Data Protection Part 2: Ensuring Study Start-Up Compliance With GDPR

At the beginning of a study, there are a number of steps sponsors and CROs must take to ensure compliance with the EU’s General Data Protection Regulation. In this blogpost, we focus on four GDPR articles that are relevant to study start-up.

Article 13

As the data controller, the sponsor must provide a privacy notice to study participants, the principal investigator, and study staff before collecting their personal data. For patients, the privacy notice takes the form of the informed consent form. EU countries may have different interpretations of what is required to be in that ICF, and some may have their own templates. In addition, getting the privacy notice language approved by the appropriate ethics committees can be a lengthy process. Therefore, sponsors should begin developing privacy notices as early as possible to avoid start-up delays.

Article 25

Privacy must be considered in the study design, and the project management plan/clinical management plan may need to be updated to reflect data protection measures that will be put in place to mitigate any identified risks.

Article 27

Under Article 27, a company that has no establishment in the EU must retain a data protection representative based in the EU. This representative ensures that the company meets its compliance obligations and acts as a point of contact for the data protection supervisory authorities, if needed.

To avoid potential conflicts of interest, it is best if the representative is not a data processor. Moreover, sponsors should keep in mind that, in the event that a regulator is not able to pursue a non-EU company directly for privacy breaches, the representative could be liable for any penalties. That can make identifying an appropriate representative a challenge, and a growing number of specialist firms can assist. If the sponsor’s data protection officer is based in the EU, he or she may also act as the sponsor’s data protection representative.

Article 28

To share personal data, two organizations must sign a contract. Where those organizations are a data controller and data processor, the contract must include the language in Article 28 of the GDPR. The roles and responsibilities of each organization must be well-defined and well-understood so that the correct language is included in the contracts between the entities. The contract must specify:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The type of personal data
  • The categories of data subjects
  • The obligations and rights of the data controller

The GDPR also requires that these stipulations be included in contracts between data controllers and data processors:

  • Processing must be performed only in accordance with documented instructions from the data controller
  • Persons authorized to process personal data must be committed to confidentiality or be subject to a statutory obligation of confidentiality
  • Data processors must implement requisite security measures
  • Data processors must abide by the requirements for enlisting sub-processors
  • Data processors must assist data controllers in fulfilling the data controllers’ obligation to respond to requests for exercising data subjects’ rights under the GDPR
  • Personal data must be deleted or returned to the data controller after processing services have been completed
  • All information needed to demonstrate the data processor’s compliance with these requirements must be made available to the data controller
  • The data processor must permit and contribute to audits conducted by the data controller

In the context of a clinical trial, the sponsor is the data controller, and both the CRO and the institutions/sites are data processors. If other vendors, such as labs and patient reimbursement service providers, are used, they represent an additional layer of data processors, often referred to informally as sub-processors.

To comply with the GDPR, the controller-to-processor language in Article 28 must be included in contracts between the sponsor and the CRO. For large pharmaceutical companies working with many CROs or for CROs working with a large number of pharmaceutical companies, the task of updating all of the Master Services Agreements can be a major undertaking.

What is often not clear to institutions and principal investigators is their role under the GDPR. This is because the institutions and principal investigators are simultaneously data processors for the purposes of gathering clinical trial data on behalf of the sponsor and data controllers for the purposes of recording the medical care provided to the study participants.

Therefore, it is essential at the onset of a study to ensure that the Clinical Trial Agreement completed for each site contains the required Article 28 language and that the respective roles are understood by the parties. Where sites view themselves as data controllers and reject the notion that they are data processors for the sponsor, it may be possible to enter into a data sharing agreement that closely resembles the controller-to-processor agreement to help mitigate the risk of not having the correct language in place.

The administrative burden that these contractual activities impose upon an organization should not be underestimated. The process is time-consuming and negotiations can be slow, especially where there are misunderstandings about intent and content. Therefore, sponsors are strongly advised to begin addressing these contracts early.

Early Planning for GDPR Compliance

While the GDPR was designed to standardize the protection of personal data across the EU, the regulation includes a number of opening clauses that allow member states to introduce their own legislation in certain areas of data protection. Therefore, sponsors and CROs will need to stay abreast of any national distinctions that develop. These distinctions inevitably mean that sponsors and CROs need to be flexible in their approach toward key documentation.

As a first step toward achieving and maintaining GDPR compliance, sponsors and CROs should focus on data mapping and auditing contractual relationships and technologies to determine what changes are needed to achieve compliance. Beginning this process early in clinical development can help ensure that study start-up proceeds as smoothly as possible.

In the final blogpost of this series, we will explore key considerations for clinical trial recruitment and discuss the nuances of informed consent and data handling.

Note: This material is provided for informational purposes only and not for the purpose of providing legal advice. If you are unsure whether the GDPR applies to a particular study or scenario, we suggest consulting with legal counsel for guidance.