Most clinical trials companies have gone through detailed exercises to put their data processing into a proper framework: carrying out inventories, creating records of personal data processing activities, going through data protection impact assessments, appointing data protection officers, running training sessions for staff, etc. Companies have been anxious that this could be a big change for clinical trials, since the data no longer "belongs" to those processing it, a participant's personal data could be withdrawn at any time, and any noncompliance may be severely punished.
This article takes one more look at the regulation, revisits the most talked-about terms, explores potential changes for data management, and checks whether the new regulation sets any specific rules for electronic data capture (EDC) systems.
About the New Regulation
The EU General Data Protection Regulation (GDPR) 2016/679 has applied in all EU countries (and, via the EEA Agreement, in Iceland, Liechtenstein, and Norway) since 25 May 2018, repealing the Data Protection Directive 95/46/EC of 1995. The main goal of the regulation is to strengthen the protection of an individual's personal data: a person should know what data is being collected about them, for what purpose, and where it is being processed (eg, whether it is transferred outside of the EU). Per Article 3 of the GDPR, any processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU must comply with the regulation, regardless of whether the processing itself takes place in the EU. The maximum fine for non-compliance is EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects; where the breach is likely to result in a high risk to them, the affected data subjects must also be informed directly (1).
But what does this mean for data management, whose main tasks are creating, maintaining, and processing large amounts of data from trial participants on behalf of sponsors, who are often located outside the EU?
Getting Familiar With the Terms
Table 1 (see the end of the article) shows, and puts into context, some of the most used applicable terms in the GDPR.
Data Management Changes
The industry has been moving towards a patient-centric approach for years. The GDPR reinforces this, particularly as clinical trials are only possible because patients allow their data to be processed. Great care must be taken to educate the patient on what will happen to their data during the study and what rights they have. The main GDPR principles (Article 5) differ in some ways from current best practice in clinical trials, though the parallels are clear:
- Lawfulness, fairness, and transparency: Clinical trials ask volunteers for highly personal data and use it to analyse whether the proposed treatment works as intended, so it is only right that the data subject's rights are protected. The GDPR requires a valid legal basis for data collection, that no laws are breached, and that data is processed as agreed and clearly communicated to the participant. These rules are already commonly respected in clinical trials
- Purpose limitation: As a general rule in clinical research, only the data required for the analysis set out in the study protocol is collected. The trial participant is then made aware of what data is collected and for what reasons. If anything changes in data collection or processing, the participant must consent to the changes, or the controller/processor must have a legitimate basis for collecting and processing the additional data. The GDPR takes the same position, and, therefore, no changes
- Data minimisation: This principle repeats the ideas covered in the previous point: data collected and processed must be adequate, relevant, and limited to what is needed, which presents no change
- Accuracy: The GDPR requires personal data to be accurate and, where necessary, corrected. In clinical trials, analysis should only be performed on correct and clean data to ensure results are reliable. Several steps of data cleaning (eg, source data verification, data management review, and safety review) are already in place as safeguards to achieve this, and, therefore, no changes
- Storage limitation: When a new study starts, the expectations on data storage must be clear (eg, who is responsible for archiving the data, how long it must be kept, etc). The new regulation plainly states this as an expectation, too. Note that the GDPR permits longer storage of personal data for scientific research purposes, subject to appropriate safeguards (Article 5(1)(e)), which accommodates the long retention periods required for trial documentation
- Integrity and confidentiality (security): This principle requires that only authorised personnel can access the data, in a controlled manner, and that safeguards (eg, backups and recovery procedures) are in place in case systems fail. This is also a principle of Good Clinical Practice (GCP)
Organisations and personnel working with personal data must also take accountability and be able to demonstrate that the necessary measures have been taken to ensure compliance. If the agreed terms of data processing are not followed, the deviating party is held accountable (1).
Possible Impact on Data Management
Given that the main GDPR principles are already common practice in clinical trials, what about the part of the regulation that gives data subjects more rights over their data? Article 89 of the GDPR is relevant here: where personal data is processed for scientific research purposes, Union or Member State law may provide for derogations from the right of access, the right to rectification, the right to restriction of processing, and the right to object, insofar as exercising those rights is likely to seriously impair the achievement of the research purpose and the derogation is necessary for that purpose. Two points matter in practice: the derogation must be provided for in law, so whether it is available depends on the Member State concerned, and it applies only subject to appropriate safeguards for the data subject (eg, pseudonymisation and data minimisation), so requests from participants cannot simply be refused by default.
Influence on ongoing studies
The GDPR is in effect and must be followed. Per clinicaltrials.gov, over 15,000 trials are currently recruiting in Europe, the majority having started before May 2018 (3). How can these trials ensure compliance? First of all, having the appropriate data processing agreements between controller and processor in place (Article 28) sets the standard for personal data processing in accordance with the GDPR. For data transfers outside the EU, additional safeguards (eg, an adequacy decision or standard contractual clauses) may be necessary to ensure the same level of protection. Controllers and processors are advised to carry out a data protection impact assessment to evaluate the risks to the rights and freedoms of trial participants arising from the data processing and the measures used to address those risks. As for informed consent forms (ICFs) signed before 25 May 2018, depending on the content of their data protection sections, it may be necessary to provide participants with additional information on data processing activities; this has to be evaluated by the sponsor.
EDC System Compliance
Although it is a detailed document, the GDPR does not set explicit system requirements beyond those already implemented in today's industry-compliant EDC systems (eg, pseudonymisation, access control, audit trail, data backups). However, 'privacy by design' (Article 25, data protection by design and by default) must be followed.
The first ideas of 'privacy by design' were expressed in the 1970s and, in the 1990s, were incorporated into the Data Protection Directive 95/46/EC. According to Recital 46 of that directive, technical and organisational measures must be taken already at the time of designing a processing system to protect data security. The difference now is that this is a legally binding obligation and no longer just good practice. The underlying idea is that data protection is best achieved when it is built into the technology from the start rather than bolted on later. When selecting safeguards, one can also draw on other standards, such as those of the International Organization for Standardization (ISO). Recognised certification can serve as an indicator to authorities that those responsible have complied with the statutory requirements of 'privacy by design' (4).
EDC tools are built to carefully address the industry's rules and regulations. To also demonstrate GDPR compliance, additional recognised certification or other valid documentation may need to be retained as evidence.
Clinical research has been one of the most regulated industries for years, so it should not be a big surprise that the GDPR does not impose many significant changes. As the regulation is still new, discussions on what is needed to demonstrate compliance and on the practical implications of the data subject rights may follow. At first glance, the previous regulations have prepared the industry well and, apart from clearer documentation (eg, roles and responsibilities of controller and processor, how to handle special requests, additional documentation on systems' compliance), no major process changes are foreseen for data management.