Leverage VeraSafe’s deep experience advising sponsors of EU clinical trials
VeraSafe provides a complete solution to ensure that your clinical trial is conducted in compliance with the EU General Data Protection Regulation (“GDPR”). Through numerous successful GDPR implementations ranging from small single-site phase I trials, to large multi-site phase III trials that involve clinical sites in multiple EU member states, VeraSafe has developed a highly specialized practice at the intersection of clinical trials and the GDPR.
Take the first step now by contacting VeraSafe for a no-obligation quote.
As part of VeraSafe’s expertise in this specialized area of law, our team is highly experienced in steering clinical trials through the requirements of not only the GDPR, but also local EU member-state legislation and regulatory guidance. VeraSafe also has specific expertise in managing the interplay between the GDPR, the EU Clinical Trial Regulation (“CTR”), and Good Clinical Practice guidelines (“GCP”). Rely on our expertise gained serving as the Data Protection Officer for numerous prominent pharmaceutical companies for assurance that your clinical trial will be GDPR compliant.
VeraSafe’s tried and proven project management methodology ensures that we are able to meet tight deadlines and accommodate aggressive study timelines. Your VeraSafe project team will include a qualified project manager who is responsible for managing the overall pace, organization, and efficiency of your compliance project. The project manager has the ability to draw on the resources and expertise of the entire VeraSafe team, when needed, to accelerate the completion of deliverables.
A foundational first step towards GDPR compliance is to develop your organization’s records of personal data processing activities. Article 30 of the GDPR requires study sponsors to maintain accurate records of their data processing activities. VeraSafe will assist your organization in developing these records and implementing internal processes to facilitate ongoing updates of such records.
ICFs are often used as a venue to provide the requisite privacy notice (informally known as a “privacy policy”) to patients, as required by Articles 13 and 14 of the GDPR. These required disclosures can be made within the main body of the ICFs or can be relegated to an appendix or attachment to the ICFs (among other options). VeraSafe can review your ICF templates and revise them, as needed, to ensure compliance with Articles 13 and 14 of the GDPR. VeraSafe is sensitive to the requirement that ICFs be concise and written using plain language to ensure intelligibility by patients.
VeraSafe can tailor ICFs on a country-by-country basis, according to member state guidance and local practice, such as where EU member states vary in their preference in terms of the sponsor’s lawful basis of processing personal data (per Articles 6 and 9 of the GDPR).
As an alternative to using ICFs as a means to provide the requisite privacy notice disclosures to patients, VeraSafe will draft a standalone privacy notice to enable your organization’s compliance with the privacy notice obligations of the GDPR. VeraSafe can review and revise your current patient privacy notice or create a new patient privacy notice for your clinical trial, as needed.
The GDPR requires a written contract to be signed between your organization and each of its vendors that have the technical or physical ability to access clinical trial patient data or personal data of site staff. Such vendors typically include contract research organizations (“CROs”), labs, and cloud software providers, among others. Compliance with this obligation is most frequently accomplished by signing a data processing addendum (“DPA”) with such vendors.
These DPAs must include a number of specific provisions to mandate that the technical and organizational measures by which the vendors secure personal data meet the high standards of the GDPR. VeraSafe will assist your organization in reviewing these vendor contracts and, if necessary, directly support or lead the effort to negotiate and sign a DPA with each of your organization’s relevant vendors.
Much in the same way that your organization must implement DPAs with its vendors, a sponsor must ensure that clinical sites are also subject to a DPA. Data processing addenda can be attached to the clinical trial agreements signed by your clinical sites. The data protection terms contained within these DPAs can be made country-specific, e.g., depending on whether a clinical site is a processor or a controller in that jurisdiction.
In case your clinical trial involves collaboration partners that receive study data (even key-coded data) outside of the European Economic Area (“EEA”), a specialized data transfer agreement may need to be implemented between your organization and the collaboration partner(s). VeraSafe will draft this data transfer agreement and, if necessary, assist your organization in negotiating and signing the agreement with your organization’s collaboration partner(s).
Clinical trials in the EU inevitably involve processing personal health data, which must be archived for an especially long period of time in a clinical trial master file. For these reasons, a Data Protection Impact Assessment (“DPIA”) is typically required under the GDPR as part of a sponsor’s preparation for a clinical trial. In conducting your Data Protection Impact Assessment, VeraSafe will leverage its well-developed methodology and specialized templates specific to DPIAs for clinical trials.
A clinical trial sponsor’s internal policies and procedures typically require some level of revision to help ensure that business operations are aligned to the GDPR. To meet this challenge, VeraSafe has painstakingly developed a library of data protection-related standard operating procedure templates that can be easily customized to fit your particular circumstances. VeraSafe can also refine your existing policies and procedures to embed the requisite GDPR operational requirements into your existing business process documentation.
In practice, a number of patient privacy rights established under the GDPR are effectively limited by countervailing obligations under the EU Clinical Trial Regulation. However, the sponsor must nevertheless ensure that patients have a means to request the exercise of their privacy rights. To comply with this requirement but avoid violating the confidentiality requirements of Good Clinical Practice guidelines, VeraSafe can serve as your organization’s point of contact for patients who wish to exercise privacy rights available to them under the GDPR.
Article 32 of the GDPR establishes a broad requirement for strong data security in pursuit of overall privacy protection. If requested, VeraSafe can review your organization’s IT security policies and procedures against the VeraSafe Privacy Program Certification Criteria, which is a highly actionable set of requirements that merges the GDPR’s risk-based approach with the U.S. National Institute of Standards and Technology’s Cybersecurity Framework for Critical Infrastructure (“NIST CSF”). This data protection standard provides the basis of a high-assurance assessment of compliance with Article 32.
Clinical trial sponsors are typically subject to the GDPR’s requirement to appoint a Data Protection Officer (“DPO”). Appointing VeraSafe as your organization’s DPO is an exceptionally easy and cost-effective approach, which ensures your compliance with this important obligation.
As your DPO, the entire VeraSafe team of privacy experts, in-house attorneys, IT security experts, and project managers will be available as your data protection subject matter experts. Going beyond the compliance activities described above, our team will help monitor your organization’s compliance with the Regulation and proactively identify compliance strategies, opportunities, and risks.
The GDPR requires many organizations that are regulated by the GDPR but that have no physical presence in the EU to appoint an official representative located in the EU for the purpose of responding to the inquiries of European regulatory agencies and data subjects.
By appointing VeraSafe’s European subsidiary as your organization’s official EU representative for data protection, you can rest assured that your organization complies with this often-overlooked requirement.
“VeraSafe has been an invaluable partner to support our data privacy and data protection program at Vigil. They’ve been able to provide deep expertise in support of our global clinical trial activities and are an important part of our team.”
Kevin Durfee, Head of Information Technology
Vigil Neuroscience
“We appointed VeraSafe as our Data Protection Officer to help us comply with data protection rules for our clinical trials in the EU. From the project kickoff, it was clear that we had made the right choice. VeraSafe’s deep knowledge of the regulation of clinical trials and the GDPR was immediately apparent. The advice we received was relevant, appropriate, and practical to implement within our organization and our clinical operations.”
Founder and CEO
Biotech Specializing in Immunotherapy
“VeraSafe’s subject matter expertise in the regulation of clinical trials was relevant to our regulatory submissions and was apparent from the project kickoff and throughout the project. It has been a pleasure working with such professional, highly-qualified, and competent people.”
VP Legal
Leading Oncology-Focused Biopharmaceutical
Track record of successful GDPR implementations across industries.
Work directly with our in-house team of US and European attorneys, IT experts, and project managers.
Strategic, risk-based approach to compliance.
Fully customizable DPO program, tailored to fit your needs.
Holistic approach: We help you identify business opportunities hidden inside the GDPR.
Going beyond just EU privacy law, VeraSafe is your end-to-end partner for the entire privacy and cybersecurity domain.