April 1, 2019
EMERGO BY UL SUMMARY OF KEY POINTS:
Following Emergo by UL’s recent webinar on the European Union’s General Data Protection Regulation (GDPR) and human factors studies for medical devices, we examine key GDPR compliance issues human factors researchers must address to avoid steep penalties. The webinar was presented by Allison Strochlic and Alexandria Trombley, Research Director and Human Factors Specialist, respectively, at Emergo by UL’s Human Factors Research & Design (HFR&D) division, as well as two legal experts from Sidley Austin, Geraldine Scali and Kate Heinzelman.
Reflecting some key takeaways from the webinar, four high-level items that human factors researchers should consider carefully for GDPR compliance are:
Establishing contracts that clarify which party will serve as the data controller (the party that determines the purposes and means of processing) and which party, or parties, will serve as the data processor(s) (those processing personal data on the controller's behalf) is a crucial early step toward GDPR compliance. Defining these roles in accordance with GDPR requirements may not be a clear-cut process, particularly when a sponsor, a research firm, and third-party vendors are all involved, in which case legal support might be required to make these determinations. Designating the controller and processor roles determines each party's obligations from that point forward, so the decision should be made and documented before any participant data is collected.
Proper documentation, including a written rationale for data collection and management practices, is essential to comply with the GDPR. Data controllers should ensure that they properly account for all decisions regarding how they and the data processor will collect, process, and protect personal and sensitive data (health-related information falls under the GDPR's "special categories" of personal data) from and about study participants (or "data subjects" per the GDPR). Proper documentation also facilitates agreement among all stakeholders on the selected approaches and provides the evidence a regulator would expect to see if the study's data handling were ever questioned.
Human factors researchers must ensure that study participants are notified of how their data will be collected, processed, and protected. They must also inform participants of their rights to access and rectify their data. The privacy policy and informed consent form are commonly used for this purpose, and it is key that study participants sign off on the stated approaches and practices via these forms. Note that a signed form documents that notice was given; the underlying consent must still be freely given, specific, and informed, and participants must be able to withdraw it.
Finally, human factors researchers may be wondering to what extent, if any, they should comply with the GDPR if they are not conducting studies in Europe. Even if you are not conducting research in the EU with EU residents, you might still need to comply with the GDPR. For example, if you are conducting a study in the US, but you and/or the study sponsor are offering goods and services to people in the EU, or monitoring their behavior in any way, you might be subject to the GDPR. As such, researchers would be well served to develop best practices that comply with the GDPR for any human factors study involving the collection and analysis of personal and sensitive data, regardless of where such activities occur.