Is Your TMF Ready For GDPR? Part Three: Know Your Responsibilities

Is your TMF ready for GDPR? This is the third and final post of a series examining how the new European Union General Data Protection Regulation could affect your trial master file. See part one and part two which examine the basic roles within GDPR and the foundational rights of data subjects.

Serious Penalties and Extraterritorial Scope

GDPR has gained the attention of the clinical research industry for one cardinal reason: failure to comply with GDPR could result in, “administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”. Turnover, in American accounting terms, equates to 4% of a business’ total revenue. The seriousness of these penalties is an unacceptable risk for any organization.

But GDPR is a European regulation, so why is there so much concern about GDPR expressed by U.S. based companies?

As opposed to the to the current EU privacy law, EU Directive 95/46/EC (which will be superseded by GDPR), the applicability of GDPR to a business depends on the location of the individual whose data is being processed, not the location of the data processing facility itself. Because of this extraterritorial scope many businesses can be subject to the Regulation in indirect ways:

  • An organization could be subject to GDPR if it’s equipment or servers are processing data that tracks behavior or offers goods or services to those in the EU.
  • A website could be subject to GDPR (regardless of where hosted) if available to individuals in the EU.
  • A U.S. based cloud service used by a U.S. based business could be subject GDPR if users within the EU are accessing the service.

Given the global interconnectedness of both the clinical trial industry and the information technologies that support it (especially the eTMF), the interrelationships between organizations can become complicated. The likelihood that any business handling clinical data performs at least some qualifying processing activity on data from the EU is very likely.

Controller’s Responsibility

Assessing the exposure of a business or business process to GDPR will be of the upmost concern to the clinical research industry and those who are responsible for creation and maintenance of a TMF.  Let’s take one quick moment to review the roles of processor, controller, and the action of processing itself:

Controller: ‘alone or jointly determines the purpose and means of processing personal data.’ All pharmaceutical companies and CROs (with few exceptions) would be considered a controller. A vendor who makes decisions about the processing of data could be considered a co-controller depending on their level of independence and executive freedom.

Processor: ‘processes data on behalf of a controller.’ Most clinical vendors and CROs (if not also considered a controller) would be classified as a processor.

Processing: “any operation or set of operations which is performed on personal data… whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Given the central role of data to the clinical trial and TMF, data processing will be found at the center of most clinical activities.

Under GDPR, controllers have significantly more responsibility than under the current Directive. Controllers are required to ‘demonstrate compliance with the principles related to processing of personal data’ (adapted from Article 5):

  • Personal data is processed with fairness and transparency
  • Personal data is collected for a specific purpose
  • Personal data is exposed to the least amount of processing required to achieve the stated purpose
  • Personal data is accurate, contemporaneous, and can be erased expediently
  • Personal data is subject to ‘pseudonymization’ as soon as the intended processing is complete (or immediately if possible). This will be discussed below.
  • Personal data is processed in a secure manner

Responsibility for Processors

We’ve already discussed some of the patient-facing outcomes of GDPR: the need for more in-depth informed consent, greater communication and foresight about the future use of data, and the need to produce or erase data on demand and on an accelerated timeline. Beyond these patient-facing considerations, however, GDPR impacts the key relationships operating behind-the-scenes of a trial: the relationship between processor and controller. GDPR goes into great detail outlining the nature of a compliant relationship between controller and processor. Although the full scope of GDPR’s requirements for the management of controllers is well beyond the scope of this blog post (see Articles 24-43), the most important shift is the significantly increased burden of responsibility that controllers have for their processors:

  • GDPR is completely unambiguous: controllers are fully responsible for their processors: “the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”
  • As a result of this newfound responsibility, processors are must provide their controllers with greater transparency and are strictly bound to the controller’s instructions, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”.
  • Controllers must also conduct risk assessment activities and are responsible for implementing validated technical safeguards.
  • Controllers and processors are also required to report breaches (or other potential misconduct) to regulators in the event such an event is observed.

Although the implications are extensive, the reality is simple: controllers are responsible for their processors and must take a supervisory role. For clinical research and the TMF, this means vendors should be selected with stringent standards. The vendor management process will also be more complicated due to the requirement of greater transparency, greater oversight needed over life of the study, and the need to fully map out the flow of data between vendors (and sub-vendors).

Key Concepts: Pseudonymization and the Data Protection Officer

In addition to the responsibilities of the controller and processor, there are two key GDPR concepts that are central to the regulation and certain to impact clinical research and the trial master file:

Pseudonymization: GDPR provides great incentive to data controllers and processors to remove direct identifiers from data as quickly as possible. GDPR, “does not relate to an identified or identifiable natural person or to data rendered anonymous in such a way that the data subject is no longer identifiable.” According to GDPR, pseudonymization is the act of, “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately.” This means that if data can no longer be linked to a specific data subject, it is subject to less regulatory scrutiny. This does not mean the data must become anonymous, just that the link between subject and data is broken without the use of a separately guarded ‘key’. This pseudonymization concept is already employed in clinical research, with the use of subject numbers or initials to ensure that the patients’ identity is only available at the trial site or for urgent safety reasons. Enhanced use of pseudonymization will be a key tool that can be leveraged to keep researchers and their TMFs GDPR compliant.

The Data Protection Officer: The implementation of GDPR means you may have a new coworker in the office. According to Article 37 of GDPR, a, “controller and… processor shall designate a data protection officer” in any case where data is processed for a public authority, data may require regular or systematic processing, or in the case of large scale processing. Although early drafts of GDPR had an exception for small companies, this exception has not been carried through to the final version that will go live in May. GDPR does not establish qualifications for this individual but does stipulate the data protection officer should be an expert. The data protection officer is responsible for advising and monitoring compliance at an organization and should be given supervisory authority. Additionally, the data protection officer has several noteworthy rights: most importantly that they are protected from dismissal and retaliation and must be given independent access to data.

Final Considerations

We understand that GDPR presents a serious challenge to every clinical research organization and every trial master file. Although the steps your organization and TMF stakeholders must take will vary depend on your circumstances, let’s review the key takeaways of GDPR:

  1. GDPR is coming May 25th. Even if your organization does not have an office in the EU, chances are your organization is subject to the Regulation. The penalties for noncompliance are severe: no business can afford to ignore GDPR.
  2. The first step of GDPR compliance is taking the time to map how data flows through your organization and having a firm grasp on what roles within GDPR your staff and customers/subjects/associates fill.
  3. The patient-centered focus of clinical research brings your organization one step closer to GDPR compliance than other industries. Practices like pseudonymization and well-documented informed consent are also critical to GDPR. It is, however, important to recognize that although there are parallels between the principles of GDPR and of ethical clinical research, their can be subtle differences.
  4. GDPR will affect your bottom line and workload. Expect to devote more time and resources to vendor selection and management, to increase the breadth and frequency of quality control activities, and to require additional skilled staff (including a data protection officer).
  5. Expect your TMF to play a key role in documenting GDPR compliance.

Ultimately, when in doubt, return to the fundamental rights of data subjects and responsibilities of data controllers. These basic rights and responsibilities are the foundation of the Regulation and the nucleus from which all compliant action stems.