GDPR supports biomedical research, says Spanish data watchdog

In a new report, La Agencia Española de Protección de Datos (AEPD) said (8-page / 159KB PDF) the existing regulatory framework in force in Spain relating to the processing of data for biomedical research purposes would not need to be altered because of the introduction of the GDPR, which will apply from 25 May.

Madrid-based lawyer Paloma Bru of Pinsent Masons, the law firm behind Out-Law.com, said the "very extensive" biomedical research industry in Spain had been concerned that the GDPR would negatively impact on their activities. As a result, it will welcome the AEPD's report, she said.

"The industry's concerns were around some of the extra rights that the GDPR provides to data subjects and the additional security measures that the Regulation requires are put in place to protect personal data," Bru said.

"Health data, critical for biomedical research, is considered to be a special category of information under the GDPR, and this means that, generally unless other public interest reasons apply, the processing of personal data revealing information about someone's health is prohibited unless the data subject has given explicit consent to the processing," she said.

However, Bru said that the AEPD confirmed that the GDPR, taken together with the new Organic Law on Data Protection being introduced in Spain, provides a more flexible interpretation of the scope that can be given to the consent given by the data subject, and builds on exiting regulations governing biomedical research.

For consent to be valid under the GDPR, it must be freely given, specific, informed and an unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Despite the AEPD's positive report, Bru said that there were a number of actions that biomedical research bodies should take to ensure they comply with the GDPR.

"The organisations should update the information to be provided to the data subject where personal data are collected, as the GDPR extends the information which needs to be provided in those circumstances," Bru said. "They should also check that their consent mechanisms comply with the GDPR's requirements."

Bru also said that it is mandatory for biomedical researchers to assess whether they need to carry out a data protection impact assessment for new data processing operations they intend to engage in. In many circumstances such an assessment will be required, she said.

"In this context, organisations should take into account the nature, scope, context and purposes of the processing, and whether they are likely to result in a high risk to the rights and freedoms of the data subjects," Bru said.

Each organisation should also establish a data breach incident response plan to ensure they can comply with the GDPR's new data breach notification rules, and they will also face a duty to maintain records regarding their processing activities, she said.

Bru said biomedical research bodies should also review their data processing agreements to ensure that they reflect the GDPR's new rules and that they should also review their data security obligations under the GDPR.

The specific technical and organisational security measures that the organisations will need to implement to safeguard the personal data they process will depend on the level of risk to the rights and freedoms of individuals associated with that processing, Bru said. Factors such as the available security solutions on the market and the costs of their implementation, as well as the nature, scope, context and purposes of processing, will all be relevant to that assessment, she said.

In some cases, biomedical research bodies may also be required to appoint a data protection officer, she said.