Clinical Trial Sponsors - Do you provide GDPR training to your employees?
EU/EEA/UK clinical trial sponsors are generally aware of their GDPR obligations and provide regular privacy training to their employees to improve the compliance status of the organization. It is common, however, to see US pharmaceutical companies conducting clinical trials in the EU/EEA/UK without any proper awareness of the need to provide adequate privacy training to their employees, including the clinical management team.
Often, when it comes to GDPR awareness and compliance, the majority of non-EU/EEA/UK trial sponsors rely on the CRO (contract research organization) to ensure compliance with applicable data protection laws and regulations, completely disregarding their own direct obligations under the GDPR.
To clarify: by conducting clinical trials in the EU/EEA/UK, a non-EU/EEA/UK pharmaceutical company becomes directly subject to the GDPR. The regulation requires the organization to implement appropriate organizational measures, which in practice means training staff in privacy compliance and developing policies and SOPs that guide employees on how to apply the GDPR in their daily activities (art. 24 GDPR).
In addition, art. 25 GDPR requires organizations to implement data protection by design and by default, which means that every processing activity must be understood and assessed for its impact on data subjects' rights and freedoms before it is carried out.
But how can clinical trial sponsors comply with such requirements if they do not implement adequate awareness and privacy training?
1. NON-EU/EEA/UK SPONSORS AND THE EXTRA-TERRITORIAL APPLICATION OF THE GDPR
In order to understand why GDPR training is relevant to non-EU/EEA/UK sponsors of clinical trials, we first need to understand why the GDPR applies to them in the first place.
When a non-EU/EEA/UK organization conducts clinical trials in the EU/EEA/UK, it is directly subject to the GDPR by means of art. 3(2) and is required to apply the regulation to all processing activities carried out in the conduct of the clinical trial.
Under the GDPR, the trial sponsor is a controller and is responsible for the processing of personal data within the scope of the research study; multiple obligations are therefore imposed directly on the sponsor to ensure the protection and confidentiality of patients' records.
2. WHAT OBLIGATIONS ARE IMPOSED BY THE GDPR IN THE SCOPE OF CLINICAL TRIALS?
The list is vast. It ranges from having adequate policies and SOPs and providing privacy training to employees, to implementing security measures to protect personal data (art. 32 GDPR) and assessing service providers that process data on your behalf to ensure they protect it to an equivalent standard (art. 28 GDPR).
Depending on the type of processing activities (here, those within the scope of clinical trials), specific obligations also apply, such as appointing a Data Protection Officer (DPO) under art. 37 GDPR, designating a representative in the EU/EEA/UK under art. 27 GDPR, maintaining a record of processing activities (ROPA, art. 30 GDPR) and performing a data protection impact assessment (DPIA, art. 35 GDPR), among others.
But how would you know any of that if your organization is not trained in privacy compliance?
3. AWARENESS AND TRAINING
Awareness and training programs are important to ensure that privacy is considered in every decision about the processing of personal data. Only when you have a good understanding of the applicability of a law or regulation do you bring compliance into the discussion. Take an example: when you consider performing remote SDR (source data review) and SDV (source data verification) in your clinical trial, you think about the regulatory requirements and expect the CRO to comply with them, but what about the privacy controls? Remote SDR and SDV require privacy controls, among them privacy training for the monitors performing the activities. Many CROs are not aware of this, and so remote monitoring activities are performed without taking into account the privacy concerns raised by the EMA (European Medicines Agency) or by national regulators.
Likewise, how do you ensure that your organization (and the service providers processing data on your behalf) comply with the data minimization principle if you do not have adequate SOPs on the collection of research participants' personal data and on which identifiers must not be collected?
General privacy training
Clinical trial sponsors that process EU/EEA/UK personal data only within the scope of clinical trials must still understand the basics of GDPR compliance, so general privacy training must be provided across the organization. This is the first step towards understanding, for example, why a personal data breach policy or SOP is required, or why an SOP on how to honour data subjects' rights is needed.
Clinical Trials privacy training
General privacy training alone is not enough. Clinical trial procedures are specific and must comply with both the GDPR and applicable national laws and regulations, so general training does not equip an organization to understand the impact of privacy rules on the conduct of a clinical trial. Specific privacy training must therefore be provided to the clinical management team, as well as to the business units responsible for particular processing activities within the trial. For example: the feasibility team needs training on the requirements for collecting investigators' data and on the appropriate lawful basis for that processing; project management needs training on the processing of patient identifiers and on how to handle subject identifiers that must not be collected; and regulatory teams need training on the obligations and privacy requirements relating to the clinical trial protocol and the ICF (informed consent form).
4. CONCLUSION
Awareness programs and privacy training are the first step towards privacy compliance, and they are the first thing authorities will check in an investigation into GDPR violations.
Training is required by the GDPR both directly (as an organizational measure under art. 24 and, where a DPO is appointed, as one of the DPO's tasks under art. 39(1)(b)) and indirectly through the accountability principle, since documented training is a way to demonstrate that the organization has taken privacy seriously and invested in it.
The idea that we can only comply with what we know underlies the requirement to provide privacy training. Combined with the principle that ignorance is no defence against fines for GDPR violations, it shows how important it is to ensure privacy awareness both at the organizational level and within clinical trial activities.
Feel free to reach out if you want to learn more: RD Privacy provides tailored training to address a company's needs in meeting GDPR compliance requirements.