How does GDPR affect clinical trials?
The EDPS gave clear guidance in July 2019 that a DPIA is needed when two or more of nine criteria are met. Any clinical trial will meet at least two of them:
- Criterion 4: sensitive data or data of a highly personal nature (health data is a special category under Article 9 GDPR)
- Criterion 5: data processed on a large scale
- The permanence of the data processing (trial data is retained for many years after the trial ends)
So it is clear that, as part of your clinical trial, you will also need to conduct a DPIA.
Sherry Reynolds - Sr. Director, Clinical Operations at Karuna Therapeutics
"Philip did a terrific job of guiding us through the GDPR compliance process as we prepared to launch our study in the EU, including drafting the DPIA and helping us secure local data privacy representation. I would highly recommend Philip Nathan and Nathan Trust."
Does GDPR apply to US clinical trials?
Yes, if the trial subjects are in the EU, or if the sponsor (the controller) or any processor, such as a CRO, is established in the EU (Article 3 GDPR). A US sponsor with no EU establishment is still caught when it enrols EU subjects, because collecting their health data is monitoring of their behaviour within the EU, and it will then also need to appoint an EU representative under Article 27.
Who is responsible for completing a DPIA?
The sponsor is responsible for ensuring that the DPIA is completed, because the sponsor is the data controller for the trial.
The sponsor should delegate the work to a data privacy expert, preferably one with experience of conducting DPIAs for clinical trials, but accountability for the outcome stays with the sponsor.
Who is consulted as part of the DPIA?
All joint controllers and processors. For a clinical trial this will include the investigational site, the CRO and any cooperating CRO, the Principal Investigator and any Co-Investigators.
What Documentation is required?
The privacy expert will need access to the following reference documents:
- Master Service Agreement
- Data Processing Addendum
- Clinical Study Protocol
- Processor Sub-Processor Agreement
- Subject Information Leaflet (SIL)
- Informed Consent Form (ICF)
- Case Report Form (CRF)
- Study Site Binder/Investigator Site File
What steps are involved in completing the DPIA?
We have devised a methodology based on the recommendations of the ICO in the UK, the DPC in Ireland and the EDPB.
The steps are as follows:
1. Identify the need for the DPIA
Introduce the clinical trial and give an overview of its primary and secondary objectives. It is also worth referencing the Article 29 Working Party guidance (WP248) on when a DPIA is required.
2. Describe data processing. This should also include a Data Flow Diagram.
A detailed outline and description of:
- How the data is collected
- How the data is used
- How the data is stored
- How the data is deleted
- Source of the data
- Data Sharing and transfers
- Types of Processing
The data flow diagram is a key document here. It is a graphical representation of where and how the data is collected, where it moves (site, CRO, sponsor, sub-processors, countries) and where it is stored.
3. Describe the scope of the processing.
- Nature of the data
- Any special category data
- Volume of data
- Frequency of data processing
- How long will it be retained
- Number of data subjects
- Location of data subjects
4. Describe the context of the processing.
- Nature of relationship with data subjects
- Any children or vulnerable groups
- Is the processing novel in any way
- Any current issues that should be factored in
5. Describe the purposes of the processing.
- What do you want to achieve
- Intended effect on the data subjects
6. Consider how to consult with relevant stakeholders.
- When and how you will seek stakeholders' views
- Whether you plan to consult information security experts
7. Describe compliance and proportionality measures.
- Lawful basis for processing
- Data quality and minimization
- Info given to data subjects
- Measures to ensure processors comply
- Safeguards for international data transfers
8. Describe the source of each risk and the nature of the potential impact on individuals.
Each risk should be graded on likelihood and severity, which together give the overall risk. Following the ICO template, likelihood is graded remote, possible or probable; severity minimal, significant or severe; and overall risk low, medium or high:

| Risk | Likelihood of harm | Severity of harm | Overall risk |
|------|--------------------|------------------|--------------|
Quite often the DPIA will highlight areas that need to be remedied; that is its purpose. In some cases the risk comes from the data processing agreements, for example a controller-to-controller arrangement or a data transfer clause. In other cases it comes from the nature of the processing itself.
As clinical trials are highly regulated, there tend to be good systems in place for ensuring the privacy of the data. However, the agreements between the sponsor and the CROs may contain discrepancies, especially in relation to international data transfers.
9. Identify additional measures you could take to reduce or eliminate the risks identified.
These are the actions taken as an outcome of the DPIA. Not all of the risks identified can be reduced or eliminated while the document is being completed, so each one should be recorded with an owner and a target date.
The DPIA should then be updated once those risks have been reduced or eliminated.
10. Sign off and record outcomes
A DPIA is reflective of a point in time but it is also kept under review. It is signed off by the:
If you need to complete a DPIA for your clinical trial, get in contact with us below: