The pharmaceutical industry is highly regulated, and organisations within it are no strangers to strict rules governing every stage of drug discovery, testing and production. When it comes to privacy and data protection regulation, however, clinical trials are where the requirements bite hardest. Demonstrating the safety and efficacy of a drug requires processing a large volume of sensitive personal data, and that in turn demands careful attention to data protection. For clinical trials involving individuals located in the EU or UK, the General Data Protection Regulation (GDPR), widely regarded as the ‘gold standard’ for safeguarding individuals’ personal data, will be at the centre of those considerations. Because the GDPR’s applicability is determined by the location of the individuals whose personal data is processed rather than the location of the entities doing the processing, trial sponsors anywhere in the world are subject to its requirements.
In this article we set out four of the most important data protection factors that life sciences organisations must take into account when sponsoring a clinical trial that involves EU or UK residents:
• Basic data protection requirements
• Data transfers
• Local jurisdictional requirements
• Appointing a DPO and DPR
It is worth noting at the outset that following Brexit, the UK has enacted the GDPR into its own domestic legislation – the UK GDPR. At present, the EU and UK GDPRs are in practice the same, so unless stated otherwise, both will be referred to as the GDPR.
Basic Requirements
Data Controller
In all but very rare cases, trial Sponsors are deemed to be the ‘Data Controller’ under the GDPR for the personal data collected as part of a clinical trial. A Data Controller is the entity that determines the ‘purposes and means’ of processing personal data. The Sponsor is generally the organisation that writes the protocol (the purposes) and contracts with the organisations that will run the trial and collect the data (the means), so even though the Sponsor may only ever have access to coded (pseudonymised) personal data, it is still considered the Controller under the GDPR. As Controller, the Sponsor must comply with the more onerous accountability responsibilities that the GDPR imposes. These include identifying the appropriate lawful basis for the processing, putting in place appropriate agreements to legitimise cross-border data transfers, informing individuals about the intended processing, handling individuals’ rights requests, and ensuring that the organisations appointed as Data Processors comply with their own obligations and apply ‘appropriate technical and organisational measures’ to protect the data being processed.