Clinical Trials and the GDPR: 10 Steps, Part 2

As we stated in last week’s Part 1, May and October 2018 will be important months for companies involved in Clinical Trials. The new Clinical Trials Regulation (CTR) EU No 536/2014 becomes fully operational in October 2018 when the EMA introduces the new EU portal and EU database. Conveniently and identically to the Clinical Trials legislation that was adopted in 2014 as a Regulation, the new Data Protection Legislation in Europe, known as the GDPR (General Data Protection Regulation), will also take the form of a Regulation. However, unlike the Clinical Trials Regulation, there will not be the same transitional period, the GDPR will be enforced from 25 May 2018, which means an organisation can be fined from this date for non compliance with the new provisions.

Here are some further considerations that a Sponsor should consider if they are shortly about to begin a Clinical Trial that is likely to extend beyond May 2018 when the GDPR becomes enforced.

1. Evidence of Compliance: Instead of the obligation to register with the ODPC, there will be a new requirement, from May 2018 onwards, to maintain documented evidence of compliance by both the Data Controller and the Data Processor. The new concept of self-managing and accountability means that businesses will no longer have to register or notify supervisory authorities of their processing activities. Instead, Data Controllers will have to implement appropriate technical and organisational measures to demonstrate that their data processing is performed in accordance with the GDPR. Data Controllers will be obliged to maintain records in electronic format of all data processing activities.

The GDPR helpfully provides the headers which should be included in each processing log, whether they are being maintained by the Data Controller or the Data Processor.

In addition, organisations may choose to maintain a record of other significant data management incidents in the day-to-day activities of the organisation, such as the completion of Privacy Impact Assessments (PIA’s), Data Breaches and the incidence of Subject Access Requests. You may be able to tag this aspect on to your existing log of 3rd parties and state in this log whether a DPA (Data Processing Agreement) is required and in place.

The requirement that logs must be in electronic format will mean change for organisations that still use hand-written logs. For your electronic logs to be credible and reliable ‘evidence of compliance’ they would, ideally, have an audit trail. Since Excel spreadsheets do not have an audit trail there is a risk, for example, that an entry could accidentally be deleted without the Data Controller’s knowledge. Your logs should, ideally, be programmed to prompt the user to select which Lawful Processing Condition they are using and whether or not the activity is high risk or not. The logs should be programmed to drive compliance with the GDPR and flag any high-risk activities before they are carried out, such as the transfer of data abroad without the necessary documents being in place. Activities with a high-risk rating should be triggering the user to do a PIA.

2. Right to be Forgotten: Previously, patients could have requested deletion of their data if their data was not being processed compliantly. Now, under the GDPR, patients have a broader right to have their data erased without undue delay in certain circumstances. Consider, how will you inform patients of this right, how quickly could this operation be performed and how would you verify with all parties right through to the Investigator that this action has been completed. How would it impact your Clinical Trial if negative media coverage triggered a number of patients to withdraw their consent. To view this section of the GDPR, click http://www.privacy-regulation.eu/en/17.htm.
   
3. DPO Role: In mirror to having an individual responsible for Quality and an individual responsible for Health and Safety, so too will certain companies be required to appoint an individual responsible for Data Protection. According to the GDPR, DPOs must be appointed if your main activities involve ‘large scale processing of sensitive data’. More than likely, therefore, given this criterion, the Sponsor of the clinical trial will be obliged to appoint a DPO. If you are using third-party CROs who are also doing large scale processing of sensitive data on your behalf, they too will meet the criteria and will also need to appoint a DPO.

Group companies can appoint a single DPO, provided that the DPO “is easily accessible from each establishment”. The DPO must have “expert knowledge of data protection law” (Article 37(5) & (6)). They should also be adequately trained. It is essential that the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interest. Specifically required under the GDPR, the DPO:

Reports to the highest management level of your organisation – i.e. to the board level.
Operates independently and is not dismissed or penalised for performing their task.
Must be provided with adequate resources to enable them to meet their GDPR obligations.
Must be appropriately experienced and knowledgeable of Data Protection Legislation, the level of which will be commensurate with the level of risk in the organisation. With Clinical Trials, there is a large body of sensitive personal data that is shared between parties so, in our opinion, it is essential that the DPO for a Sponsor has strong knowledge of both the GDPR and of Risk Management methodologies.
Ultimately, it is the Sponsor and not the DPO who remains accountable for the compliance of the data protection practices in the organisation.

4. Risk in everything you do: Data Protection legislation has caught up on Finance, Pharma and Health and Safety regarding Risk Management principles from the Design stage right through the lifecycle.

You may already have a robust risk management system in place that can be easily adopted to include your data protection risks. We believe that the risk management principles outlined in ICH Q9 Quality Risk Management are transferable to data protection. We foresee two key challenges arising for Sponsors:

1. How far should risk management extend into the supply chain / 3rd parties, and
2. Assessment and management of high-risk data processing activities by means of a Privacy Impact Assessment (PIA).

Article 35 calls out the minimum requirements for a PIA, including “An assessment of the necessity and proportionality of the processing operations in relation to the purposes” and “the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned”. Importantly, where the PIA indicates that the risks identified in relation to the processing of personal data cannot be fully mitigated, Data Controllers will be required to consult the ODPC before engaging in the process.

5. IT Data Security: If you are a large pharmaceutical company, then, more than likely your IT security is of the highest level. You may even be ISO 27001 compliant. But does this automatically align you with the requirements of the GDPR? Not necessarily and the guidance we are finding is urging companies to perform a gap analysis between the GDPR and ISO 27001. For starters, the Breach Notification requirements are different as the GDPR calls out for notification within 72 hours of becoming aware of a breach. Furthermore, supplier relationships must be sealed with a written and signed formal agreement that contains mandatory clauses not listed in 27001.

Although Data Security plays a significant role in the GDPR, IT security only accounts for a fraction of the GDPR, roughly 1/16th! Specifically, and relevant for Clinical Trails, is the transfer and the encryption of personal data, the ability to restore availability and access to personal data in the event of an incident.

6. Processing Children’s data: Article 8 of the GDPR introduces specific provisions for the processing of children’s data by limiting their ability to consent to data processing without signed parental approval. Sponsors are required to make ‘reasonable effort’ to verify that the parent or guardian has provided appropriate consent. The European Commission is leaving it up to individual member states to define the maximum age of a child but must be minimum 13 years and maximum 16 years. This provision places some restriction where you are running your clinical trial on children in this age bracket in a number of different countries, how are you going to manage this? Will this additional requirement influence the population that you will sample from?

The Commissioner has released a document “The GDPR and You” that gives a high-level introduction to the main concepts and steps required to be taken before May 2018. To view this document, click here.

Since necessity drives invention, Sytorus have developed Data Processing logs within PrivacyEngine that have an audit trail, prompt the user through their decision-making process and calculate a risk rating. Sytorus also have a team of specialist data protection consultants who are equipped to perform PIAs in your organisation. To learn more about this service, click here.