
Written by Zlatko Delev

Posted on: February 3, 2022

How does GDPR Affect Clinical Trials?

How does GDPR impact the clinical trials industry?

The increasing use of the internet and electronic records, and the advancement of clinical trial technologies that enable the collection and use of data, have no doubt played a big part in the creation of the GDPR. Big data is becoming increasingly important in clinical research, which also poses new challenges for data security and privacy.

Clinical trial data is considered a “special” data category whereby processing is necessary for scientific or research purposes. The data subject gives their explicit consent for the collection of these categories of data. When a volunteer, patient, or subject signs the informed consent, it will clearly state what data is being collected and why. This special data category negates the subject’s right to erasure or portability, which makes sense: clinical data cannot be removed from the dataset without an audit trail, and removing it would change the statistical trial outcome. Subjects can only leave a trial to prevent additional data collection.

The GDPR aims to strengthen the rights of individuals to be better informed about how their data is to be used, and sets out clearer responsibilities and obligations for healthcare professionals and companies using such data. Transparency, security, and the accountability of Data Controllers are paramount. Clinical trial providers must identify the data that is being processed, where it is transferred to, who processes the data, what it is used for, and any risks and processes, and must ensure all employees are trained.

Many of the responsibilities and obligations defined by GDPR are not new for companies in the Clinical Research sector, including that of consent. Within GDPR, the conditions for consent have been strengthened. Most notable is that any request for consent must be given in a clear, intelligible, and easily accessible form, with the purpose for data processing attached to that consent. Consent must be distinguishable from other matters and use plain language. It must be as easy to withdraw consent as it is to give it. The clinical trial world already lives and breathes by informed consent. Going forward, however, clinical trial organizations must ensure that any informed consent document clearly states the intended logistics of any data collected.

How GDPR affects clinical trial providers

For clinical trial providers, the new regulations cover not only those participating in clinical trials, but also employees, customers, and subcontractors. A clinical trial provider is a processor from a customer perspective but also a controller of data in terms of personnel, sales, and subcontractors. As a consequence, clinical trial companies have obligations to make sure that rules are in place and followed.

For clinical trial operators, data impact assessments will be crucial for both electronic and hard copy data. Comparable to risk assessments for a data stream, an assessment should cover what the data is used for, how it is managed, and what action is needed. There is also a defined role within the GDPR called the Data Protection Officer, a named person within the organization, registered with the data protection authorities in specific territories. This individual acts as the interface between organizations and the company and would be involved if there are any data breaches.

Another crucial part of the GDPR for clinical trials is the concept of pseudonymization and anonymization. The GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” Therefore, any pseudonymized data that could still be attributed to a trial participant using other information will be considered personal data. The terms should be distinguished in trial protocols, as only the anonymization of data will ensure that the data is no longer considered to be personal data.
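The distinction above, shown as an added example that is not part of the original article: participant identifiers are replaced with keyed pseudonyms, and whoever holds the key and the enrolment list (the "additional information" in the GDPR definition) can map every row back to a person, so the output is still personal data. HMAC-SHA256 as the pseudonymization method, the field names, the key and the sample records are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data and keys (illustrative only, not from any real trial).
RECORDS = [
    {"participant_id": "SITE01-0007", "visit": 1, "hba1c": 7.9},
    {"participant_id": "SITE01-0007", "visit": 2, "hba1c": 7.4},
    {"participant_id": "SITE02-0031", "visit": 1, "hba1c": 8.2},
]
ENROLMENT_IDS = ["SITE01-0007", "SITE02-0031"]
KEY = b"constructed-demo-key-not-for-production"
WRONG_KEY = b"some-other-key"

def pseudonym(participant_id: str, key: bytes) -> str:
    """Keyed pseudonym: stable per participant, not recomputable without the key."""
    digest = hmac.new(key, participant_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P-" + digest[:16]

def pseudonymize(records, key):
    """Replace the direct identifier with a pseudonym; clinical values are kept."""
    return [
        {"subject": pseudonym(r["participant_id"], key), "visit": r["visit"], "hba1c": r["hba1c"]}
        for r in records
    ]

def reidentify(pseudonymized, enrolment_ids, key):
    """What a key holder can do: recompute pseudonyms over the enrolment list
    and map each row back to a participant (None where no match is found)."""
    lookup = {pseudonym(pid, key): pid for pid in enrolment_ids}
    return [lookup.get(row["subject"]) for row in pseudonymized]

if __name__ == "__main__":
    rows = pseudonymize(RECORDS, KEY)
    print(rows)
    print("with key:    ", reidentify(rows, ENROLMENT_IDS, KEY))
    print("without key: ", reidentify(rows, ENROLMENT_IDS, WRONG_KEY))
```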


Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
