CRO responsibilities on GDPR compliance – what Sponsors should know

Can a CRO act as Data Protection Officer (DPO) or as Data Protection Representative (DPR) for a clinical trial Sponsor? Should a Sponsor ask the CRO to provide privacy advice? Is the CRO responsible for negotiating privacy clauses and agreements on behalf of a trial Sponsor? These are the most frequently asked questions I receive from clinical trial Sponsors, and the answer to all of them is a sound… NO.

But in order to understand why a CRO cannot act as DPO or DPR, nor be responsible for the Sponsor’s privacy compliance, it is important first to clarify the privacy roles of each party in the scope of research studies.

In this regard, it is well accepted in our industry that the Sponsor of a clinical trial is the Controller of the personal data processed in the scope of the research study, and the CRO is a Processor, acting on behalf of the Sponsor and according to the written instructions provided by the Sponsor regarding personal data processing activities.

On the other hand, it is generally agreed, and aligned with the EDPB Guidelines on the territorial scope of the GDPR, that the CRO cannot act as the Sponsor’s DPO or DPR, due to the conflict of interest that would result from having a service provider (which must comply with the instructions provided by the Controller) representing and advising the Controller on how to comply and on which instructions to give regarding compliance with the applicable privacy laws.

With this in mind, it is also relevant to mention that the fact that some clinical trial obligations are outsourced to CROs does not mean that all obligations and responsibilities are delegated; this is particularly true for privacy responsibilities in the scope of clinical trials, as the GDPR is very clear in imposing direct obligations on both Controllers and Processors.

The EDPB Guidelines on the concept of Controller and Processor clarify that:

“it is not necessary that the controller actually has access to the data that is being processed. Someone who outsources a processing activity and in doing so, has a determinative influence on the purpose and (essential) means of the processing (e.g. by adjusting parameters of a service in such a way that it influences whose personal data shall be processed), is to be regarded as controller even though he or she will never have actual access to the data.”

In this regard, the Sponsors of clinical trials are responsible for complying with the GDPR regarding the processing of personal data and should implement a privacy program that guarantees compliance with applicable laws at every stage of the trial.

The reality is that many Sponsors rely on the CRO, or expect the CRO to fill some privacy advisor capacity, instead of investing in strategies to build a strong privacy program. It is true that many Sponsors are non-EEA/UK based companies and hence have no idea how to comply with EEA/UK laws, but lack of knowledge is no excuse for lack of compliance, so Sponsors should find a way to ensure privacy compliance, in particular when the GDPR is in scope, given the high standards of its application and the high risks of a failure to comply.

For me, training is key: whether it is outsourced or performed by internal resources, Sponsors need to have a clear understanding of their privacy obligations in order to be able to address the risks. On the other hand, appointing a DPO, either internal or external, regardless of the discussions about whether this is a mandatory requirement, would support compliance and would allow companies to implement privacy-by-design strategies that contribute to better awareness within the company.

However, for this privacy compliance support to be effective, it is crucial that whoever provides it has a clear understanding of the company’s business practices and procedures. Combining industry knowledge with privacy expertise is essential for the success of the privacy program.

With this being said, I am not saying that CROs should not collaborate with and support Sponsors in ensuring compliance with applicable privacy laws; they must, and the idea of implementing a strong privacy program applies to CROs as well. But privacy compliance in the scope of scientific research must be seen as a team effort, and both Controller and Processors shall understand their obligations and how best to interact to fulfil trial objectives and compliance goals without jeopardizing study timelines.

In this regard, my advice to Sponsors is to include privacy compliance as a priority in their organizational strategies and to invest in creating internal or external teams able to support business goals while ensuring privacy compliance during all processing operations. Usually, privacy is seen as a nice-to-have service/department, but there is no sustainable growth without compliance, so it is important to change the mindset and elevate privacy compliance to a priority for organizations that necessarily process special categories of personal data (e.g. health data, even if it is key-coded) in the scope of their core activities.

DCA
