Since the implementation of the EU General Data Protection Regulation (‘GDPR’) on May 25, 2018, many countries have enacted similar laws to allow for the unhindered flow of personal data. This has caused a ripple effect of GDPR-like laws worldwide, with unique versions making international business more difficult than ever before. This difficulty is particularly felt in the conduct of medical research and clinical trials across regional, national, and international borders.
Clinical trials are often conducted across multiple countries, encompassing various legal territories. Experience indicates that comprehending and meeting data privacy demands for these international clinical trials can be challenging. A significant reason for this complexity is that local legal interpretations of the relationship between privacy laws and clinical trials vary. Even within the EU, where the GDPR is supposedly uniformly enforced across member states, the interpretation of the Regulation in the context of clinical trials often differs among countries and their respective privacy and health regulatory bodies.
A data controller (sponsor/clinic-institution of the investigator) must implement appropriate technical and organizational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the applicable data protection rules. Therefore, it is imperative that parties to clinical research understand which laws apply, and the role and responsibilities of the parties involved.
Managing data privacy in international clinical trials: addressing jurisdictional specificities and more
Within the realm of clinical trials, organizations have become increasingly mindful of the significance of compliance with data privacy and protection laws across jurisdictions. Despite this harmonization effort, there remain sharp distinctions between regulatory approaches, with regard to both the legal concepts and the formalities that personal data protection entails. As a result of such divergence, organizations conducting cross-border clinical trials must tailor their compliance programs to jurisdictional specificities.
In a similar study, it may be necessary to process or to transfer patients’ coded personal data and samples to countries where the laws may not protect personal data to the same extent as others. The study sponsor is responsible for taking all necessary steps to ensure that the level of protection and confidentiality of personal data is locally appropriate for its processing activities.
The evolving regulatory landscape makes it necessary to determine, in the early stages of planning the trial, which country’s privacy laws will apply to the project. Data mapping is a critical step; it should include the type of data at stake (identified, de-identified, coded, pseudonymized or anonymized), and whether the obtained data will be deemed “de-identified” or “anonymized” according to the nation’s criteria, potentially rendering privacy laws irrelevant. Hence the need to assess the jurisdictional reach of the data. If the privacy laws do apply, many standard technical and organizational practices are commonly used to achieve compliance with international laws. An additional key issue is whether a local representative or data protection officer must be designated for a particular country, which can entail additional time and expense.
Gone are the days when companies could easily rely on subject consents or de-identifying data in order to address all privacy concerns…
It’s now essential for organizations conducting global clinical trials to meticulously examine the data privacy regulations of every country in which they aim to involve research subjects, to preempt potential infractions and severe sanctions. This raises questions: is this the core business of a data controller? Should sponsors spend their own time on it?
Even when the function is managed internally, it remains difficult to appoint a Data Protection Officer (‘DPO’) who is 1) skilled enough to navigate between the recommendations of various international Data Protection Authorities and their languages, 2) able to deal with other obligations, such as the requirement that the DPO be able to prove his or her professional skills by ensuring a non-conflict of interest, and 3) capable of respecting the independence of the function. These criteria inevitably eliminate internal healthcare professionals, medical practice managers, and most internal management positions in large organizations (Administrative and Financial Management, IT Services Management, etc.).
In conclusion, we are convinced that it becomes downright impossible for one person to take on this role on a part-time basis. For us, externalizing the DPO becomes inevitable.
In addition to addressing the challenges raised above, the key advantages of outsourcing the DPO role are cost-effectiveness, flexibility, efficacy and centralization. Organizations can access deep expertise on a full-time, part-time or project basis, allowing them to manage their budget and timeline more effectively. An external DPO also brings a fresh perspective and, often, industry-specific experience. A DPO with core industry knowledge (clinical data migration, cybersecurity, medical devices) will have been exposed to various data protection challenges and best practices that may be useful. This exposure enables the DPO to bring valuable insights and innovative solutions to the organization.
MyData-TRUST: The advantages of a Global Privacy One-Stop-Shop specialized in the Life Sciences Industry
Organizations are facing an increasingly complex data protection environment. Many businesses are realizing the importance of having a dedicated DPO to ensure their data protection compliance. However, as shown above, the reality is that not all companies have the resources or expertise to meet all the privacy challenges themselves.
So as not to leave our readers without a relevant solution, we point to a young company we came across, MyData-TRUST, whose concept of an outsourced Global Privacy One-Stop-Shop can be interesting.
At MyData-TRUST, they count over 100 internal Data Protection Specialists, experienced in the life sciences industry and highly trained in data protection and privacy. This strongly built organization is always at the forefront of data protection trends and changes, integrating innovation and artificial intelligence (AI). Understanding a company’s privacy needs with regard to the size and type of client, together with a full understanding of study protocols, fosters good collaboration. MyData-TRUST’s DPOs come from the same industry as yours, and know its challenges.
As sponsors grow, there is a need to ensure that each department processes data in compliance with the different country-related Regulations. From the EEA to the United States, Brazil, China, African countries or India, data protection is a maze. With DPOs and lawyers specialized in local regulations, a complex landscape becomes much easier for them. At MyData-TRUST, they have a team dedicated to studying and learning from newly adopted regulations in order to support their clients. The MyData-TRUST teams monitor and study the latest changes in laws, regulations, and industry standards, ensuring that organizations remain compliant with all relevant requirements.
Their DPOs will define a road map before starting an International Data Protection and Privacy project. They will look at every processor, activity and flow of data. Their DPOs will also ensure that every patient-facing document meets the data privacy requirements of the country where the clinical trial is conducted or the drug is submitted. From what we understood, their DPOs also enjoy challenges: early access programs, privacy and security setup, AI platform management, etc.
With MyData-TRUST, we are solving the issues raised earlier and also ticking the boxes related to skills and experience. Moreover, there is no conflict of interest, and the principle of independence is respected.
In this era of heightened data protection and privacy, strategic partnerships are key to successful global clinical research.