GDPR Compliance Services for Clinical Trials

A foundational first step towards GDPR compliance is to develop your organization’s records of personal data processing activities. Article 30 of the GDPR requires study sponsors to maintain accurate records of their data processing activities. VeraSafe will assist your organization in developing these records and implementing internal processes to facilitate ongoing updates of such records.

ICFs are often used as a venue to provide the requisite privacy notice (informally known as a “privacy policy”) to patients, as required by Articles 13 and 14 of the GDPR. These required disclosures can be made within the main body of the ICFs or can be relegated to an appendix or attachment to the ICFs (among other options). VeraSafe can review your ICF templates and revise them, as needed, to ensure compliance with Articles 13 and 14 of the GDPR. VeraSafe is sensitive to the requirement that ICFs be concise and written using plain language to ensure intelligibility by patients.

VeraSafe can tailor ICFs on a country-by-country basis, according to member state guidance and local practice, such as where EU member states vary in their preference in terms of the sponsor’s lawful basis of processing personal data (per Articles 6 and 9 of the GDPR).

As an alternative to using ICFs as a means to provide the requisite privacy notice disclosures to patients, VeraSafe will draft a standalone privacy notice to enable your organization’s compliance with the privacy notice obligations of the GDPR. VeraSafe can review and revise your current patient privacy notice or create a new patient privacy notice for your clinical trial, as needed.

The GDPR requires a written contract to be signed between your organization and each of its vendors that have the technical or physical ability to access clinical trial patient data or personal data of site staff. Such vendors typically include contract research organizations (“CROs”), labs, and cloud software providers, among others. Compliance with this obligation is most frequently accomplished by signing a data processing addendum (“DPA”) with such vendors.

These DPAs must include a number of specific provisions to mandate that the technical and organizational measures by which the vendors secure personal data meet the high standards of the GDPR. VeraSafe will assist your organization in reviewing these vendor contracts and, if necessary, directly support or lead the effort to negotiate and sign a DPA with each of your organization’s relevant vendors.

Much in the same way that your organization must implement DPAs with its vendors, a sponsor must ensure that clinical sites also are subject to a DPA. Data processing addenda can be attached to your clinical trial agreements that are signed by your clinical sites. The data protection terms contained within these DPAs can be made country-specific, e.g., depending on whether a clinical site is a processor or a controller in that jurisdiction.

In case your clinical trial involves collaboration partners that receive study data (even key-coded data) outside of the European Economic Area (“EEA”), a specialized data transfer agreement may need to be implemented between your organization and the collaboration partner(s). VeraSafe will draft this data transfer agreement and, if necessary, assist your organization in negotiating and signing the agreement with your organization’s collaboration partner(s).

Clinical trials in the EU inevitably involve processing personal health data, which must be archived for an especially long period of time in a clinical trial master file. For these reasons, a Data Protection Impact Assessment (“DPIA”) is typically required under the GDPR as part of a sponsor’s preparation for a clinical trial. In conducting your Data Protection Impact Assessment, VeraSafe will leverage its well-developed methodology and specialized templates specific to DPIAs for clinical trials.

A clinical trial sponsor’s internal policies and procedures typically require some level of revision to help ensure that business operations are aligned to the GDPR. To meet this challenge, VeraSafe has painstakingly developed a library of data protection-related standard operating procedure templates that can be easily customized to fit your particular circumstances. VeraSafe can also refine your existing policies and procedures to embed the requisite GDPR operational requirements into your existing business process documentation.

In practice, a number of patient privacy rights established under the GDPR are effectively limited by countervailing obligations under the EU Clinical Trial Regulation. However, the sponsor must nevertheless ensure that patients have a means to request the exercise of their privacy rights. To comply with this requirement but avoid violating the confidentiality requirements of Good Clinical Practice guidelines, VeraSafe can serve as your organization’s point of contact for patients who wish to exercise privacy rights available to them under the GDPR.

Article 32 of the GDPR establishes a broad requirement for strong data security in pursuit of overall privacy protection. If requested, VeraSafe can review your organization’s IT security policies and procedures against the VeraSafe Privacy Program Certification Criteria, which is a highly actionable set of requirements that merges the GDPR’s risk-based approach with the U.S. National Institute of Standards and Technology’s Cybersecurity Framework for Critical Infrastructure (“NIST CSF”). This data protection standard provides the basis of a high-assurance assessment of compliance with Article 32.

Clinical trial sponsors are typically subject to the GDPR’s requirement to appoint a Data Protection Officer (“DPO”). Appointing VeraSafe as your organization’s DPO is an exceptionally easy and cost-effective approach, which ensures your compliance with this important obligation.

As your DPO, the entire VeraSafe team of privacy experts, in-house attorneys, IT security experts, and project managers will be available as your data protection subject matter experts. Going beyond the compliance activities described above, our team will help monitor your organization’s compliance with the Regulation and proactively identify compliance strategies, opportunities, and risks.

The GDPR requires many organizations that are regulated by the GDPR but that have no physical presence in the EU to appoint an official representative located in the EU for the purpose of responding to the inquiries of European regulatory agencies and data subjects.

By appointing VeraSafe’s European subsidiary as your organization’s official EU representative for data protection, you can rest assured that your organization complies with this often-overlooked requirement.