GDPR Compliance for Clinical Trials

A foundational first step towards GDPR compliance is to develop your organization’s records of personal data processing activities. Article 30 of the GDPR requires study sponsors to maintain accurate records of such activities. VeraSafe will assist your organization in developing these records and establish internal processes to facilitate their ongoing maintenance.

VeraSafe can review and revise your current privacy notice or create a new one specific to your clinical trial.

Informed Consent Forms (IFCs) are often used as a vehicle to provide privacy notices to patients, as required by Articles 13 and 14 of the GDPR. VeraSafe can review your ICF templates and revise them as needed, to ensure compliance. Our experienced team is sensitive to the requirement that ICFs be concise and written in plain language to ensure that patients can understand them. 

ICFs can be tailored on a country-by-country basis, according to member state guidance and local practice. This may be necessary where, for example, EU member states have different preferences relating to the legal bases for processing personal data.

We also assist with reviewing and suggesting responses to IRB/REB queries on ICFs.

Clinical trials in the EU inevitably involve processing personal health data, which must be archived for an especially long period of time in a clinical trial master file. For these reasons, a Data Protection Impact Assessment (DPIA) is typically required under the GDPR as part of a sponsor’s preparation for a clinical trial. In conducting your DPIA, VeraSafe will leverage its well-developed methodology and specialized templates specific to clinical trials.

The GDPR requires a written contract to be signed between your organization and any vendors that have the technical or physical ability to access clinical trial patient data or the personal data of site staff. Such vendors typically include contract research organizations (CROs), labs, and cloud software providers, among others. Compliance with this obligation is most frequently accomplished by signing a data processing addendum (DPA). These DPAs must include a number of specific provisions to mandate that the technical and organizational measures by which the vendors secure personal data meet the high standards of the GDPR. VeraSafe will assist your organization in reviewing these vendor contracts and, if necessary, directly support or lead the effort to negotiate and sign a DPA with each of your organization’s relevant vendors.

Much in the same way that your organization must implement DPAs with its vendors, a sponsor must ensure that clinical sites also are subject to a DPA. Data processing addenda can be attached to clinical trial agreements and the terms contained within these DPAs might need to be country-specific, depending on whether a clinical site is considered a processor or controller in that jurisdiction. VeraSafe will assist your organization in drafting these DPAs and, if necessary, directly support or lead the effort to negotiate and sign a DPA with each clinical site.

If your clinical trial involves collaboration partners that receive study data (even key-coded data) outside of the European Economic Area, a specialized data transfer agreement may need to be implemented between your organization and the collaboration partner(s). VeraSafe will draft this data transfer agreement and, if necessary, assist your organization in negotiating and signing the agreement with your organization’s collaboration partner(s).

In practice, a number of patient privacy rights established under the GDPR are effectively limited by countervailing obligations under the EU Clinical Trial Regulation. The sponsor must nevertheless ensure that patients have a means to exercise these rights. To comply with this requirement, but avoid violating the confidentiality requirements of Good Clinical Practice guidelines, VeraSafe can serve as your organization’s point of contact for patients who wish to exercise their privacy rights under the GDPR.

A clinical trial sponsor’s internal policies and procedures typically require some level of revision to help ensure that business operations are aligned to the GDPR. To meet this challenge, VeraSafe has painstakingly developed a library of data protection-related standard operating procedure templates that can be easily customized to fit your particular circumstances. VeraSafe can also embed the requisite GDPR operational requirements into your existing business process documentation.

Article 32 of the GDPR establishes a broad requirement for strong data security in pursuit of overall privacy protection. If requested, VeraSafe can review your organization’s IT security policies and procedures. Our methodology merges the GDPR’s risk-based approach with the U.S. National Institute of Standards and Technology’s Cybersecurity Framework for Critical Infrastructure (NIST CSF). This data protection standard provides the basis of a high-assurance assessment of compliance with Article 32.

VeraSafe assists clinical trial sponsors in designing and implementing study protocols that meet stringent regulatory requirements, including compliance with the EU Clinical Trials Regulation (CTR). 

Clinical trial sponsors are typically subject to the GDPR’s requirement to appoint a Data Protection Officer (DPO). Appointing VeraSafe as your organization’s DPO is an exceptionally easy and cost-effective approach, which ensures your compliance with this important obligation.

As your DPO, the entire VeraSafe team of privacy experts, in-house attorneys, IT security experts, and project managers will be available as your data protection subject matter experts. Going beyond the compliance activities described above, our team will help monitor your organization’s compliance with the GDPR and proactively identify compliance strategies, opportunities, and risks.

Most organizations that are regulated by the GDPR but have no physical presence in the EU are required to appoint an official representative located in the EU for the purpose of responding to inquiries from European regulatory agencies and data subjects.

By appointing VeraSafe as your organization’s official EU data protection representative, you can rest assured that your organization complies with this often-overlooked requirement.