
Understanding GDPR Compliance in Clinical Trials

Considerations for when and where GDPR applies, basics of GDPR compliance, and takeaways for clinical trial sponsors.

By: Kristin Brooks

Managing Editor, Contract Pharma

The European Union’s data privacy and security law, the General Data Protection Regulation (GDPR), imposes obligations on organizations that target or collect data related to people in the EU. The regulation, in effect since May 25, 2018, is quite extensive but lacks detailed guidance, which makes GDPR compliance challenging.
 
Data privacy and cybersecurity concerns are at the forefront of clinical trials, with sponsors and patients often unsure how to comply with new regulations concerning AI and digital health. Laura Gatavs, Head of Legal Department for Rho, discusses considerations for when and where GDPR applies, basics of GDPR compliance, and takeaways for clinical trial sponsors. 
 
Contract Pharma: How do American companies fit into GDPR?
 
Laura Gatavs: Registered U.S. companies that work outside of Europe do not need to understand GDPR, as U.S. laws do not require such protections. Californian companies are the only outliers, as the state has its own privacy legislation called the California Consumer Privacy Act (CCPA). The only time a U.S. company would need to follow GDPR is when conducting a trial in the European Union (EU), as it involves staff and/or patients who are in the EU (meaning any identified or identifiable natural persons, regardless of whether they are citizens or residents of the EU). As a start, they will meet with a GDPR representative, who will serve as the point of contact throughout operations to ensure compliance.
 
Contract Pharma: What are the basics of GDPR compliance for clinical teams?
 
Laura Gatavs: There are three main responsibilities of clinical teams to ensure GDPR compliance: recognize personal data, recognize a data breach, and follow the data breach reporting process. Usually, these matters should be documented within contract research organizations (CROs) and sponsor quality assurance systems, as well as the informed consent form (ICF), so teams must be vigilant and continuously update their processes. The basic principle is that a patient’s personal data should never leave the clinical site, and access to this information should be restricted to only a need-to-know basis.
 
Contract Pharma: Are there any other considerations for when and where GDPR applies?
 
Laura Gatavs: In general, when personal data of an EU-born citizen is being processed, whether that be inside or outside of the EU, GDPR still applies. There may be added requirements to follow once data is exported outside the EU as well.
 
Contract Pharma: What steps do U.S. sponsors need to follow when conducting a clinical study in Europe?
 
Laura Gatavs: First, the clinical team must confirm a GDPR representative that will be the point of contact and serve as a contact point for all requests coming from European authorities or individuals. Next, teams should ensure consent to process EU personal data for EU site staff and patients. Organizations involved in the trial will also need to ensure that their processes are aligned with GDPR requirements – for example, having specific standard operating procedures (SOPs) in place. A Data Protection Officer (DPO) must then be appointed along with having an ICF that is in line with local requirements where the trial is being conducted. Lastly, clinical trial agreements (CTAs) with technical and organizational measures (TOMs) must be filled out as an annex next to self-controlled case series (SCCs). 
 
Contract Pharma: What are some best practices to ensure GDPR compliance when conducting trials for sponsors?
 
Laura Gatavs: Ensure that all steps outlined above are observed and fulfilled. Not to mention, there are many vendors who have experience with GDPR in the U.S. and can help ensure compliance with GDPR for non-European sponsors. Create a clinical trial team that knows the ins and outs of GDPR for the best chance of success. 
 
Contract Pharma: What rights do patients have during trials when it comes to GDPR compliance?
 
Laura Gatavs: Patients’ rights are usually well depicted in the ICF because it is drafted in line with GDPR and respective local country requirements. However, patients are always their own best advocates. Rules to follow are to know the entities involved in the processing of the patient’s personal data and know who controls the patient’s personal data (principal investigator/hospital). The patient’s age is another important consideration. Minor patients normally have higher levels of protection than the basic level stipulated in GDPR, especially in Austria and Germany. 
 
Contract Pharma: How does GDPR protect patients from data and privacy leaks during trials?
 
Laura Gatavs: GDPR legislation requires sufficient TOMs to be in place for the parties involved in personal data processing and ensures that a sponsor has a DPO. It is a safeguard that guarantees the internal processes are in place and staff are trained so data and privacy leaks are less common. 
 
Laura Gatavs is the Head of Legal Department for Rho, where she provides guidance on corporate governance, negotiates and drafts contracts, and manages risk, and is involved on an everyday basis in GDPR matters – both at the company compliance level and when negotiating clinical trial agreements.
