GDPR applied to Clinical Trials
Impacts of the General Data Protection Regulation on clinical trials
The General Data Protection Regulation, also known as the GDPR, has since its inception (May 25th, 2018) affected a number of companies in the way they handle and process personal data.Paradoxically, this is especially true for companies operating in the life sciences sector. One could assume and infer that because life sciences companies operate in a such a regulated sector, data privacy should be a given and at the very least be considered an “easy” task when it comes to complying with those specific regulations, especially the GDPR. Instead, we have seen health actors such as biotechs and medtechs struggle to understand the real impact of the GDPR on their clinical operations and thereby not tackling the data privacy problem head-on.Clinical trials offer a unique paradigm for the application of the GDPR. Although already heavily regulated by the clinical trial directive and the Good Clinical Practices (GCP) the GDPR has been shown to bring major impacts on sponsors in three specific and distinctive areas that are: (i) data governance and the ability for sponsors to control personal data, (ii) the processing of personal data and the ability for sponsors to choose the right medium to collect such data and finally and more surprisingly with regards to (iii) cybersecurity and the ability for health companies to address the dangers of securely processing sensitive data.
Data governance or the ability to control personal data within a clinical trial
Data governance is one of the consequences of the emphasis the GDPR has put on the accountability of data controllers (the person or company that decides the purposes of the collection and processing of personal data as well the means for carrying them out). Along with the empowerment of data subjects (in a clinical trial those are patients and any other person that might see their personal information processed for the good of the clinical trial, such as a physician or CRA for example), data governance is the cornerstone of the GDPR as it makes the sponsor responsible for any personal and sensitive data being mishandled.
The idea around data governance is, however, not entirely new. Indeed, other regulatory frameworks have in the past mentioned the obligation for sponsors to remain in control of the personal data they might handle. This is the case, for example, in the clinical trial Directive 2001/20/EC1, which states that a clinical trial may “only be undertaken if the rights of the subject are (…) safeguarded” (article 3), as well as in the upcoming clinical trial regulation EU 536/ 20142 underlining that “All clinical trial information should be recorded, processed, handled (…)”. Nonetheless, the GDPR has strengthened the accountability that sponsors must now endorse regarding personal data and consequently the measures they have to put into action. This is known as “Privacy by Design and by Default” under the GDPR. Sponsors are hereby required to implement specific measures before any clinical trial is conducted. Those measures include:
- Maintaining up-to-date records of personal data being processed during the clinical trial. This includes the type of data collected and processed (Genomic or cardiovascular data for example), the purpose of said processing and the period of retention or security measures that have been implemented to protect personal data (article 30 of the GDPR).
- Conducting a risk analysis or “Data Protection Impact Assessment” (DPIA) before any clinical trial. This means that a DPIA must be conducted for each clinical trial (a clinical trial being likely to result in high risks to the rights and freedoms of patients) allowing for analysis of the legal basis of the processing, the nature of data being collected and the technical measures implemented to protect personal data (article 35).
- Framing and anticipating cross-border personal data transfers from the clinical site servers up to the sponsor’s servers. This measure is particularly sensitive for non-European sponsors established in countries whose local protection regulation is not adequate to the GDPR standards (e.g USA since Schrems II and the end of the Privacy Shield)3. Those measures encompass the implementation of Binding Corporate Rules (BCR) or Standard Contractual Clause (SCC) and particularly impact companies relying on cloud-based services (articles 44 to 50 of the GDPR).
- Data Breach Management systems that allow companies to assess and swiftly address data requests from patients (even though they are very rare today) or data breaches (much more frequent (articles 15 & 33 of the GDPR).
This new framework should theoretically impact moderate sponsors, as those measures are aligned with the prerequisites set by either the clinical directive or GCP (Section 64). However, some medical companies, especially biotechs, struggle to implement such measures as they require a deep dive within the depths of data flow, internal processes and technical IT measures.
Processing of personal data or the ability to collect personal data without risking the clinical trial
The second impact the GDPR has had within the context of clinical trials pertains to the way sponsors collect personal data.
The collection of personal data is already a heavily regulated topic, from the way patients are enrolled and data is collected with ICF-PIL (Inform Consent Form – Patient information Leaflet) to the randomisation process. The GDPR has however clearly distinguished the collection of “scientific” data from the collection of personal data. This semantic shift implies that along with the consent to participate in a clinical trial, the sponsor must also collect the patient’s consent in order to process their personal data.
As a preliminary remark, a basic principle stemming from article 9(1) of the GDPR states that the processing of special categories of data, also called sensitive data, is prohibited. It is only by way of exception that the processing of sensitive data such as health data is allowed, and those exceptions are guided by the either the manner or the purpose of collection.
Intuitively, consent, one of those exceptions (article 9 (2) a.) would be the go-to solution for sponsors to collect personal data from patients, consent being already used for enrolling patients in clinical trials??. However, consent under the GDPR creates a major hurdle for clinical trials. Separating the two types of consent (participating in a clinical trial and consent for the processing of personal data) may lead to an ambiguous situation where a sponsor could gather consent from a patient to participate in a clinical trial and at the same time that patient may refuse to allow the processing of their personal data, thereby preventing any use of said data. Worse still, the patient may consent to the processing of personal data, then withdraw their consent, putting the clinical trial’s results in jeopardy.
Fortunately, this risk is manageable as ICFs may rely on other GDPR legal bases to process health data. One of the more appropriate ways to do this would be to collect and process personal data from patients through the “legitimate interest” basis (article 6 1.(f)), where processing is necessary for the purposes of the legitimate interests pursued by the controller. This means that the sponsor will have the ability to process personal data without the consent of patients and avoid any subsequent withdrawal of consent. Sponsors would nevertheless need to prove that the processing serves their legitimate interest, which can be quite easy in the context of a clinical trial. Aligning the ICF with the GDPR and local European regulations is therefore paramount for the sponsor.
Cybersecurity or the ability to protect personal data within the sponsor’s IT structure
One of the major impacts the GDPR may have had on sponsors remains relatively unheard of and pertains to cybersecurity. This impact is indirect – by ricochet – as the GDPR does not directly address it and it covers cybersecurity issues.
Through the prerequisites of data governance, the GDPR, especially with the “privacy by default” principle, demands that sponsors evaluate the technical measures implemented to protect personal data. This has revealed that many sponsors do not sufficiently take cybersecurity into account as a major concern in their clinical development. This will, in turn, affect not only personal data but many other areas.
The rise in the yield of health data due to new technologies (AI or dematerialized clinical trials for example) associated with the increased value of health data (health data is considered to be 50 times more valuable on the black market than financial data5 because health data is immutable) has shed a new and dangerous light on clinical development and companies operating in the life sciences sector. While specific data is lacking, the risk of cyberattacks has roughly tripled in the sector in 2020 alone. The US Cybersecurity and Infrastructure Security Agency (CSIA) and the UK’s National Cybersecurity Centre (NCSC) warned that organisations that were working on Covid were being increasingly targeted by cyber-attacks6. These attacks did not only affect big pharmaceutical companies but also small companies, such as biotechs and medtechs. Such companies are particularly sensitive to cyber-attacks because many of them rely on internet connected lab devices to complete experiments, which can be vulnerable to hacks due to their lack of protection7.The massive switch to distance work due to the pandemic has also allowed hackers to hit such structures more easily.
Consequences of such hacks can be high: from a GDPR perspective they result in breaches that need to be assessed and managed within a short period of time (72 hours from the moment the sponsor has been made aware of the event), with vast financial consequences if the leak contains sensitive data, as MSD has recently experienced8. But the consequences go above and beyond just personal data. Cyber hacks may impact biotechs’ IP, as the recent example of Enarabio showed, as well as the whole clinical development (impaired results) and even future capital raising.
All in all, the GDPR has proven to be a suitable doorway to tackle this new cyber risk, as well as an effective manner to mitigate the consequences of hacks. It comes to show that even if the GDPR may seem pretty harmful, it has many known and unknown consequences that sponsors must keep in mind before conducting clinical trials in Europe.