Understanding Data Mapping and Data Flow

  • Data Mapping: This is the process of identifying, recording, organizing, and structuring the types of personal data collected by an entity. It's a form of introspection to understand the core processes of services or activities, crucial for clinical trials to manage patient and research data effectively.
  • Data Flow: Complements data mapping by visually representing how data is accessed and transferred between entities. It's essential for understanding the lifecycle of data within a clinical trial, including how it's collected, stored, processed, and shared.

Regulatory Guidance on Data Mapping and Flows

The GDPR does not explicitly require entities to undertake data mapping or to illustrate their data flows directly. However, it introduces several indirect mandates that effectively necessitate these actions to ensure compliance. For instance:

  • Article 30 of the GDPR mandates that organizations keep detailed and up-to-date records of their data processing activities. Data maps play a critical role here, enabling organizations to document the processing, storage, and transfer of personal data comprehensively. Such thorough data mapping aids in creating accurate Records of Processing Activities (RoPAs), which are instrumental in demonstrating compliance.
  • The principles of data minimization, accuracy, purpose limitation, and storage limitation highlighted by the GDPR can be effectively addressed through a detailed data mapping exercise. This process ensures that organizations adhere to these core principles by having a clear understanding of the data they handle.
  • For processes that pose a high risk to the rights and freedoms of data subjects, the GDPR mandates the execution of Data Protection Impact Assessments (DPIAs). A well-conducted data mapping exercise is foundational for DPIAs and Privacy Impact Assessments (PIAs), often incorporating data flow diagrams to illustrate the processing involved.
  • Implicitly, the effectiveness of these activities is contingent upon an organization's understanding of data trajectories and access permissions. Thus, data flow mapping becomes an indispensable counterpart to data mapping, providing a comprehensive view of data movement and access within an organization.

Challenges in Clinical Trials

Data mapping is relatively straightforward for organizations handling their internal data. However, for clinical trial sponsors who outsource many of their functions to external parties, the process becomes considerably more complex. The loss of direct control and a diminished understanding of data handling are significant challenges in these cases. This complexity often leads to a lack of clarity regarding who has access to what data and when. Misunderstandings can arise between sponsors and their vendors regarding the scope and nature of data being processed. For instance, there might be confusion about whether a biosimulation company is receiving unredacted data, leading to discrepancies in data handling expectations.

Consider a typical scenario in a clinical trial: A US-based sponsor is expanding its trial sites to Austria, Germany, Switzerland, Spain, and the UK. To manage this expansion, the sponsor contracts with a Contract Research Organization (CRO) to centralize the study's database. Because the study focuses on a specific oncology pathology, the sponsor also engages various specialized vendors for different roles, including data management & analysis, ECG, pharmacokinetics, EDC (Electronic Data Capture), central laboratory, CRO, and safety monitoring.

Each vendor receives data from the clinical sites or other vendors in various formats, which may be coded (pseudonymized, with the identification key held elsewhere) or decoded (directly identifying). Some may handle biological samples, others may deal with imaging data, and some may process real-world data. The data flow is complex, often non-linear, and involves multiple bilateral exchanges. For example, a pharmacokinetics vendor might receive data from the CRO, which in turn has received data from the central laboratory. This multifaceted data exchange underscores the intricacies of managing data flow in outsourced clinical trial environments.

Key Considerations for Effective Data Mapping and Data Flow Analysis

To ensure a thorough data mapping and data flow analysis, several critical aspects need to be addressed:

  • Types of Data Being Processed: It's essential to identify the various kinds of data involved in the process and their respective categories. In clinical trials, this may include a wide range of personal data, from patient pseudonyms and investigator CVs to detailed health data such as biological samples, blood tests, gender information, and medical imagery. Understanding the full spectrum of data and which vendor handles each type is crucial.
  • Data Storage Formats: Determining the formats in which data is stored is another vital step. This could encompass a variety of formats, including hard copies, digital files, databases, and data stored on personal or mobile devices.
  • Data Collection and Transfer Methods: It's important to clarify how data is collected and transferred among parties. In clinical trials, data collection often occurs through Case Report Forms (CRFs) and is then shared with various stakeholders via different methods, such as Secure File Transfer Protocol (SFTP) channels.
  • Geographical and Regulatory Considerations: Identifying the locations involved in the data flow, including where data is stored (e.g., office locations, cloud services, third-party locations) and any specific regulatory requirements that dictate how and where data must be hosted, is essential. An example includes health data hosting obligations in certain jurisdictions, like the Health Data Hosting (HDS) certification in France.
  • Accountability for Data: Establishing who is responsible for the personal data at each stage of its lifecycle is critical. Accountability may shift as data moves through an organization, necessitating a clear data access policy to manage and monitor responsibility effectively.
  • Data Access: Determining who has access to the data is particularly challenging in environments where clinical activities are outsourced. Given the complex and often bilateral nature of data flows in such scenarios, it is imperative to map out data access comprehensively, ensuring that only authorized entities can access sensitive information.

Impact of Data Mapping on Compliance and Regulatory Interactions

While regulations like the GDPR do not explicitly require the creation of a data mapping document solely for its own sake, such documentation proves invaluable across various facets of compliance programs. Here’s how:

  • During Contractual Agreements: Effective data mapping, as detailed previously, is instrumental in accurately completing the Standard Contractual Clauses (SCCs), especially for data transfers outside the EU. It enables both data controllers and processors to specify the types of data being transferred and the purposes of such processing with precision.
  • For Data Protection Impact Assessments (DPIAs): DPIAs, which are crucial for assessing the impact of data processing activities on data protection in clinical or safety operations, benefit significantly from incorporating data flow analyses. This inclusion, often found in DPIA templates (like those from CNIL), brings clarity to the process, particularly for teams that contribute remotely to risk analysis efforts.
  • Interaction with Regulatory Authorities: Interestingly, regulatory bodies such as the FDA or EMA sometimes request data mapping documentation during their review of submitted materials. This requirement helps these authorities gain a comprehensive view of a clinical trial’s setup, facilitating a better understanding of the trial’s data management practices.

In essence, although not directly mandated, data mapping serves as a cornerstone for meeting contractual obligations, conducting thorough DPIAs, and satisfying regulatory authority inquiries, thereby underscoring its significance in the broader context of data protection and compliance.

Optimal Approach for Data Mapping and Flow Analysis

Creating a comprehensive data mapping and flow document is a detailed and time-consuming task that necessitates a collaborative effort from various teams within an organization, including Quality Assurance, Regulatory Affairs, Operations, Data Management, and Compliance. The recommended strategy involves starting with the identification of investigational sites and tracing the process back to the Contract Research Organization (CRO), ensuring that the previously mentioned six critical questions regarding each instance of data transfer and access are thoroughly addressed. It's crucial to avoid settling for vague or imprecise responses, as inaccuracies can have a domino effect on different aspects of your compliance framework. Utilizing the information gathered from these inquiries, the compliance officer can begin to compile the Record of Processing Activities, construct the data flow diagrams, and, if necessary, initiate the Data Protection Impact Assessment (DPIA) process.
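The six questions listed under "Key Considerations" and the site-to-CRO tracing described above can be captured in a small data model that a compliance officer could query. The following Python script is an added example, not the article's or any vendor's tooling: every party, country, transfer and field value in it is constructed sample data, and the set of jurisdictions treated as needing no transfer safeguard is an assumption of the example. It records one entry per hop with the six attributes, flags hops where a question is unanswered or a transfer leaves the protected area without a recorded safeguard, traces which upstream parties' data can reach a given vendor through a non-linear flow, and collapses the hop-level map into one Article 30-style row per recipient.

```python
"""Toy data-flow map for an outsourced clinical trial (added example).

Each Transfer records the six questions from the article: data types, storage
format, collection/transfer method, locations (via the parties), accountability
and access. All parties, countries and transfers below are constructed samples.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption for this example: jurisdictions treated as needing no transfer
# safeguard (EEA members plus countries holding an EU adequacy decision).
EEA_OR_ADEQUATE = {"AT", "DE", "ES", "FR", "CH", "UK"}


@dataclass(frozen=True)
class Party:
    name: str
    role: str       # "controller" or "processor"
    country: str    # ISO 3166-1 alpha-2 code of where the data is hosted (Q4)


@dataclass
class Transfer:
    source: Party
    recipient: Party
    data_types: tuple     # Q1: categories of personal data on this hop
    coded: bool           # True = pseudonymised (coded), False = directly identifying
    storage_format: str   # Q2: e.g. "EDC database", "SAS datasets", "hard copy"
    method: str           # Q3: e.g. "CRF", "SFTP", "EDC upload"
    accountable: str      # Q5: who answers for the data at this hop
    access: tuple         # Q6: roles permitted to read it
    safeguard: str = ""   # e.g. "SCC" when the recipient is outside the protected area


def needs_safeguard(t: Transfer) -> bool:
    """True when the recipient hosts the data outside the protected area."""
    return t.recipient.country not in EEA_OR_ADEQUATE


def find_gaps(transfers):
    """Return findings for hops that are incompletely or riskily described."""
    findings = []
    for t in transfers:
        hop = f"{t.source.name} -> {t.recipient.name}"
        for question, value in (("data types", t.data_types),
                                ("storage format", t.storage_format),
                                ("transfer method", t.method),
                                ("accountability", t.accountable),
                                ("access", t.access)):
            if not value:
                findings.append(f"{hop}: {question} unanswered")
        if needs_safeguard(t) and not t.safeguard:
            findings.append(f"{hop}: transfer to {t.recipient.country} without safeguard")
        if not t.coded and t.recipient.role == "processor":
            findings.append(f"{hop}: identifying (decoded) data sent to a processor")
    return findings


def upstream_sources(transfers, party_name):
    """Every party whose data can reach `party_name`, following hops backwards.
    The visited set keeps bilateral (cyclic) flows from looping."""
    inbound = defaultdict(set)
    for t in transfers:
        inbound[t.recipient.name].add(t.source.name)
    seen, stack = set(), [party_name]
    while stack:
        for src in inbound[stack.pop()]:
            if src not in seen and src != party_name:
                seen.add(src)
                stack.append(src)
    return sorted(seen)


def build_ropa(transfers):
    """Collapse the hop-level map into one Article 30-style row per recipient."""
    rows = {}
    for t in transfers:
        row = rows.setdefault(t.recipient.name, {
            "role": t.recipient.role, "hosted_in": t.recipient.country,
            "data_categories": set(), "sources": set(), "third_country": False})
        row["data_categories"].update(t.data_types)
        row["sources"].add(t.source.name)
        row["third_country"] = row["third_country"] or needs_safeguard(t)
    return rows


# Constructed sample flow: one site, a CRO, a central lab, a PK vendor, a US sponsor.
SITE_AT = Party("Site Vienna", "controller", "AT")
CRO = Party("CRO", "processor", "FR")
LAB = Party("Central lab", "processor", "DE")
PK = Party("PK vendor", "processor", "ES")
SPONSOR = Party("Sponsor", "controller", "US")

SAMPLE_FLOW = [
    Transfer(SITE_AT, CRO, ("eCRF data", "patient ID"), True, "EDC database",
             "EDC upload", "CRO data manager", ("CRO DM", "monitors")),
    Transfer(SITE_AT, LAB, ("blood samples",), True, "LIMS",
             "courier + SFTP", "Lab QA lead", ("lab analysts",)),
    Transfer(LAB, CRO, ("blood test results",), True, "EDC database",
             "SFTP", "CRO data manager", ("CRO DM",)),
    # accountability deliberately left blank: a vague answer the review should catch
    Transfer(CRO, PK, ("blood test results", "dosing times"), True, "SAS datasets",
             "SFTP", "", ("PK scientists",)),
    # recipient hosted in the US with no SCC recorded on the hop
    Transfer(CRO, SPONSOR, ("eCRF data", "blood test results"), True, "SAS datasets",
             "SFTP", "Sponsor DPO", ("biostatistics",)),
]

if __name__ == "__main__":
    for finding in find_gaps(SAMPLE_FLOW):
        print("GAP:", finding)
    print("Data reaching PK vendor originates from:", upstream_sources(SAMPLE_FLOW, "PK vendor"))
    for name, row in build_ropa(SAMPLE_FLOW).items():
        print(name, row)
```

Run as written, the gap check reports the blank accountability on the CRO-to-PK hop and the unsafeguarded US transfer, and the upstream trace for the PK vendor returns the CRO, the central lab and the site, which is exactly the non-linear chain the article describes. The same structure scales to the full vendor list by adding parties and hops; the answers to the six questions then feed the RoPA and data flow diagram directly.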

Recommended Tools and Practices for Effective Data Management

Through practical experience, we have pinpointed several tools and methodologies beneficial for this type of work:

  • For Data Flow Visualization: Figma serves as an excellent tool for creating visual representations of data flows.
  • For Data Mapping: The CNIL’s Excel template is a valuable resource for compiling Records of Processing Activities (RoPAs).
  • For Stakeholder Engagement: It's advisable to record meetings conducted via platforms like Teams or Zoom, especially since discussions on these topics tend to be complex and detailed.
  • Regular Review and Update: Implementing a routine, such as a quarterly review, ensures that your data management practices remain current and accurately reflect any changes in personnel, vendors, or sites.
  • Acknowledging Dynamics: Given the ever-evolving nature of projects, with frequent changes in employees, vendors, and operational sites, maintaining an up-to-date representation of these changes is crucial for accurate data management and compliance.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
