Frequently Asked Questions Regarding the EU General Data Protection Regulation (GDPR)
Q: What is the GDPR?
A: GDPR stands for General Data Protection Regulation. It is a European Union Regulation, effective starting May 25, 2018, designed to ensure protection of personal data and the rights of individuals across EU member states. GDPR replaces the EU Data Protection Directive of 1995 and The UK Data Protection Act of 1998.
Q: Does GDPR apply to you?
A: GDPR applies to anyone controlling or processing personal data of individuals residing in the EU when the data is accessed. Thus, GDPR applies to anyone conducting clinical research within the EU. For example, if you are a U.S. company, and you have a research site in the EU, GDPR applies to you.
Q: What is OpenClinica’s role under GDPR?
A: GDPR defines the roles of data controller, and data processor. OpenClinica works primarily as a data processor for our customers (who have the role of controller).
Q: What commitments does OpenClinica make with regard to the GDPR?
A: The GDPR requires that controllers (such as customers using OpenClinica’s software) only use processors (such as OpenClinica) that provide sufficient guarantees to meet key stipulations of the GDPR. OpenClinica has taken a number of steps to provide these guarantees. We are 100% committed to our customers’ success and the protection of their data, which is why you can count on our commitment to GDPR compliance.
Q: Is OpenClinica Privacy Shield certified?
A: Yes. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The Privacy Shield Framework provides a set of robust and enforceable protections for the personal data of EU individuals.
Q: How does OpenClinica help me comply with GDPR?
A: OpenClinica has numerous policies, procedures, and business practices which are aligned to support GDPR, as well as data privacy and security in general. OpenClinica is happy to support our customers as part of their Data Protection Impact Assessment (DPIA). One of the best ways we are able to help our customers who are subject to the GDPR comply with the regulation, is by entering into a data processing agreement (DPA). A DPA creates a clear and specific contractual framework between OpenClinica and our customers with regards to GDPR.
Q: What are OpenClinica’s other compliance offerings?
A: In addition to GDPR, OpenClinica is committed to helping our customers meet other regulatory compliance requirements, including ICH GCP, 21 CFR Part 11, and HIPAA. We provide a variety of tools and information resources to help demonstrate compliance, including SOPs, security documentation, and validation resources (SRS, test scripts, traceability matrices).