Records and documentation of data processing activities, sharing and retention are mandatory under GDPR. What does this mean for pharmaceutical clinical trials in Europe?

GDPR – Pharmaceutical Clinical Trials

The GDPR focuses on accountability, transparency and governance to minimise the risk of breaches and uphold personal data protection by imposing new responsibilities on organisations. One of these responsibilities linked to the principle of accountability is creating and maintaining written documentation regarding data protection compliance, including a record of processing activities.

Are you a pharma company that has started to implement changes to your data processing procedures but has yet to formalise your practices in your policies?
You may need help determining where to begin regarding mandatory compliance documentation and looking for guidance.

This article provides an overview of your responsibilities under the GDPR, and a brief description of the mandatory documents required to fulfil data protection regulatory obligations.

What does the GDPR say about mandatory documentation?

The General Data Protection Regulation obligates, as per Article 30 of the GDPR, the creation and maintenance of written documentation (including policies, forms and agreements) and an overview of personal data processing procedures. A record of processing activities (RoPA) must include information about data categories, data subjects, the purpose of data processing, GDPR data retention, and who receives the data. It must be up-to-date and available to the supervisory authorities upon request.

It is important to remember here that the obligation to create a record of processing activities is not only imposed on the controller and their representative but also directly on the processor and their representatives, as outlined in Article 30(2) of the GDPR. Unsurprisingly, the obligation for documentation and, therefore, records of processing activities is a focus of supervisory authorities’ inspections.

What are the penalties under GDPR for not maintaining up-to-date documentation?

Suppose a company fails to maintain records (e.g., they do not reflect the current situation of personal data processing activities) and/or cannot provide complete GDPR compliance documentation to authorities. In that case, they can be subject to fines according to Article 83(4)(a) of the GDPR. The possible penalties can be up to €10 million (£8.75 million under the UK GDPR) or 2% of the annual global turnover of the preceding financial year, whichever is greater.

However, it doesn’t stop there.

Mandatory documentation is also part of meeting the GDPR’s accountability principle (demonstrating compliance). Controllers that fail to meet it can face a regulatory fine in the higher tier, the greater of €20 million (£17.5 million under the UK GDPR) or 4% of the annual global turnover of the preceding financial year. The Information Commissioner’s Office (ICO) and EU supervisory authorities also have the power to apply other measures, for example, the termination of clinical trials.

Talk to Pharma Data Protection about how we can help you improve your GDPR mandatory documentation

What mandatory documents are required by the GDPR when conducting clinical trials in Europe?

This list includes the basic and enhanced documents, policies and procedures needed under the GDPR:

• Personal Data Protection and Data Privacy Policy
• GDPR Data Protection/GDPR Data Privacy Officer Training policy
• Personal GDPR Data Retention Policy
• Privacy Notice(s)
• Data Subject Informed Consent Form
• Data Breach Policy and Procedures
• Data Breach Register
• Data Subject Access Procedure
• Data Subject Access Request Form
• Record of Processing Activities
• Vendor List
• Vendor Data Processing Agreements
• Standard Contractual Clauses
Data Protection Impact Assessment GDPR (DPIA)
Technical and Organisational Measures (TOMs)
• Legitimate Interests Assessment (LIA)
International (cross-border) Data Transfer Procedure
• Transfer Impact Assessments (TIA)

Let’s take a closer look at some of these documents.

Personal Data Protection Policy

This core document details how the company will meet its obligations under EU/UK Data Protection Legislation. It is critical to ensure that this document complements other relevant procedures or policies (e.g., IT, Clinical Operations).

Personal Data Retention Policy

Although a company may already have a retention policy for other data types, this policy is a standalone document specific to personal data, including personal data retention, filing, archiving and good document management.

Privacy Notice

A privacy notice must be displayed on any public-facing platform that interacts with user data (e.g., a corporate website) or must be available on request if you do not have a website. The law requires you to inform users about what data you collect and how it’s used, stored and protected.

Pharma Data Protection recommends three privacy notices: clinical trial subjects, healthcare professionals, and partners/consultants/vendors.

You will also need a Register of Privacy Notices – a document that lists all published privacy notices and basic information about each.

Data Breach Policy and Procedures

This set of documents will detail how you manage data breaches (what to do, how and by whom) and what you need to communicate to the supervisory authority and data subjects.
Documents will include:
• A Data Breach Register
• Data Breach Response and Notification Procedure
• Data Breach Notification Form to the Supervisory Authority
• Data Breach Notification Form to Data Subjects

Data Subject Access Request Procedure

Although the GDPR is legislation aimed at data controllers and processors, the data subjects are at the core of the rules, restrictions and requirements mandated by the GDPR. Data subjects have eight key rights under the GDPR:

  1. The Right to Information
  2. The Right of Access
  3. The Right to Rectification
  4. The Right to Erasure
  5. The Right to Restriction of Processing
  6. The Right to Data Portability
  7. The Right to Object
  8. The Right to Avoid Automated Decision-Making
    A Data Subject Access Procedure details these rights and identifies which can be derogated or amended.
    For example, suppose a clinical trial subject’s personal information is pseudonymised (usually via a subject code). Then a controller can’t fulfil the right to data portability as the data subject is unknown.
    The right to erasure is also limited as the controller has a legitimate interest and a legal obligation to process and retain a clinical trial subject’s personal information up to the point at which the subject decides to exercise this right.

Record of Processing Activities (RoPA)

The RoPA is an essential document in two respects. Firstly, it summarises all the processing activities across the controller’s business; secondly, if the controller has no legal establishment in the EU/UK, it is a required document for the Data Protection Representative to review in respect of their liability. The RoPA refers to the Vendor List.

Vendor List

The Vendor List includes all vendors, usually on a clinical trial basis, what processing they perform, and whether a Data Processing Agreement and/or Standard Contractual Clauses are required.

Data Processing Agreement

Virtually every business relies on third parties to process personal data. The GDPR requires data controllers to sign a data processing agreement with any parties acting as data processors. A data processing agreement is a legally binding contract that states the rights and obligations of each party concerning the protection of personal data.

Standard Contractual Clauses

Standard Contractual Clauses are used for data transfers between EU and non-EU countries. They contain the contractual terms and conditions that both the sender and receiver of personal data sign up to so the rights and freedoms of the data subject are considered and upheld.

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is required when processing high-risk (special category) personal data, e.g., health related. The DPIA will assess initial risk, mitigations, and residual risk.
The GDPR gives little guidance on how a DPIA applies to a pharma company conducting clinical trials. However, we assume clinical trials are essentially one category of processing. In that case, preparing a DPIA that covers all clinical trials and that you can easily update with each additional trial is possible.

Technical and Organisational Measures (TOMs)

As a data controller, you are obliged to protect and assure personal data, per the principle of integrity and confidentiality. Having appropriate technical GDPR and organizational measures (TOMs) in place will help you prevent data breaches and comply with the principle of data protection by design. Your record of processing activities should include a general description of the technical GDPR and organizational measures (TOMs) you are applying, as should any Data Protection Agreements with vendors.

Legitimate Interests Assessment (LIA)

The LIA is primarily a UK‐targeted document but is also helpful to prove the company has considered how legitimate interests apply as a lawful basis for processing.

International (cross-border) Data Transfer Procedures

This procedure sets out how the organisation will meet the requirements of the EU GDPR when transferring personal data to countries or international organisations outside of the EU (or the UK, in the case of UK-GDPR).

Transfer Impact Assessment (TIA) or Transfer Risk Assessment (TRA)

When your company transfers personal data to countries outside the EU/UK, and before using, for example, Standard Contractual Clauses, the organisation must assess the risk of transferring data to a country not covered by the EU or UK adequacy decision (countries considered by the European Commission or the Information Commissioner’s Office in the UK not to have an adequate level of data protection). A TIA (EU) or TRA (UK) is completed for each clinical trial and/or vendor transfer (depending on circumstances) when setting up the clinical trial.

In Conclusion

The need to document regulatory compliance within the pharmaceutical or biotech industries is well known. Your organisation will have policies and processes to ensure you follow best practices.

The difference with the GDPR is that accountability and demonstrating compliance are at the core of implementing or reviewing technical or organisational controls. Implementing procedures is one thing, but you will need supporting documentation to show compliance at an organisational level and for each clinical trial.

Creating, updating or reviewing data protection documentation can be challenging without GDPR knowledge or experience. Handling mandatory documentation can be a minefield, as documents interlink to provide a complete and comprehensive record of the personal data lifecycle within your business.

Our team at Pharma Data Protection are data protection consultants with a keen eye for detail who understand pharma working practices. You can trust us to work with you to ensure that your policies, protocols and procedural documents are fit for purpose while meeting GDPR compliance requirements.

Talk to us about how we can help you improve your GDPR mandatory documentation