Unpicking the impact of the GDPR on genomic data
A summary of our report, The GDPR and genomic data
Policy briefing
The collection and sharing of genomic data is integral to the continual development of genomic science and healthcare, but presents a particular challenge for data protection. Reconciling the two is vital if policymakers and regulators are to ensure that genomic science for healthcare continues to progress, whilst also safeguarding individuals’ privacy and rights.
The General Data Protection Regulation (GDPR), a comprehensive new data protection regime, governs all processing of personal data within the whole of the EU and EEA, as well as some forms of processing anywhere in the world. Since its early stages, the genomics community has highlighted the impacts the GDPR could have on medical research and practice.
The scale of the challenge
Data protection of genomic data is complex: some genomic data confer sensitive information and may be used to identify individuals, but the vast majority of the genome is common to everyone. This is a dynamic situation, because genomic data can become more useful and reveal more as scientific understanding increases over time.
Generating and analysing genomic data through cutting-edge technology is no simple matter, but data protection raises a series of further challenges:
- When do genetic or genomic data count as ‘personal data’ governed by the GDPR?
- When and how does the GDPR apply to genomics research collaborations?
- On what basis can genomic data be lawfully processed for healthcare and research?
- How can data subject rights and obligations be fulfilled under the GDPR?
- What is required for lawful genomic data sharing within and outside the EU?
- What can be done to mitigate risks and adequately safeguard genomic data?
The answer to these questions always depends on the precise circumstances, but at present there is also a lack of consensus on what the GDPR actually requires.
Finding clarity
The central challenge for genomic healthcare and research is uncertainty and ambiguity about how this general Regulation, which is still in its infancy, applies to the specific context of genomic data. For some pressing questions there are already possible answers:
- Not all genetic data will be ‘personal data’, but making this assessment involves consideration of the data, who may access them, the technical and organisational safeguards that are in place and what external information could be used to identify an individual in context
- ‘Pseudonymised data’ do not always have to remain ‘personal data’ if sufficiently safeguarded and de-identified
- Consent is unlikely to be the most appropriate legal basis for processing genomic data for healthcare or research in the UK because better alternatives are available for these purposes
A way ahead
Despite the ambiguity there is an opportunity for the genomics community, regulators and policymakers to work together and establish appropriate standards for genomic medicine and research.
In particular, sector-specific codes of conduct or certification mechanisms could be formally approved and relied on to demonstrate compliance with aspects of the GDPR including:
- Agreeing the technical methods that are sufficient to safeguard genomic data and the appropriate legal and organisational measures for controlling access for research or healthcare purposes
- Best practice for fulfilling data subject rights in the genomics context: for example, how to reconcile the rights of several individuals to ‘shared’ genomic data
- Adequate safeguards for the transfer of genomic data outside the EU or to international organisations
Developing codes or certifications will be challenging because they require broad agreement and in many cases approval at a European level. To try and reach consensus more quickly and to establish some level of certainty for genomic data processing under the GDPR, the genomics community should begin to consider:
- A broad and sector-wide self-regulatory code to establish and harmonise rules for genomic data
- Topic-specific or sub-sector codes and certification schemes that aim to crystallise best practice and obtain approval under the GDPR.
Resource for policymakers and the genomics community
The Information Commissioner’s Office awarded the PHG Foundation a research grant to investigate how the GDPR impacts upon the field of genomics. The GDPR and genomic data report provides a detailed legal analysis of the many ways in which the GDPR impacts genomic healthcare and research, highlights areas for urgent attention, and makes recommendations for the genomics community, regulators and policymakers to maintain the flow of genomic data for healthcare and scientific research.