The impact of GDPR on clinical trials
Good clinical practice, regulatory awareness and robust standard operating procedures have long been mandatory checkpoints for companies conducting clinical trials. The introduction of the EU's General Data Protection Regulation (GDPR) in 2018 added new requirements to clinical trial processes, and these may be challenging for biotech companies due to a lack of sector-specific GDPR guidelines. In this newsletter, our specialist lawyers from the life sciences practice group provide an overview of some of the key GDPR issues that companies conducting clinical trials must consider.
By Jeppe Songe-Møller
The advance of technologies enabling the collection and use of data, and the increasing use of the internet and electronic records, together mean that sensitive data may be processed in new and potentially more intrusive ways. Furthermore, the use of "big data" (the combination of very large and diverse data sets) is becoming increasingly important. When assessing the efficacy of a new drug or a new treatment method, researchers may request the right to use information from patient records, or to take samples of biological material like blood with the intention of storing and processing the results of subsequent analyses. To ensure that clinical trials are GDPR compliant, biotech companies must be aware of the ensuing data protection issues, and have proper procedures and documentation in place.
The emphasis of the GDPR is on transparency, security and accountability. It aims to strengthen the rights of individuals to understand and control the use of their data, and sets out obligations on companies using such data. Under the GDPR, both health data and genetic data are "special categories" of personal data. Processing such data is prohibited unless one of the exceptions in Article 9 applies, in a clinical trial typically the explicit consent of the trial participant or, subject to appropriate safeguards, processing that is necessary for scientific research purposes. The company must identify, and document, which exception it relies on for each processing activity.
As the applicability of the GDPR is triggered by the processing of personal data of data subjects in the EU/EEA, it governs both clinical trial activities at EU/EEA sites and associated activities by local and foreign (i.e. non-EU/EEA) entities acting as "data controller" or "data processor". GDPR requirements apply in addition to the EU rules governing the conduct of clinical trials and to any national legislation concerning clinical trials.
Transfer of data outside the EU/EEA
To support the completion of a clinical trial, the company may outsource certain services, such as the provision of lab facilities, equipment or specific competences relevant to the research, to a Clinical Research Organization (CRO). The GDPR requires that personal data transferred outside the EU/EEA remain protected to a standard essentially equivalent to that provided under the GDPR. In practice this means that, before transferring trial participants' personal data to a CRO outside the EU/EEA, the company must (amongst other steps) identify a valid transfer mechanism (an adequacy decision for the destination country, or appropriate safeguards such as the European Commission's standard contractual clauses) and assess whether the data will in fact be protected to the necessary standard in that country. In addition, a data processing agreement meeting the GDPR's requirements must be in place with the CRO.
Data Protection Officer (DPO)
A company whose core activities consist of large-scale processing of special categories of personal data, which will typically be the case for a sponsor of clinical trials, must appoint a DPO to monitor compliance with the GDPR. The GDPR does not strictly require the DPO to be located in the EU/EEA, but the DPO must be easily accessible to data subjects and supervisory authorities, and in practice an EU/EEA-based DPO is the safest choice. The DPO's role is to inform the company and its employees of their obligations under the GDPR, to provide advice where requested as regards risk assessments and data protection impact assessments, to cooperate with the national data protection authority and to act as the contact point for any requests relating to data processing, both within the company and from trial participants as "data subjects".
The company must be able to demonstrate its compliance with GDPR obligations in connection with data from clinical trials, and must document the actions it has taken regarding the privacy of trial participants. Data collected should be mapped and categorized, recipients of data should be recorded and protective measures should be listed; together this forms the record of processing activities that the GDPR requires controllers and processors to maintain. Data protection policies, procedures for responding to data subject access requests, and instructions for how to respond to data security incidents are recommended, and may be requested by data protection authorities in compliance audits.
Pseudonymisation and anonymisation
The company should consider pseudonymisation or anonymisation of sensitive personal data collected from trial participants. Pseudonymisation of data sets may be a good idea from a compliance perspective, as the GDPR expressly names it as a security measure. However, the company should take into account that pseudonymised data may still be attributable to an identifiable individual trial participant by the use of other information about the person (not least the key or linkage table that maps pseudonyms back to participants), and such data will therefore still be considered personal data. In addition, a data processor agreement will need to be in place whenever pseudonymised data are shared with a third party that processes them on the company's behalf.
As pseudonymisation and anonymisation are different concepts under GDPR, the terms should be distinguished in trial protocols, as only the anonymisation of data will ensure that the data are no longer considered to be personal data.
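As an added illustration of the distinction drawn above (this is example code written for this page, not text or code from the newsletter's authors), the Python sketch below pseudonymises a constructed set of fictitious trial records with a keyed pseudonym, shows that whoever holds the separately kept linkage table can attribute every row to a participant again (so the data set is still personal data), contrasts this with a record set from which identifiers have been removed outright, and shows why an unkeyed hash of a patient number is not a pseudonym at all. The record contents, field names and key handling are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records: fictitious trial participants, not real data.
RECORDS = [
    {"patient_id": "P-0001", "name": "Anna Example", "dob": "1971-03-04", "hba1c": 6.9},
    {"patient_id": "P-0002", "name": "Bo Sample", "dob": "1985-11-21", "hba1c": 7.4},
    {"patient_id": "P-0003", "name": "Cai Fictional", "dob": "1962-07-15", "hba1c": 8.1},
]
# Fields that identify a participant directly (assumed for this example).
DIRECT_IDENTIFIERS = ("patient_id", "name", "dob")


def new_key() -> bytes:
    """A sponsor-held secret key; in practice stored apart from the data set."""
    return secrets.token_bytes(32)


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the patient ID under the sponsor's key.
    Same key and same ID give the same pseudonym, so records from several
    visits or sites can still be linked without revealing the ID."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised data set, linkage table).
    The linkage table is the 'additional information' that must be kept
    separately; the pseudonymised rows are still personal data."""
    pseudo_rows, linkage = [], {}
    for r in records:
        p = pseudonym(r["patient_id"], key)
        linkage[p] = r["patient_id"]
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_rows.append({"pseudonym": p, **kept})
    return pseudo_rows, linkage


def reidentify(pseudo_rows, linkage):
    """Anyone holding the linkage table can attribute each row to a person again."""
    return [{**r, "patient_id": linkage[r["pseudonym"]]} for r in pseudo_rows]


def anonymise(records):
    """Drop direct identifiers and keep only the measurements, with no per-row key.
    Whether the result is truly anonymous still depends on which quasi-identifiers
    remain and on what other data a recipient holds; here only a lab value is kept."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def unkeyed_hash(patient_id: str) -> str:
    """The naive approach: a plain SHA-256 of the patient number, no secret key."""
    return hashlib.sha256(patient_id.encode()).hexdigest()


def unkeyed_hash_lookup(hashed_id: str, candidate_ids) -> Optional[str]:
    """Why the naive approach fails: patient numbers come from a small, guessable
    space, so a recipient can enumerate it and reverse the 'pseudonym' without any key."""
    for cid in candidate_ids:
        if unkeyed_hash(cid) == hashed_id:
            return cid
    return None


def demo():
    """Run the whole flow once and return the pieces for inspection."""
    key = new_key()
    pseudo_rows, linkage = pseudonymise(RECORDS, key)
    return {
        "pseudonymised": pseudo_rows,
        "reidentified": reidentify(pseudo_rows, linkage),
        "anonymised": anonymise(RECORDS),
        "naive_reversed": unkeyed_hash_lookup(
            unkeyed_hash("P-0002"), (f"P-{i:04d}" for i in range(10000))
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point for trial protocols is the one the text makes: the pseudonymised rows plus the linkage table are personal data, and the linkage table (or key) is exactly the "other information" that makes them attributable, so it must stay with the sponsor and out of the CRO's hands. The unkeyed variant is worth testing for in any data set a vendor describes as "anonymised".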
Secondary use of data
The company may want to use data collected from trial participants for new commercial purposes. GDPR expressly provides that personal data shall be collected for specified, explicit and legitimate purposes and not processed in a manner incompatible with the specified purposes. To ascertain whether the purpose of any proposed further processing is compatible with the initial purpose, the company should take into account, amongst other factors: (i) any link between the initial purposes and the purpose of the proposed further processing; (ii) the trial participant's reasonable expectations; (iii) the consequences of such further processing for the trial participants; and (iv) appropriate safeguards in both the original and further processing operations.
Security measures and data breaches
In order to process sensitive personal data, the company must implement technical and organizational measures that ensure a level of security appropriate to the risk, taking into account the sensitivity of health and genetic data. The GDPR names pseudonymisation and encryption of personal data among such measures; in practice these are combined with access control and logging, the ability to restore availability and access to the data after an incident, and regular testing of the effectiveness of the measures.
Regardless of whether adequate security measures were implemented, the company is required to notify the competent data protection authority of any personal data breach, unless the breach is unlikely to result in a risk to the data subjects' rights and freedoms. This notification must take place without undue delay and, where feasible, not later than 72 hours after the company becomes aware of the breach. Where the breach is likely to result in a high risk to the trial participants, they must also be informed without undue delay. Every breach, including those not notified, must be documented internally so that the authority can verify the company's assessment.