Clinical Trials and GDPR – Are You Ready?


The European Union (EU) General Data Protection Regulation (GDPR), which recently took effect on May 25, is designed to modernize laws that protect the personal data of individuals. GDPR defines how that information should be handled for every country and industry that processes personal data of people who are in the EU.

Read the Whitepaper: Top Five Reasons You Need IRT Expertise, Not Just Software

The idea behind GDPR, and one of the main points in creating the new regulations, is in response to a growing digital and electronically driven world. When data was on paper it was easier to maintain security because fewer people had access. Now, with so much more digital information publicly available online, there is a higher risk for security breaches.

The GDPR is especially important for the biopharma industry because it puts the needs of clinical trial subjects and outcomes first. We must keep in mind that the data belongs to the natural person. This is at the heart of the GDPR: protection of personal data is considered a fundamental human right. Regardless of whether I give my data to social media or give consent for a clinical trial, the data is still mine. I control my data. You are only allowed to utilize my data to the extent I allow.

For the unprepared, the new regulations on data processors are especially daunting. Whereas the previous regulation placed most accountability on the data controller (typically the sponsor in the case of clinical trials), GDPR holds data processors responsible for compliance with many of the regulations. Data processors may include related technology providers offering services such as Interactive Response Technologies (IRT), Electronic Patient Reported Outcomes (ePRO)/Electronic Clinical Outcome Assessments (eCOA), etc.

Data processors still must act only on the direction of the data controller, but they’re also obliged to comply directly with GDPR. This includes, under Article 28, a requirement that the data processor must inform the data controller if, in its opinion, an instruction infringes the Regulation. Fines for non-compliance and data breaches can be up to 4% of annual turnover, or €20 million. Another important reason to ensure compliance.

Clinical trials involve the processing of sensitive patient data, but our industry has always been highly regulated. In fact, many compliance requirements of the GDPR have been in place since the 1995 law or even earlier. Much of industry’s data collection is based on informed consent, which is a legal basis for collecting study subject data.

Because GDPR obliges organizations in the European Union to work with vendors that comply with its requirements, sponsors need to perform due diligence when they choose a technology provider. It isn’t just patient data on the line, it’s the sponsor’s reputation. If a technology provider can’t be trusted, sponsors aren’t going to use their service.

Long before data protection became a primary discussion topic, our industry trained people that protecting patients always prevails over the interests of science. If you think about a clinical trial and the use of IRT for blinding or double-blinding a study, we’re already protecting the data because it’s pseudonymized, and we don’t have contact with patients directly. Cenduit has always been proactive in ensuring we’re compliant without being asked.

Now the spotlight is on GDPR, but we’re keeping a watch for other pieces of guidance that might be on the horizon. Nearly every country has some sort of data protection. In the US, we’ll observe closely to see if HIPAA and other regulations will change because of GDPR; and lately in Europe there have been court hearings considering whether to invalidate the US Privacy Shield. Cenduit will continue to monitor industry trends to stay ahead of the game.    

Over the past 20 years, issues about privacy and data integrity have continued to result in best practices and standards like GDPR. As the biopharma industry implements GDPR, many people are asking how it will change clinical trials. There’s much to be learned. Because Cenduit’s main system is fully electronic, and our processes and practices have always been in compliance with laws through our stringent approach to governance and quality, we’re ready to help our clients navigate the higher risks. Contact us to learn more.

Posted by Justine Koor, Manager Auditing and Regulatory, Cenduit