U.S. life sciences companies that conduct trials in Europe must deal with more than language nuances and time-zone differences. They must also comply with the General Data Protection Regulation (GDPR). This bedrock privacy regulation controls the use of all personal data, not just health data, of persons residing in the EU and the UK. And thanks to its extraterritorial scope, it applies to U.S. trial sponsors, even if they don’t have offices in the EU and the UK.
In this article, we’ll discuss what the GDPR is and why it matters to your life sciences company. We’ll also show you how iliomad Health Data can help you maintain GDPR compliance.
A Brief Overview of the GDPR
The EU adopted the GDPR in 2016, replacing the 1995 Data Protection Directive, and it took effect two years later. After Brexit, the UK incorporated it into its own laws.
The GDPR is based on 7 principles (Article 5):
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
While those principles are consistent across the EU and the UK, how they are implemented between (and even within) countries is not. For example, Portugal extends GDPR protections to data from deceased people, while France does not. And countries vary on which of 6 lawful bases for collecting data is preeminent.
The GDPR draws a distinction between data controllers and data processors. Trial sponsors are considered data controllers, a designation that brings with it extended responsibilities. CROs, meanwhile, are typically considered data processors. But they aren’t alone; any vendor that handles and transmits data—even a file-sharing service—is considered a data processor and must abide by the GDPR. And it doesn’t matter whether the data is de-identified.
Each trial sponsor must name a data protection officer (DPO). This individual completes a data protection impact assessment (DPIA), monitors GDPR compliance and cooperates with supervisory authorities like France’s Commission Nationale de l’Informatique et des Libertés and the UK’s Information Commissioner’s Office. Trial sponsors that don’t have a physical presence in the EU or the UK must also name a data protection representative (DPR) who is resident there. This individual or organization serves as the first point of contact for trial participants and supervisory authorities. Both the DPO and DPR roles are often outsourced to companies like iliomad Health Data.
Failure to comply with the GDPR can result in hefty fines—up to €20 million or 4% of worldwide annual revenue. It can also delay your ability to transfer and use data from a clinical trial, potentially slowing down a drug launch. That’s why it’s so important to focus on compliance from the moment you begin planning for a trial to the moment the trial ends and beyond.
How U.S. Trial Sponsors Can Become and Remain Compliant
It’s important to start planning for compliance long before you enroll your first trial participant. In fact, a lead time of 6 to 12 months makes sense given all the work that’s involved.
The next key step is to designate your DPO and DPR. The first will oversee your efforts to become and remain compliant. The second must be in place before the trial starts.
The DPO plays a key role in compliance, but so do others within the organization. Like workplace safety, compliance is everyone’s job, which means everyone needs to be trained.
With the DPO in place and the staff trained, you should conduct a thorough risk analysis. This is perhaps the heaviest lift because you’ll need to look not just at your own company’s practices but also at those of your CRO and other third-party vendors. The resulting DPIA—which is mandatory in order to conduct a trial in some countries—will serve as a living roadmap as you move forward. It should clearly document where data comes from, where it goes, who touches it, where it’s stored and what controls are in place.
Finally, it’s important to revisit GDPR compliance anytime there are changes. If people join the company during the course of the trial, you’ll need to conduct additional trainings. If you bring a new vendor on board, you’ll need to review their compliance practices.
How iliomad Health Data Can Help
GDPR compliance is easy enough to understand in theory, but it can be challenging in practice. (For example, how can you legally collect health data to screen potential trial participants before they’ve signed informed consent forms?) Moreover, science, not compliance, is probably what you signed up to do.
This is where iliomad Health Data can help. We provide tailor-made compliance services to trial sponsors, letting them focus on innovative science without risking GDPR violations. As an EU-based team with a unique set of regulatory expertise bridging the Atlantic, we can:
- Provide step-by-step guidance as you build your compliance system
- Serve in the role of DPO and DPR
- Assess and qualify vendors
- Train staff
- Conduct gap analysis with other relevant privacy regulations
- Offer ongoing consultation as issues arise
By doing what we do best, we allow you to do what you do best—and to do it without concerns about GDPR compliance.