The European General Data Protection Regulation (GDPR) brings considerable changes to the activity of Biotechs and Medtechs by placing the security of personal data at the center of compliance. In the context of clinical trials, sponsors and subcontractors must work together to achieve an exemplary level of traceability. A question now arises for the companies concerned in the health and biotechnology sector: how to master this environment and ensure that service providers comply with the GDPR?

A multiplicity of players at the service of clinical trials

From a regulatory point of view, the sponsor planning and conducting clinical trials has a duty to monitor all trial-related tasks and functions performed on its behalf, as it is responsible for the compliance of the clinical trial. Most biotechnology companies rely almost entirely on CROs (Contract Research Organizations). They interact in all phases of the study, from preclinical work, through the conduct of clinical trials, to marketing and pharmacovigilance. In an ecosystem where outsourcing of clinical trial activities is a common phenomenon, a dependency of compliance is established between the different links in the outsourcing chain.

In this context, the monitoring of subcontractors must be global and exhaustive. It concerns all types of actors, such as health data hosts, providers specialized in certain analyses (Central Lab), clinical providers, system providers (ePRO, IWRS), and the data flows between these actors. As for the investigator sites, they must guarantee the production of scientific medical data under the best conditions of quality and security to attest to the protection of the rights, dignity and well-being of the persons concerned as well as the scientific validity, reliability, and robustness of the clinical data.

Problem: in the context of clinical trials, the complexity of compliance arises from the multiplicity of actors and their interactions. The difficulty of establishing secure data flows is compounded when sensitive data is transferred outside the EU.

As it is imperative to identify from the outset the elements that are essential to the quality of the planned clinical trial, the utmost attention must be paid to the selection of the “suppliers” of services.

Faced with this fragmentation, the biotech company finds itself exposed on all sides: it must ensure that only authorized persons have access to the data, i.e., to the data flows from the sites to the various service providers. It must also ensure that the selected service providers have put in place adequate security measures. Quantifying the risk is therefore essential to ensure control over the data.

The legal framework needed to define the sponsor-subcontractor relationship

Article 28 of the GDPR provides for a series of mandatory provisions for the establishment of a specific contract between the parties, framing the relationship between a controller and one or more processors.

These contracts are a useful tool for supervising subcontracting in accordance with the requirements of the GDPR and provide a guarantee that the controller or the subcontractor has implemented technical and organizational measures to ensure a sufficient level of security for the data transfer.

This contract takes a particular form if one of the actors is located outside the European Union (EU) and is not subject to an adequacy decision by the European Commission. In this case, the Standard Contractual Clauses (SCCs) adopted by the European Commission should be used.


50% of contracts with subcontractors are not up-to-date with data transfer regulations. 


Defining the sponsor-subcontractor relationship: what operational framework?

Conducting an impact assessment makes it possible to ensure that service providers comply with the mandatory provisions mentioned above, by auditing the service provider and carrying out a concrete verification of the effectiveness of data protection. This analysis aims to guarantee compliance with the principle of privacy by design and by default, which the sponsor is required to observe.

This risk analysis is part of a more global approach known as “Third-Party Risk Management”. These are essential steps for Biotechs and Medtechs conducting clinical trials, and they cover several items such as:

- Access to data via the HTTPS protocol (secure online access)

- The user authentication mode: password, MFA, token, SSO…

- The data encryption mode: AES-128 or AES-256 (Advanced Encryption Standard), in transit and at rest…

- The compartmentalization of the sponsor’s data from the other data processed by the service provider

- Data backups and their frequency.

90% of the information related to certifications and security documents is not available on the subcontractors’ website.
95% of the subcontractors use an outsourced cloud solution: AWS, Azure etc. As a result, the sponsor’s data is dependent on actors that are sometimes unknown to them.
On average, it takes 8 to 10 weeks to get feedback from the service providers on the technical measures implemented.


Simplifying the compliance of your service providers for better performance: iliomad’s expertise

Compliance is not a choice. The GDPR requires that it be demonstrated at all stages and for each of the actors, via the principle of accountability. Failure to comply with these obligations can have serious financial, commercial and even reputational consequences. A lack of appropriate management and monitoring can compromise the security and integrity of the data processed and thus jeopardize the results of the clinical trial.

As a specialist in the healthcare sector, iliomad assists biotechs conducting clinical trials at all stages of their compliance, following a Third-Party Risk Management approach adapted to each subcontractor according to its role in the clinical trial. We intervene both during the contractualization and the risk analysis phases. We assess the organizational, legal, and technical compliance of the providers involved. This expertise is essential for mapping the exchanges between the different actors and mitigating the risks of non-compliance. It protects the clinical trial from elements that would impact the quality and value of the data collected.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
