The future of EU privacy regulations on biobanks and iPSC research

A key feature of the banking of human biomaterials for research in the field of regenerative medicine is the collection of associated information and data: technical details regarding cells and tissue samples, personal information about sample donors, and research datasets generated from the use of human bioresources. Balancing the need to protect the privacy of individual donors or research participants with the facilitation of effective research is an ongoing challenge. The new EU General Data Protection Regulation, while aiming to provide better safeguards for individuals’ personal data, may also have significant implications for the data protection practices of researchers, industry, and biobanks around the globe.

What background and points are discussed?

The writers explain some of the requirements of the new GDPR that will affect iPSC research and biobanks. The new rules for explicit and detailed consent will require donors to sign several individual statements for the collection, manipulation, use, storage and distribution of cell samples and personal details. The GDPR requires that organisations that hold personal data from EU citizens follow European law, no matter where the data is stored or used. Also, organisations and researchers using personal data must keep records of who holds the data, how it is processed, what types of data are held, who has been given the data, for how long, and how the data has been kept safe. Organisations holding large amounts of personal data or with more than 250 employees will be required to have a ‘Data Protection Officer’ (DPO) to make sure everything is done correctly and to keep records up to date. The new law means that only data that is necessary for the task should be collected and it should only be held for a short time. The transfer of cell samples and data to countries that have not ratified the GDPR is prohibited unless a relevant Supervisory Authority makes an exception. This will only happen if a foreign country shows that it has the same standard of rules to protect personal privacy and data.