Personal data privacy has taken another evolutionary step with the release of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons, the General Data Protection Regulation (GDPR). If you work for an organization that is not based in the EU, you may or may not be aware of the GDPR. The GDPR came into effect on May 25, 2018.
In this article, we will discuss the GDPR, whether it applies to your clinical trial and, if it does, the five considerations that non-EU-based sponsors should be aware of to make sure their studies are compliant with GDPR requirements.
First, before we move into our top 5, let’s clarify the most important foundational point about clinical trials and GDPR – applicability.
Is the GDPR applicable to my clinical trial?
Answer: If your clinical trial collects personal data from citizens within the European Economic Area (EEA), then yes, the GDPR applies to your study. To be clear, personal data can be from patients, investigators, or even from the CRO employees. We will expand on this list further below.
Please note, the application of the GDPR is relevant to both your company at the corporate level (think website and contact management system as an example), and at the clinical trial level. For this article, we will focus our conversation only on the clinical trial aspects of the GDPR.
In the scenario of clinical trials, we are dealing with the processing of personal data from several types of data subjects. The main category of personal data processed for scientific or research purposes, the health data of clinical trial patients, falls under the special categories of personal data. However, other types of personal data should not be disregarded, such as the data of investigators, site staff, CRO and vendor staff, Sponsor personnel, Committee Members, and so on, all of which are covered by the GDPR.
Resource: For a deeper perspective, listen to our on-demand GDPR webinar – “What is GDPR? How does it impact clinical trials and our industry?”
Getting your GDPR house in order…
It is important that the various organizations involved in a clinical trial understand how they will be affected by the GDPR and that they establish their roles and responsibilities at an early stage, particularly before the processing of data commences. This will help to ensure that there are no gaps in an organization’s responsibilities. Particular attention to responsibilities is warranted for a non-EU Sponsor conducting clinical trials in the EU.
A very useful tool for this assessment would be developing a data flow map that would cover all involved parties and data subjects, as well as all transfers and data flows of personal data for a specific data subject, and provide an overview of the main requirements. Below we will cover the top five (5) considerations a non-EU based sponsor should be aware of to achieve compliance with the GDPR.
Resource: Download a free copy of our “GDPR Controller & Processor Checklist.”
The top 5 considerations are…
1. Incorporation of Adequate GDPR Language in Contracts
The parties must ensure that adequate data protection terms are included in contracts between the different roles and contracting parties:
- Sponsor – CROs (Controller – Processor)
- Sponsor – contracted vendors (Controller – Processor)
- CRO – contracted vendors (Processor – Sub-Processor)
- vendors – contracted vendors (Processor – Sub-Processor)
- CRO/Sponsor – sites (Processor or Controller – Processor or Sub-Processor)
To learn about the “roles” mentioned above (e.g., Controller, Processor), refer to our GDPR webinar – “What is GDPR? How does it impact clinical trials and our industry?”
2. Safeguards for data transfers
Where personal data is transferred outside the European Union (EU) and European Economic Area (EEA) to third-party countries or international organizations, the parties involved need to ensure that adequate safeguards for data transfers are in place, unless the country or international organization to which the data is being transferred has received an adequacy decision from the European Commission.
These “safeguards” may include a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, standard data protection clauses adopted by the Commission or a supervisory authority, an approved code of conduct, etc. The most commonly used safeguards for data transfers are the standard data protection clauses adopted by the European Commission, which remain a valid transfer mechanism according to the European Court of Justice, even after its invalidation of Privacy Shield.
3. Adequate information to data subjects
The obligation of the Controller (Sponsor) to provide adequate information to data subjects when collecting personal data per Articles 13 and 14 of the GDPR does not refer only to the patients participating in the trial and the relevant Informed Consent Form. It goes beyond, to include all data subjects whose personal data is being processed within a trial, such as investigators and site staff, CRO, vendor, Sponsor employees, etc. Providing adequate privacy notices to all data subjects is a requirement of the GDPR. An example would be providing adequate privacy notices to site staff during feasibility and site initiation, as well as including relevant privacy information in contracts with contractors. Our industry is still struggling with this and is slowly working to incorporate GDPR language as standard practice in the various forms of clinical trial documentation.
4. EU Representative for GDPR
An EU Representative for the GDPR is a new legal requirement introduced by Article 27 of the GDPR for Sponsors that are based outside the European Union (EU). This may be a different service and individual than the one providing the EU Legal Representative service for clinical trials required by the Clinical Trials Regulation 536/2014. This is an important requirement that should not be overlooked by any non-EU-based Sponsor. If you are collecting personal data from EU/EEA citizens, does your company have an EU Representative for the GDPR? If you do not know the answer to this question, we recommend you find out.
5. GDPR adequate security measures in place
Implementing appropriate technical and organizational measures to ensure and demonstrate that processing is performed in accordance with the GDPR is one of the main responsibilities of any Sponsor. The responsibility of the Sponsor goes further to include the assurance of appropriate technical and organizational measures by any party contracted by the Sponsor to process data on its behalf, in order to ensure the protection of the rights of the data subject. This may be achieved through adequate contractual wording and ongoing audits of the contracted parties in and outside of the EU.
Does it matter if my current study enrolling EU/EEA citizens is compliant with the GDPR?
Yes, yes it does.
If “Controllers” or “Processors” are found to be out of compliance with the GDPR, this can create risks to the rights and freedoms of data subjects, and your company can be exposed to fines by EU authorities.
First, find out if GDPR is applicable to your clinical trial (see our foundational point from earlier). Second, walk through the 5 considerations we provided in this article. Finally, if needed, hire an organization to guide you down the GDPR compliance pathway. Allucent can help. If you need assistance, contact our team.
Every clinical trial your organization runs is different. Understanding how the GDPR applies to your specific study, taking into account its territorial and material scope, and ensuring that your organization and its contracted parties cover the relevant GDPR requirements, is paramount to your company’s compliance with the GDPR.