The GDPR (EU 2016/679) becomes effective on 25th May, 2018 and replaces the existing data protection framework under the EU Data Protection Directive. This raises important questions for clinical trials, especially in light of the increased reliance on clinical trial technologies and use of the internet and electronic records to streamline study conduct. The use of "big data" is becoming increasingly important as sponsors and CROs move towards paperless and risk-based monitoring strategies. All of these factors pose new challenges for data security and privacy in clinical trials, and careful forward planning is required to ensure future trial compliance.
Because clinical trials involve the processing of sensitive personal data, sponsors will need to carry out a data privacy impact assessment. This will likely need to be done both for trials commenced after 25th May, 2018 and for trials that are ongoing with data being processed at that date. This assessment must set out:
- A description of the processing operations and the purposes of processing
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to the rights and freedoms of clinical trial subjects
- The measures used to address those risks
Controller and processor organizations running clinical trials (e.g., sponsors and CROs) will need to appoint a data protection officer, who will have responsibility for advising their organization about GDPR obligations, monitoring GDPR compliance, and acting as a point of contact for regulators. All organizations involved with clinical trials should maintain documentary evidence of any consents obtained and the steps taken to comply with the GDPR. These documents will need to be filed to the trial master file, along with other trial-related information, to show compliance with applicable laws.
Notably, GDPR Article 26 sets out the responsibilities and liabilities of parties as "joint controllers", so it is important that both the sponsor and CRO understand the remit of their obligations and the potential for overlap in their respective roles, since the line between a sponsor’s responsibilities and those of the CRO can often be blurred. Also, any other vendors involved in processing data across the entire trial hold some level of responsibility and accountability.
GDPR non-compliance penalties are substantial. National regulators will have the power to impose fines of up to €20 million or 4% of annual global turnover, whichever is higher. It is not yet clear how liability or fines in the case of a data breach would be divided up between data controllers and data processors. However, it is clear that all organizations should consider their processes in light of the GDPR, and understand the remit of their compliance responsibilities, particularly for trials that have already started.
Below are the 7 key GDPR principles your organization needs to align with ahead of the GDPR effective date:
- Lawful, fair, and transparent processing – When data is collected, it must be clear why it’s being collected and what it will be used for. Organizations must be willing to provide details surrounding the data processing when requested. For example, if a data subject asks who the data protection officer is at that organization or what data the organization holds about them, that information needs to be available.
- Purpose limitation – You need to have a lawful and legitimate purpose for processing the information. Consider all the organizations who make you fill out a form with 20 fields, when all they need is your basic information. In short, organizations shouldn’t collect any piece of data that doesn’t have a specific purpose, and those who do can be out of compliance.
- Data minimization – The data you are capturing must be adequate, relevant, and limited. In this day and age, businesses collect and compile every piece of data possible on you for various reasons, such as understanding customer buying behaviors and patterns or re-marketing based on intelligent analytics. Based on this principle, organizations must be sure that they are only storing the minimum amount of data required for their purpose.
- Accuracy and up-to-date processing – Data controllers must make sure information remains accurate, valid, and fit for purpose. You must have a process and policies in place to address how you will maintain the data you process and store.
- Limitation of storage in the form that permits identification – To ensure compliance, organizations must have control over the storage and movement of data. This includes implementing and enforcing data retention policies and not allowing data to be stored in multiple places. Having multiple, illegitimate copies of the same data in multiple locations is a compliance nightmare.
- Confidentiality and security – You must protect the integrity and privacy of data by making sure it's secure (which extends to IT systems, paper records and physical security). As a collector and processor of data, you are solely responsible for implementing appropriate security measures proportionate to the rights and risks of the individual data subjects. Negligence is not an excuse under GDPR, so organizations must spend an adequate amount of resources protecting the data from those who are negligent or malicious.
- Accountability and liability – You must be able to demonstrate to governing bodies that you have taken the necessary steps commensurate with the risk your data subjects face. To ensure compliance, be sure that every step within the GDPR strategy is auditable and can be compiled as evidence quickly and efficiently. For example, GDPR requires you to be able to respond to requests from data subjects as to what data is being held about them and to promptly remove that data if requested. You need to have a process in place to manage such requests, as well as a full audit trail to prove that you took the proper actions.
In our next blog, we'll discuss the steps Longboat have taken to ensure that we meet all of the requirements mandated by the GDPR.