In the realm of clinical trials, protecting participants’ personal data is paramount. The General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, sets out stringent requirements for data protection within the European Union (EU). Compliance with GDPR by clinical trial sponsors is not only a legal necessity but also a cornerstone of ethical research practices. Here’s a detailed guide on what clinical trial sponsors must know and implement to ensure GDPR compliance.


Territorial and Material Scope of GDPR in Clinical Trials

The GDPR applies to any organization in the EEA/UK processing personal data and to non-EEA/UK organizations handling data of EEA/UK individuals, impacting clinical trials globally. It governs the processing of personal data, including identifiable and sensitive health data, whether manually or electronically.

In clinical trials, it’s important to distinguish between pseudonymized and anonymized data. Pseudonymized data can be re-identified and falls under GDPR, while anonymized data cannot be re-identified and is not covered by GDPR.

Clinical trial sponsors in the EEA/UK process pseudonymized data (key-coded) from participants and identifiable data from investigators and other stakeholders, making them subject to GDPR.

Understanding GDPR Principles

The first step in a privacy compliance program for clinical trials is understanding the core principles of GDPR. These include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Sponsors must process personal data legally, fairly, and transparently. Data should be collected only for specific, legitimate purposes, and only necessary data should be gathered. Additionally, it’s crucial to maintain data accuracy, limit storage duration, secure data integrity and confidentiality, and demonstrate accountability.

Appointing a Data Protection Officer (DPO) and a Data Protection Representative (DPR)

Appointing a Data Protection Officer (DPO) is crucial for GDPR compliance, especially for small biopharma companies that may lack privacy expertise. A DPO is typically needed when processing large volumes of sensitive data. Despite arguments that small companies may not handle large data volumes, authorities agree that biopharma companies need a DPO due to their core activities involving long-term health data storage.

Additionally, foreign sponsors conducting clinical trials in the EU or UK must appoint a Data Protection Representative (DPR). The DPR acts as a local contact for regulatory authorities and ensures compliance with local data protection laws. Both roles are essential for maintaining high data protection standards and regulatory compliance in international clinical research.

Establishing a Legal Basis for Data Processing

Identifying the legal basis for processing personal data is essential for GDPR compliance in clinical trials. Common legal bases include informed consent, public interest, and legitimate interests.

  • Informed consent: Participants must give explicit, specific, and unambiguous permission to use their data. This consent must be documented, and participants should be informed they can withdraw consent at any time without consequences.
  • Public interest: Data processing is allowed if it serves the public interest, ensuring participants’ rights are respected.
  • Legitimate interests: Sponsors can process data based on their legitimate interests as long as participants’ rights are not overridden.

The informed consent form will detail the legal basis for data processing. Since requirements vary by country, sponsors must ensure they comply with local regulations.

Respecting Data Subject Rights

Respecting data subject rights is key to GDPR compliance. Participants have the right to access their data, correct inaccuracies, request data deletion, restrict processing, obtain data in a portable format, and object to certain processing activities. Sponsors must have procedures to handle these requests and inform participants of their rights. The Informed Consent Form (ICF) should explain how to exercise these rights, any limitations, and how to complain to a data protection authority if needed. Clinical Trial Agreements should clearly outline each party’s responsibilities to ensure these rights are respected.

Data Protection by Design and by Default

Data protection by design and by default means including data protection in every stage of the trial. This ensures only necessary data is processed. To achieve this, involve the Data Protection Officer (DPO) in conducting GDPR assessments, such as Data Protection Impact Assessment (DPIA), reviewing the trial protocol, Informed Consent Forms (ICFs), and agreements. The DPO should also assess vendors and ensure strong security measures to protect data integrity and confidentiality.

Maintaining Documentation and Record Keeping

Accurate record-keeping is vital for demonstrating GDPR compliance. Sponsors should maintain detailed Records of Processing Activities (ROPAs), including a data inventory of the data collected and processed. Compliance records documenting all measures and assessments undertaken to ensure GDPR adherence should be meticulously kept.

Managing Data Transfers

Managing data transfers, especially outside the EU, requires strict adherence to GDPR. When transferring data to countries without equivalent protection laws, sponsors must use safeguards like Standard Contractual Clauses (SCCs) approved by the European Commission. These safeguards should be mentioned in privacy notices, such as Informed Consent Forms (ICFs) for participants and notices for medical staff. By doing so, sponsors can ensure GDPR compliance and protect participants’ data.

Data Breach Notification

Being prepared to respond quickly to data breaches is crucial for GDPR compliance. Sponsors must have systems to detect breaches and notify authorities within 72 hours, if required. If a breach risks participants’ rights, they must be informed promptly. Clinical Trial Agreements and vendor contracts should clearly define each party’s responsibilities and procedures for handling breaches. This ensures everyone is ready to respond effectively.

Training and Awareness

Regular training ensures that all staff understand their data protection responsibilities. Implementing ongoing GDPR training sessions and awareness campaigns about data protection principles and practices helps maintain a culture of compliance within the organization.

Conclusion

GDPR compliance is integral to the successful and ethical conduct of clinical trials. By understanding and implementing these steps, clinical trial sponsors can protect participants’ data, build trust, and avoid legal and financial penalties. Ultimately, GDPR compliance ensures that clinical trials are conducted with the highest standards of data protection and ethical responsibility. This comprehensive approach not only safeguards participants’ privacy but also enhances the credibility and reliability of clinical research.

Diana Andrade

Diana is the Founder & Managing Director at RD Privacy and a contributing columnist, specializing in privacy for the pharmaceuticals and life science sectors, particularly small biopharma companies, with extensive experience as a European qualified privacy attorney and Data Protection Officer (DPO).