the processing is likely to result in a high risk to rights and freedoms
  • Automated processing, including profiling, that results in automated decisions having legal effects or similar significant impacts on the data subjects
  • The GDPR defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual (e.g. personalised targeted direct mailings); profiling is not the same as market research segmentation.
  • Systematic monitoring of a publicly accessible area on a large scale.

Notification and contracts

Q. We are already registered with the ICO as a data controller – do we need to now specifically notify them under GDPR requirements?

A.

The new data protection fee replaces the requirement to ‘notify’ (or register), which is in the Data Protection Act 1998 (the 1998 Act). Although the 2018 Regulations come into effect on 25 May 2018, this doesn’t mean everyone has to pay the new fee on that date. Controllers who have a current registration (or notification) under the 1998 Act do not have to pay the new fee until that registration has expired.

Q. If you have a master data processing agreement with a client that defines them as a data controller, could you have a project-specific variation on this – i.e. could they take a different position for an individual project?

A.

Yes, if there were specific circumstances that justified departing from the agreement. Ideally the master agreement would include a clause that catered for exceptions.

Q. How do we demonstrate that sub-contractors are working within the GDPR rules?

A.

Sub-contractors/processors that process personal data on behalf of a data controller or processor must be under contract. Their responsibilities should be detailed in the contract. The option to audit the policies and processes of sub-processors may be included in the contract. Sub-contractors, like all other parties in the data processing chain, are accountable, and part of that means keeping records of their data processing activities.

Q. How do we manage responsibilities for data gathered by third parties or passed to third parties?

A.

Third party responsibilities should be defined and managed through contracts or third party agreements. For further details on the use of third party contracts please see the BHBIA’s Guidelines for the Use of Secondary Data - Sharing of and External Use of Purchased Data Assets, available on the BHBIA website.

Q. If the commissioning client company does not provide a contract, what should we do?

A.

The GDPR does not state which party is responsible for providing the contract; it only states that there has to be a contract in place between controller and processor or between processor and processor. The contract does have to be signed off in some way by both parties.

Q. Do you need to register yourself as a data controller and/or processor with the ICO if you are a freelancer?

A.

The current notification requirements are as follows:

Most organisations that process personal data must notify the ICO of certain details about that processing. However, the Act provides exemptions from notification for:

  • organisations that process personal data only for:
      • staff administration (including payroll);
      • advertising, marketing and public relations (in connection with their own business activity); and
      • accounts and records;
  • some not-for-profit organisations;
  • organisations that process personal data only for maintaining a public register;
  • organisations that do not process personal information on computer.

Exemptions are also available in relation to:

  • national security and the armed forces;
  • personal data that is processed only for research, statistical or historical purposes;

https://ico.org.uk/for-organisations/guide-to-data-protection/exemptions/

Under GDPR, this is what we know at present about new notification requirements:

When the new data protection legislation/GDPR comes into effect next year there will no longer be a requirement to notify the ICO in the same way. However, a provision in the Digital Economy Act means it will remain a legal requirement for data controllers to pay the ICO a data protection fee.

The current draft proposal is a three tier system, which will differentiate between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

https://iconewsblog.org.uk/2017/10/05/ico-fee-and-registration-changes-next-year/

The ICO expects to know more by the end of 2018 and will communicate further when they do.

Q. What terms/changes might we need to make to our contracts?

A.

Expect contracts under GDPR to include:

  • Details of specific processing - subject matter, duration, nature, purpose, type of data & type of data subjects
  • Risk & DPIAs requirements
  • Information necessary to demonstrate compliance
  • Safeguards - technical & organizational incl. confidentiality
  • Retention, return, deletion requirements
  • Data breach notification
  • Inspection & auditing requirements
  • Liabilities, assurances & indemnities for legal action
  • Respective responsibilities of joint controllers

Data processors need the data controller’s written consent to appoint sub-processors, e.g. freelancers – sub-processors must adhere to GDPR too, and processors must have contracts with named sub-processors.

GDPR is not clear about whether the obligation to include processor clauses in contracts falls on the controller, the processor or both. The GDPR simply says these clauses must be included, so it is possible that both the controller and the processor must ensure they are included.

Q. Could GDPR requirements be detailed in a study protocol rather than the legal contract with the client if the contract refers to the protocol?

A.

This would have to be established by lawyers/legal advice.

Legal bases and respondent rights

Q. How should you handle the situation in which a respondent is completing a questionnaire on behalf of other family members – i.e. they are supplying others’ personal data?

A.

You need a lawful basis for collecting personal data. It may be that in this case you could combine consent (for the individual filling in the survey) with legitimate interest (for the other household members). You would need a legitimate interest assessment to document this – e.g. potentially this could include the argument that consent is not practical in this scenario, but this would then preclude the collection of any special category data about other household members.

Q. Is it the expectation that when passing on DFU call data, the client will have obtained consent for this data to be passed to the agency for detail follow up purposes?

A.

Passing on data does require a lawful basis. Consent is a potential basis (note: explicit consent is not necessary as this is not special category data), but in most cases it is more likely that the client will rely on legitimate interests. Generally clients are using this basis for processing CRM data, and it’s logical that this would also apply to transferring data for MR purposes. It would be necessary for the pharma company to do a legitimate interest assessment to justify this – and we recommend that agencies ask the client to confirm in writing their legal basis before they transfer the data.

Q. Does verbal consent need to be audio recorded?

A.

No, verbal consent does not have to be audio-recorded.  The ICO advises within its guidance that if consent is given orally, you should keep a note of this made at the time of the conversation - it doesn’t need to be a full record of the conversation.

Q. What must we do if an individual makes a subject access request and wants to see film footage they are included in?

A.

Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.

The right of access allows individuals to be aware of and verify the lawfulness of the processing. You must provide a copy of the information free of charge. However, you can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. Information must be provided without delay and at the latest within one month of receipt. You must verify the identity of the person making the request, using ‘reasonable means’. In providing access you should only allow access to the individual’s own personal data and not that of other individuals, which may mean that the material has to be edited before access is provided.

Q. How valid is 'informed' consent when the terms of consent are extensive?

A.

Consent has to be clear, specific and granular, but at the same time it also has to be concise. These requirements may conflict at times, as all the information required to support informed consent can be difficult to deliver clearly and concisely. The ICO has suggested that:

“You must clearly explain to people what they are consenting to in a way they can easily understand. The request for consent needs to be prominent, concise, separate from other terms and conditions, and in plain language. 
If the request for consent is vague, sweeping or difficult to understand, then it will be invalid. In particular, language likely to confuse – for example, the use of double negatives or inconsistent language – will invalidate consent.”

Q. Is consent needed to store data that is publicly available?

A.

No, assuming that no other (non-publicly available) data are added to it.

Q. What is the difference between asking not to be contacted and asking for your personal data to be erased?

A.

Under GDPR individuals have a new right to erasure, also known as the right to be forgotten.  This gives the individual the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

Individuals also have a right to restrict processing of personal data.  When processing is restricted, you are permitted to store the personal data, but not further process it.  You can retain just enough information about the individual to ensure that the restriction is respected in future. 

If an individual asks not to be contacted for the purpose of market research they are exercising their right to restrict processing (not their right to erasure).  It is important not to confuse the two different rights.  Quite clearly if you are going to observe a request not to be contacted for the purposes of market research you will need to store some personal data to do this.

If an individual specifically asks that their personal data is deleted and that they are not contacted again, the conflict between the two requests should be pointed out and their consent to hold their personal data for the purpose of making sure they are not contacted for market research should be requested.

Lists of individuals that should not be contacted may be passed on to sub-contractors; the legal basis for this processing might be consent or legitimate interests.

Data breaches

Q. Can you give some examples of how companies might fail in terms of their accountabilities?

A.

The accountability principle requires that you show how you comply with GDPR requirements, so failure to define responsibilities in contracts, to record data processing activities such as consent processes and agreements, or to have a breach handling process in place would all be examples of accountability failings.

Data security, retention and destruction, incl. record keeping

Q. What if a company employee travels abroad with their laptop containing personal data – for example on holiday?

A.

If the company is a data controller or data processor, or the laptop holds the personal data of data subjects, GDPR requirements must still be met.

Q. What is the situation with respect to organisations holding data on back-up servers and GDPR requirements (e.g. requirement to name them)?

A.

If the company hosting the backed-up data does not have access to it – because the agency holds the key to accessing the data – then they would not be considered to be ‘processing’ the data.

Q. For how long should AE reports be stored by pharma companies after being reported by agencies?

A.

There is no specific guidance on the length of time records of consent should be stored for; the same rule applies as to the retention of all personal data – it should be stored for as long as it is necessary (until the purpose for which it is held is redundant).

Q. Would a small business be expected to maintain the same standard of written documentation as a large enterprise?

A.

If you have 250 or more employees, you must document all your processing activities. There is a limited exemption for small and medium-sized organisations. If you have fewer than 250 employees, you only need to document processing activities that:

  • Are not occasional; or
  • Could result in a risk to the rights and freedoms of individuals; or
  • Involve the processing of special categories of data or criminal conviction and offence data.

The Article 29 Working Party (WP29) is currently considering the scope of the exemption from documentation of processing activities for small and medium-sized organisations and once they have issued guidance then the BHBIA will pass this on to its members.

Q. Are Google password-protected spreadsheets compliant?

A.

The BHBIA cannot provide advice on specific hardware or software solutions. The security measures you put in place should take into account the:

  • Threats to, value and sensitivity of the data
  • Damage that could be caused to individuals if there is a security breach
  • State of the art, the costs of implementation and the nature, scope, context and purposes of the data processing.

Consequently there is no one set of security measures or solutions that will suit all situations. For further general guidance on data security considerations, see the BHBIA’s GDPR Update on Data Security including Breaches and International Transfers, which is available on the BHBIA website.

Q. Can you tell us about the hardware/software infrastructure requirements for secure data storage?

A.

The BHBIA has provided some general guidance on data security considerations within its GDPR Update on Data Security including Breaches and International Transfers, which is available on the BHBIA website.

Q. How long does consent need to be kept for?

A.

There is no specific guidance on the length of time records of consent should be stored for, but the same rule applies as to the retention of all personal data – it should be stored for as long as is necessary (until the purpose for which it is held is redundant).

Q. Data retention period should be 'appropriate', how long is appropriate?

A.

The GDPR does not provide any guidance on how long is appropriate, nor are data protection regulators likely to issue any. Personal data should not be held for longer than is necessary; the period of time should be agreed between the data controller and data processor. This is not a new requirement and should apply to all stored personal data (i.e. that stored pre and post GDPR).

Q. How do we reconcile the need to hold personal data for a minimal time with the need to hold source data for PV purposes for 7 to 10 years?

A.

The need to hold personal data must be justified; it must be necessary. If the reason is for PV purposes this should be explained, justified, agreed and recorded.

Q. With regards to deleting data, what if the data is in the 'cloud'?

A.

When personal data must be destroyed, all copies, in all forms, in all storage facilities (including the cloud) must be destroyed.

Global projects and transferring data overseas

Q. When the personal data of a non-EU citizen is processed by an EU based controller or processor, is the non-EU citizen covered by GDPR and do they have data subject rights?

A.

If the controller or processor is established in the EU then they must meet GDPR requirements even if the data subject is a non-EU citizen based outside the EU.  So if the personal data of a non-EU based individual is processed by an organisation based within the EU, the individual has data protection rights.

Q. If we have to transfer personal data out of the EU, what information must we give the data subject?

A.

Data subjects must be provided with details of any data transfer to countries without adequate data protection (generally countries outside the EEA).  Privacy notices should include details of any transfer to a third country, the safeguards, means by which to obtain a copy of them and where they have been made available.

Q. For global projects is it the global team's responsibility to ensure GDPR compliance or the EU individual affiliates?

A.

It is the organisation that is either a data controller or a data processor (not an individual office or team).  The commissioning client company is always a data controller and therefore responsible for demonstrating compliance with GDPR.  It is up to the organisation to decide which office/team is accountable for compliance.

Q. Does the GDPR affect organisations outside the EU?

A.

The GDPR applies to processing of personal data by an organisation:

  • Established within the EU, or
  • Not established within the EU where the processing relates to:
      • Offering goods or services, irrespective of whether a payment is required, to individuals within the EU, or
      • Monitoring the behaviour of individuals to the extent that behaviour takes place within the EU

Q. Who needs to approve transfer of data outside of EEA and how?

A.

Data subjects must be informed and agree to their personal data being transferred overseas. The data controller would need to approve any transfers of data overseas by the data processor or sub-processors (this is likely to be agreed in the contract). If data is transferred outside of the EEA, suitable measures must be in place to guarantee data security, e.g. EU model clauses. You may only transfer data (to a third party or overseas) once it has been adequately protected.

The BHBIA’s Legal & Ethical Guidelines currently state that:

You must not transfer personal data outside the EEA unless there are adequate data protection measures in place. However the EU Commission provides a list of countries or territories providing adequate protection for data subjects in connection with the processing of their personal data, see the European Commission’s data protection website at: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-8-international/

If you have to transfer personal data to countries outside the EEA that are not listed as having adequate protection, you may consider other means of guaranteeing that the personal data you transfer is adequately protected by:

  • Using other legal grounds, such as unambiguous and explicit consent from individuals for the transfer of their personal data for processing in the US
  • Reviewing and if necessary revising contracts and consider using Model Contract Clauses (as approved by the European Commission)
  • Possibly in the longer term implementing binding corporate rules (BCRs) for transfers within a corporate Group, although BCRs are time consuming and can be costly.

Application to specific scenarios

Q. In social media research/scraping, if you have identifiable pseudonyms that can be traced back, what are the requirements under GDPR?

A.

Identifiable pseudonyms are personal data so GDPR requirements apply. All the same rules apply to social media as to any other MR medium – so to be GDPR compliant you need to provide all the required information to the data subject at the first appropriate opportunity (or check if it’s already in the social media site’s T&Cs).

Q. What are the implications of GDPR for adverse event reporting?

A.

The GDPR will impact the processing of personal data for adverse event reporting in the same way that it impacts data processing for market research – the same requirements will apply.

Q. Does GDPR apply to projects involving social media listening?

A.

Yes, the GDPR will apply to all forms of data processing, all media and all sources of data.

Q. Will client companies be able to observe non-anonymised fieldwork in person without their organisation being named on the consent form?

A.

This is under discussion with the ICO at present. The GDPR requires that when personal data are processed, those organisations that will have access to it are named in order to secure the data subject’s informed consent (to allow the access). Current ICO advice (on the interpretation of the UK Data Protection Act) allows us to withhold the names of the recipient company if there is a genuine threat of bias or disguised promotion. The demands of the GDPR are more stringent and this advice may not stand.

Q. For observation of interviews - respondent consent - what exactly does 'include recipients' mean? How much detail is needed?

A.

The GDPR requires that when personal data are processed, those organisations that will have access to it are named in order to secure informed consent (to allow the access).  The name of the organisation should be provided as well as the roles of the individuals/teams that will have access e.g. market researchers, marketing, drug safety personnel.  Individuals do not have to be named.

Q. When transcribing or translating video recorded interviews, do we need to check with the commissioning MR agency that the participant has given consent for a third party processor to access their data?

A.

Yes. Valid consent must be specific; it must include the data controller’s identity and any third parties who will be relying on the consent.

Secondary data and profiling

Q. What are the implications of the GDPR for the processing of secondary data that includes personal data?

A.

Broadly speaking GDPR requirements are the same for the processing of secondary data for data analytics as for primary data for market research.  The BHBIA recommends that those involved in data analytics processing secondary data:

  • Audit systems and work out where you are processing personal data
  • Risk assess your processes and if necessary complete privacy impact assessments
  • Review contracts with third party controllers / processors and ensure there is adequate clarity regarding roles and expectations

For further detail and specific secondary data examples please see the ‘Implications of GDPR For Data Analytics’ presentation prepared and delivered by Matt Beckett on 7 September at the BHBIA GDPR Seminar, Building the GDPR into every stage of your project, available to members on the BHBIA website.

Q. Is it possible to ‘profile’ a HCP for targeting (e.g. on the basis of their prescribing behaviour) and use legitimate interests?

A.

Legitimate interests can be used as the legal basis for the use or secondary use of personal data, such as targeting. Whether this is appropriate or not will depend upon:

  • Whether the processing is necessary and proportionate (this in turn must take into account whether any other legal basis is available)
  • Balancing the subject’s rights, freedoms and interests with the controller’s interests
  • Whether the purpose of the data processing (in our case MR) could be reasonably expected by the data subject
  • Having a privacy notice stating the purpose/legitimate interest, which in our case is MR.

Preparing for GDPR

Q. How will consent forms have to change, post GDPR?

A.

Both the way in which consent is secured and the terms required to secure consent will change under GDPR. The GDPR definition of consent is similar to, but a little more detailed than, the Data Protection Directive definition. Consent under GDPR refers to:

“any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

For further details on the ‘terms and conditions’ of consent please see the BHBIA’s guidance GDPR – Legal Grounds for Data Processing, which is available on the BHBIA website.

Q. Does meeting ISO27001 cover GDPR requirements?

A.

At present we do not have an answer to this question (the BHBIA’s Legal & Ethical Guidelines are not linked to ISO27001), but we will try to answer it. The answer may depend upon further interpretation of GDPR requirements; Data Protection Authorities are still in the process of issuing guidance on the interpretation of the GDPR.

Q. What are the implications for historic data held on file and for data in use, e.g. lists?

A.

Personal data held on file or in use after 25 May 2018 must meet GDPR requirements.

Q. What should personal members/freelancers (and small companies) be doing to prepare for GDPR?

A.

Broadly speaking the GDPR will affect individuals processing personal data in largely the same way that it impacts organisations.  There may be some differences in terms of record keeping (see the notes below) and risk assessment requirements (if large scale processing of personal data is not undertaken) but on the whole the requirements do not vary with the size of the organisation.

The BHBIA advises personal members to:

  • Understand your role and audit the data processing you do
  • Put the necessary processes in place
  • Document what you do. However, if your organisation has fewer than 250 employees you are only required to maintain records of activities related to higher-risk processing, although contractual requirements may require all suppliers in the chain to keep detailed records – do check!

The first step is to understand or review your current position in order to know what it is you need to change in order to be GDPR ready.

Review or audit what data processing you do:

  • Your role
  • Source and types of data
  • Type and purpose of processing
  • High risk data processing
  • Your legal basis for processing
  • Record keeping
  • Sharing personal data and transferring it overseas
  • Access, storage and security.

Once you’ve done this you’re in a position to assess the risk associated with your data processing, which will mean carrying out Privacy Impact Assessments for higher-risk activities, and then you’re in a position to think about what you will have to do to mitigate these risks.

You may have identified some gaps in your policies and procedures that need to be filled e.g. your security systems and record keeping may not be up to GDPR standards.

You should now be in a position to develop a GDPR action plan detailing the changes you need to make to be GDPR ready.  You may need to prioritise what you do according to risk.

The changes you may have to put into place could include:

  • Amending contracts / MSA templates
  • Updating policies and processes e.g. data retention, data breach
  • Updating consent statements and privacy notices
  • Building privacy by design and default into all new projects.

The ICO has made available a series of resources to help small organisations get to grips with the GDPR; these include:

In addition, the ICO has a series of data protection guidance resources available for small businesses (these relate to the Data Protection Act rather than the GDPR but still provide very useful information):

Information from the BHBIA

Q. What are your recommendations for independent members/small companies taking out indemnity insurance to cover any possible GDPR related problems?

A.

The BHBIA cannot provide any guidance on the type or limits of indemnity insurance that organisations could consider.  We can only advise that Contractual Liability & Indemnity Provisions are considered.  Legal advice on this issue may be required.

Q. Are there any templates for e.g. GDPR-ready consents etc.?

A.

The BHBIA will be updating the Legal and Ethical Guidelines to take GDPR requirements into account in spring this year; this will include the pro formas in the appendices.

Q. In the light of GDPR, will the BHBIA be redrafting the relevant consent forms etc. supplied in the appendices of the BHBIA Guidelines?

A.

The BHBIA is in the process of updating the Legal and Ethical Guidelines to take GDPR requirements into account.

In the meantime we have provided a new set of GDPR-ready pro formas.

Q. Will the BHBIA be providing a GDPR checklist for its members before GDPR becomes effective to ensure we are all compliant?

A.

The BHBIA is providing a series of guides/updates on GDPR – some of which are already available on the website.

The final format e.g. checklist is dependent on the nature of the information to be communicated.

Q. Is there someone at the BHBIA who could review our GDPR plans to make sure they cover everything?

A.

We are sorry, but the BHBIA does not have the resource to offer individual review of policies/documents/plans in relation to GDPR (in the same way that we cannot offer individual review of market research materials or any other documents).

For GDPR guidance, please refer to the online resources in the Guidelines > GDPR Updates section of the website. We also recommend that if a legal opinion is required you consult your in-house legal team if you have one, or an external lawyer if not.

Of course, if you have a specific query, you can send it in via the Guidelines advisory service in the usual way (BHBIA members only) and we will do our best to provide a response.

Q. Where are EphMRA on this topic?

A.

EphMRA are providing their members with GDPR support and information, details of their initiatives are available on the EphMRA website - www.ephmra.org/

Keeping you informed about changes in the UK legal and ethical environment
