How to manage data protection policies/ SOPs and contract review in clinical trials?
January 25th, 2024
In the dynamic and highly regulated field of clinical trials, effective management of Standard Operating Procedures (SOPs) and meticulous contract reviews are crucial for ensuring compliance, maintaining quality, and fostering innovation. In this regard, the EU General Data Protection Regulation (GDPR) aims to protect personal data and guarantee respect for individuals’ rights and freedoms.
The GDPR applies to both organizations processing personal data within the European Union (EU) and the European Economic Area (EEA), and those located outside the EU/EEA but handling personal data of European citizens. Organizations falling within the GDPR’s scope must put in place appropriate technical and organizational measures to ensure that, by design and default, such personal data is adequately protected against unauthorised use (Art 25 GDPR).
This communication explores key strategies to ensure that data protection and privacy within such organizations is adequately considered within the context of clinical trials. The key strategies in focus are the data protection policies, SOPs and contractual agreements.
Data Protection policies and SOPs are one of the key elements to ensure data protection by design and default.
The Life Science industry is highly regulated, and SOPs help companies to comply with relevant requirements by ensuring consistent performance. This is important since non-compliance can result in monetary penalties, recalls, or legal action.
Article 25 of the GDPR outlines the obligations concerning data protection by design and by default. That said, GDPR does not provide clear instructions as to how companies must ensure this requirement. Arguably, implementing appropriate data protection SOPs and accurate data protection agreements are both key elements within organizations’ repertoire of compliance strategies.
The main objective of an SOP is to ensure that tasks are performed consistently and correctly. In turn, this can be highly beneficial for companies specialized in life sciences.
When processing health data during a clinical trial, it is important to avoid or mitigate the risks of personal data breaches.
This threat is exacerbated by the numerous stakeholders involved in a clinical trial life-cycle: CROs, laboratories, medical writers, pharmacovigilance services, etc. Moreover, personal data breaches may cause a ripple effect which further disrupts internal processes, causes delays and overall negatively impacts study subjects.
Notably, under the GDPR, organizations can be held liable for a personal data breach. Data breaches are a real threat that every organization must account for. According to a Ponemon Institute and RiskRecon study, between 2021 and 2022, 54% of surveyed organizations suffered a data breach caused by a third party. Also, the European Union Agency for Cybersecurity (ENISA) issued a report revealing that ransomware in the healthcare sector accounts for 54% of cybersecurity threats.
But how can you prepare for this threat, and what else does the GDPR say about third-party security practices? It is imperative to implement a data breach SOP that guides companies’ employees in case of an incident. Additionally, all stakeholders involved in a clinical trial should know what to do and whom to inform, should a data breach occur. These instructions should be clearly stated in the contracts.
Prioritize risk-based contract reviews
Besides SOPs, contractual agreements regulating data protection and GDPR are important. Organizations consistently share personal data with third parties, but can those parties be trusted and are the data transfers performed securely? Therefore, contracts should be reviewed thoroughly and include the following pertinent information:
- Role qualification (controller, joint or independent controllers, processor) of parties involved in the processing of personal data.
- Data Protection Agreement (DPA).
- All the responsibilities of each party are clearly defined in the DPA, depending on the qualified role (controller, joint controller, processor).
- Who handles data breaches and performs notification to Data Protection Authorities (in case it is needed).
- Who replies to data subject requests?
- Description of technical and organizational measures to guarantee the protection of data by service providers (processors).
- Location of parties: are they located within or outside the EEA?
- If a party is located outside the EEA, is that country an adequate country?
- Are transfers of personal data to non-adequate countries covered?
Cross-functional contract review by lawyers and experts in clinical trials is an optimal solution.
The necessity of a cross-functional team within contract reviews should not be underestimated. In order to ensure a thorough and holistic review of such contracts, it is necessary to involve various functions, including legal, DPOs and operational experts within the clinical trials sector. This collaborative approach ensures that contracts are assessed from multiple perspectives, reducing the likelihood of oversights.
The GDPR requires companies to implement appropriate technical and organizational measures which ensure data protection principles and safeguard individuals’ rights and freedoms. SOPs and contract reviews are part of the key elements required to ensure ‘data protection by design and by default’.
In essence, this means organizations must integrate or ‘bake in’ data protection into their processing activities and core business practices, throughout the entire life-cycle of any project which processes personal data (from design, during conduct and archival). This is not a novel concept. Previously known as ‘privacy by design’, it had always been part of data protection law. The key change with the GDPR is that it is now a legal requirement. Data protection by design is about considering data protection and privacy issues upfront in all the processing activities of a company. It can help companies ensure compliance with the GDPR and demonstrate accountability (Art. 5 GDPR).