Is it necessary to submit a DPIA to Regulatory Authorities for Clinical Studies in the EU? An Overview of the Requirements in France, Ireland, and Spain
Clinical trial sponsors are required to fulfill different regulatory submission obligations in different Member States within the European Economic Area (EEA).1 This is especially true for the requirement to carry out a Data Protection Impact Assessment (DPIA) before: (a) submitting a jurisdiction-specific application for health research authorization; (b) submitting a research application to an ethics committee; or (c) kicking off a clinical trial.
What Is a DPIA?
A DPIA is a helpful, and often mandatory, assessment that data controllers perform to identify and guide the mitigation of privacy risks posed by certain data processing activities. This can be relevant in the context of a clinical trial where substantial volumes of sensitive personal data of clinical trial participants (such as health, genetic, and biometric data) are processed before, during, and after the clinical trial.
Additionally, the conduct of a DPIA can demonstrate compliance with the EU General Data Protection Regulation (the GDPR) given that the requirement to conduct a DPIA stems from Article 35 of the GDPR and forms an integral part of the GDPR’s accountability obligations. According to Article 35, a DPIA is mandatory when the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. A similar requirement exists in other privacy laws, including the laws of certain states in the U.S.
An Overview of the Requirements Set Out By France’s CNIL, Ireland’s NREC, and Spain’s AEPD/Farmaindustria
France’s data protection supervisory authority, the Commission Nationale Informatique & Libertés (CNIL), Ireland’s National Office for Research Ethics Committees (NREC), and Spain’s national trade association of the pharmaceutical industry, have differing guidelines on DPIA requirements for clinical trials.
The CNIL, issued recent guidance that expands upon the formalities required for the submission of an application for the authorization of health research. The position taken by the CNIL is that, as a general rule, the processing of personal data that requires authorization by the CNIL, such as that required for the conduct of a clinical trial, requires that a DPIA be carried out.
The CNIL recommends carrying out a DPIA before filing the application for the authorization of health research, and include it in the application. If the organization does not provide the DPIA, the CNIL can request the DPIA during its examination of the application. The CNIL does allow for exceptions to the requirement to carry out a DPIA. In cases where a DPIA is not deemed necessary by the clinical trial sponsor, the sponsor must provide a justification for why it is not needed in their authorization application to the CNIL.
The CNIL offers controllers an open source software tool to assist in the completion of DPIAs in accordance with the CNIL’s DPIA methodology, as well as DPIA templates. The language used by the CNIL in relation to such tools and templates implies that their use is optional, and the DPIA templates stress that the templates act as an aid which may be adapted to each particular context. However, as noted above, it is important to keep in mind that the CNIL has published its own DPIA methodology and it would be prudent to incorporate this into the sponsor’s DPIA templates if the CNIL’s templates are not being used. Although it does not appear to be mandatory for the DPIA to be submitted with the authorization application, it is advisable that a DPIA be carried out prior to submission of the authorization application and remain on hand so that sponsors can demonstrate compliance with the CNIL’s DPIA methodology, and be able to promptly submit the DPIA if it is requested by the CNIL.
If your company is involved in a clinical trial in Ireland, it’s important to be aware of the guidance issued by the NREC on data protection for research purposes for applicants. In most cases, the conduct of a clinical trial will require a DPIA according to this guidance because of the processing of health data implicit in the conduct of a clinical trial.
The NREC requires that DPIAs be submitted with the research application for review by the ethics committee, but applicants can submit a statement explaining why a DPIA is not required.
The NREC requires that the DPIA be completed by the controller and reviewed by its Data Protection Officer (DPO). The advice of the DPO must be clearly recorded as part of the DPIA. Where a controller has not appointed a DPO, the DPIA is to be reviewed by “a person with the equivalent role and responsibilities to a DPO”.
Additionally, if a controller is situated outside of Ireland, the NREC recommends that the DPO of the lead Irish-based study site be given the opportunity to review and provide comments on the DPIA.
The NREC has confirmed that it will not issue a DPIA template but will rather accept submissions using the applicant’s DPIA template. The data protection authority of Ireland, the Data Protection Commission, has not published a DPIA template either. However, it has published a Guide to DPIAs, which details the requirements for a DPIA.
Spain’s AEPD and Farmaindustria
Spain’s national trade association of the pharmaceutical industry, Farmaindustria, issued a Code of Conduct Regulating the Processing of Personal Data (the Code), which was approved by the data protection authority of Spain, the Agencia Española de Protección de Datos (AEPD). The Code requires the completion of a DPIA before the start of a clinical trial, with the option to perform a single DPIA for all of the clinical trials conducted by the clinical trial sponsor.
While the Code is silent on the submission of the DPIA to the AEPD, as with France, it is advisable to have one on hand to demonstrate compliance with the Code and Spain’s data protection framework in general.
The Code specifies that the study site and the clinical trial sponsor (with the involvement of their DPOs) must complete a DPIA where they specify their respective processing activities.
Additionally, the Code requires that the clinical trial sponsor’s DPIA include a specific analysis of the coding process that will be used to pseudonymize patient data, with a focus on the risks and consequences of the unauthorised reversal of the coding. It is left up to the study site and clinical trial sponsor to each establish a methodology for carrying out their respective DPIAs that covers the required aspects mentioned in the Code. The methodology may be based on published and approved methodologies by supervisory authorities.
The AEPD has published a DPIA template (which may be adapted as necessary), Risk Management and DPIA Guide, DPIA Checklist, and an “Evaluate-Risk GDPR” tool which helps with, amongst other things, the identification of risks to the rights and freedoms of individuals. Although not explicitly mandatory, the AEPD’s DPIA template is noted by the AEPD as containing the minimum chapters and sections that must appear in a DPIA, with the aim of helping controllers comply with the GDPR.
What is the Position of Other Data Protection Authorities Across the EEA?
Data protection authorities across the EEA generally require the completion of DPIAs for the large-scale processing of health, biometric, and genetic data, which is often implicit in clinical trials.
Although not all the data protection authorities provide clarity on whether DPIAs must be filed with the relevant regulatory authorities, it is generally required that the DPIA be completed before the processing activity in question takes place (in other words, before the clinical trial starts).
How to Prepare Your Organization to Be Compliant with the DPIA Requirements
To proactively comply with the DPIA requirements and demonstrate an overall compliant privacy posture, an organization should identify where its data lives and how it’s used, protected, and shared. Data mapping is a way to comply with the requirements related to the maintenance of records of processing activities as set out in Article 30 of the GDPR. For more information on the requirements and nuances of Article 30, please see this blog post published by VeraSafe. Accurate data mapping allows DPIA preparers to quickly source the necessary information from a comprehensive inventory of processing activities.
The Role of the DPO
As is evident from the discussion of jurisdictions such as Ireland and Spain, your DPO’s involvement in the preparation of DPIAs is not only often required in certain jurisdictions, but also crucial. It is also mandated by Article 39 of the GDPR. DPOs are required to have specialized knowledge of data protection law and understand your data processing activities to be able to provide invaluable input on how best to align your DPIA with jurisdiction-specific requirements across the EEA. This should be kept in mind when you appoint a DPO for your organization.
How We Can Help You
VeraSafe has assisted many dozens of clients in the Life Sciences industry, including clinical trial sponsors and CROs, in complying with the GDPR. We offer bespoke data mapping services, considering not only compliance with the GDPR’s records of processing requirements, but also understanding the utility of a complete and current data map in the efficient completion of a DPIA, specifically when a clinical trial sponsor wishes to conduct multi-jurisdictional clinical trials.
We can also help you complete DPIAs for your clinical trials, using either the mandated jurisdiction-specific templates issued by regulatory authorities or VeraSafe’s own industry-standard DPIA templates. VeraSafe also offers DPO services and serves as DPO for numerous prominent Life Sciences companies.
If you have any questions regarding DPIAs and clinical trial submissions, or if you would like assistance with kickstarting or improving your organization’s overall GDPR compliance, VeraSafe is here to help. Click here to read more about our comprehensive GDPR compliance services relating to clinical trials.
The EEA includes EU countries as well as Iceland, Liechtenstein, and Norway.