Clinical Trial GDPR Compliance: Key GDPR considerations often overlooked by non-EEA clinical trial sponsors

Compliance with the GDPR can be daunting if this is the first time you have planned a clinical trial in the EEA or UK. A sponsor is already responsible for initiating, managing and financing (or arranging the finance for) the trial, and carries the medico-legal responsibility for its conduct, so it is not surprising that some aspects of the GDPR are overlooked or pushed down the list of priorities. Hence many pharmaceutical and biotechnology SMEs outsource their data protection and privacy work to a GDPR consultancy to ensure everything is covered.

This article offers an overview of the aspects of GDPR compliance often overlooked by non-EEA sponsors and explains how outsourcing can keep your data subjects’ personal data safe and keep your company on the right side of the law.

Who does the GDPR apply to?

The GDPR is not limited to organisations established within the EU/EEA. Any company that collects or processes the personal data of individuals who are in the EEA must comply with it where the processing relates to offering them goods or services or to monitoring their behaviour (Article 3(2)), regardless of the individuals’ citizenship or where the company is based. For example, a company in the United States that recruits trial participants in the EEA, processes personal data during activities carried out there, or employs people there falls within the Regulation’s scope. Thus, a clinical trial sponsor based in the US that conducts trials in the EEA, whether it employs staff there directly or indirectly by contracting Contract Research Organisations (CROs) or investigator sites, must abide by the GDPR.

Clinical trials often occur cross-border, involving sites in several jurisdictions. However, experience shows that it can be challenging to understand and manage the privacy requirements for cross-border trials, mainly due to differences in local law and interpretation relating to the interplay between privacy laws and clinical trials.

Who is responsible for GDPR compliance?

Every situation is different, roles can overlap, or parties can wear different hats depending on the personal data they are processing in their activities. Where there are multiple parties in other countries, this adds to the complexity.

Roles and titles such as sponsor, investigator, data controller and data processor must be clearly defined in the context of your clinical trial, as there will be overlap, and it is best to seek advice for your individual circumstances. It is also essential to bear in mind that the legal responsibilities of the parties under GDPR are determined by their actual activities in a specific situation rather than solely by a title.

GDPR compliance is not just the responsibility of management or the Data Protection Officer, and it’s not something to do once and tick off — it is an ongoing process and everyone’s responsibility.

What do your employees know about the GDPR?

Employees’ daily activities regarding data collection, storage and processing directly affect compliance. Published breach reports consistently find that most data breaches (around 80%) involve a human element, so it is no surprise that human error is one of an organisation’s most significant data security risks. Everyone in a company, including any international teams, should therefore know their responsibilities under the GDPR.

Employees must be able to plan and execute their activities under the GDPR and be aware of the consequences of non-compliance. They should also be educated and trained on the best data protection practice, advised of upcoming changes, and supported to develop new skills to improve compliance.

The effectiveness of a new policy in the workplace rests mainly on how well you communicate it to employees, and the quality of the training they receive. Data privacy training ensures that your employees understand the general principles of the GDPR and how to apply them in practice, why the Regulation matters and who they can turn to for GDPR compliance support. They need to feel empowered to take responsibility and confident in reporting issues internally should they arise.

GDPR compliance in clinical trials applies to more than patient data.

Under the GDPR, personal data is any information relating to an identified or identifiable living individual, whether the person can be identified directly or indirectly. It includes names, email addresses, IP addresses and other identifiers such as cookies or device IDs, and telephone numbers where these can be linked to an individual. Pseudonymised trial data (for example, data keyed by a subject ID that the site can map back to a patient) is still personal data.

Of course, the GDPR seeks to secure the special category data of patients in clinical trials. But GDPR compliance is also about carefully handling the personal data of employees, clients, business partners and everyone else who shares their data with the company.

Thus, as well as preparing a Data Privacy Notice for trial participants, every employee should receive a Data Privacy Notice setting out what personal data will be processed, the purposes and lawful basis for each processing activity, how long the data will be retained, the employee’s rights, and who to contact about data-related issues. Note that employee data is rarely processed on a single lawful basis: performance of the employment contract, compliance with legal obligations (payroll, tax) and the employer’s legitimate interests are the usual grounds, and consent is seldom appropriate given the imbalance of power between employer and employee. Whichever basis is relied on must be identified in the notice and adhered to, since processing personal data without a lawful basis is a breach of the GDPR.

It is also crucial to note that the GDPR applies from the moment you start collecting and processing personal data from anyone in the EU/EEA, which can be as early as your initial conversations with Contract Research Organisations (CROs) or putting agreements and contracts in place with investigator sites, potentially six months or more before you collect the first patient’s personal data.

The Data Protection Officer (DPO) is well-publicised, but what is the role of the EU and UK Data Protection Representative (DPR)?

A trial sponsor must appoint a data protection officer (DPO) where its core activities involve large-scale processing of special category data such as health data (Article 37), a threshold most clinical trial sponsors will meet. The DPO advises on and monitors data protection impact assessments (DPIAs), which the sponsor as controller is responsible for carrying out before high-risk processing begins, monitors GDPR compliance more generally, and acts as the contact point for supervisory authorities.

Trial sponsors that are not established in the EU/EEA or UK but process the personal data of individuals there must also designate a data protection representative (DPR) established in that territory (Article 27); separate representatives are needed for the EU/EEA and for the UK. The representative, which can be an individual or an organisation, serves as the local point of contact for trial participants and supervisory authorities. Both the DPO and DPR roles can be outsourced.

The primary tasks of an EU/UK representative are:

  • responding to any inquiries that Data Protection Authorities (DPAs) or data subjects may have about the company’s data processing;
  • receiving legal documents for the company as an authorised agent, and maintaining a copy of the company’s records of processing activities;
  • making those processing records available to supervisory authorities on request;
  • being subject to enforcement proceedings in the event of the company’s non-compliance with the Regulation.

Can a DPO fulfil the role of an EU or UK Representative?

Although nothing in the legislation prohibits an individual from fulfilling both roles, the European Data Protection Board said that “The EDPB does not consider the function of representative in the Union as compatible with the role of an external data protection officer” (Guidelines 3/2018 on the territorial scope of the GDPR). A DPO playing both roles may feel conflicted about receiving concerns from data subjects, as their principal obligation is to facilitate the organisation’s compliance with the GDPR. Therefore, most companies should keep the two roles separate, avoiding potential conflicts of interest and compliance issues that may arise.

What steps can you take to ensure compliance with every aspect of the GDPR?

Are you a clinical, regulatory affairs, or quality and compliance professional who understands your country’s data privacy and protection regulations but needs help applying the GDPR to your EEA or UK data-processing activities?

Pharma Data Protection is a team of specialists in clinical trials and data protection passionate about providing international pharmaceutical research with the tools, support, and guidance needed to protect data subjects’ privacy and ensure GDPR compliance.

Thanks to our combined expertise, we pragmatically apply the GDPR legislation and support you in making the necessary changes to policies, documentation, and processes.

Like the GDPR, which promotes a risk-based rather than a prescriptive approach to protecting privacy, our Pharma Data Protection consultants aim to deliver GDPR compliance solutions that work for you, tailored to your pharma working practices.

Talk to us about your current or planned EEA or UK clinical trials