Tamsyn Frost (IDEA Regulatory) and Xavier Gobert (MyData-Trust)
New laws and regulations present challenges to all businesses, but the way they impact clinical trials is especially complex. When the GDPR was introduced in 2018, it was designed with broad data protection in mind, but these requirements don’t apply neatly to clinical trials.
The GDPR states that organisations cannot process sensitive data, albeit with some exceptions. However, by their very nature, clinical trials involve highly sensitive data – an individual’s health data – which means sponsors, investigators and CROs must manage multiple conditions and parameters to legally process that data.
The responsibility for the sponsor is immense. They must align their policies and SOPs with the GDPR and ensure control of how the data is processed. While the sponsor can delegate the task of data compliance to a third party, ultimately they are responsible, so it’s imperative they have a clear understanding of activities involved, and an experienced data protection officer (DPO) to ensure compliance with the regulation.
The GDPR also has a profound effect on service providers, which must align their services with the sponsors in terms of GDPR implementation. The regulation allows CROs and sites to collect patient data only for the purpose of the study, which means data can’t be used for internal purposes. Once the contract to manage a clinical trial has ended, sub-contractors must send that data back to the sponsor and delete any data they hold to avoid the risk of data breaches.
Adjusting to new regulations
On top of GDPR, clinical trials face another significant regulation – the clinical trials regulation (CTR), which is set to replace the clinical trials directive, although a date for implementation has yet to be confirmed and will depend on the Clinical Trials Information System being fully functional.
Perhaps one of the biggest challenges with the CTR is that it remains scant on detail, particularly as it applies to the role of the legal representative. Currently, the only information published about the legal representative is a line of text in the regulation – stating “Such legal representative shall be responsible for ensuring compliance with the sponsor’s obligations pursuant to this Regulation …” – and three questions in a Q&A document.
The new regulation, however, ultimately is expected to clarify the role of the legal representative. In some situations, a legal representative won’t be required; where one is, however, that person takes on a more significant role than they did previously, and must ensure the sponsor knows their responsibilities.
To manage both CTR and GDPR, therefore, sponsors need the support of experienced regulatory professionals.
Data Protection Responsibilities
When a sponsor seeks the support of a DPO, the data protection company they turn to becomes the point of contact for the supervisory authorities and must be inspection ready.
That means the consultancy must have the necessary documents ready to present to the authorities to demonstrate the client’s GDPR implementation strategy, records on data security and a clear explanation of the security process, a copy of any contracts with sub-contractors, a list of all employees at the client and proof they have been trained on GDPR, as well as the name of the DPO and their qualifications.
The DPO must ensure clients have included GDPR in informed consent protocols, in how they handle information about investigators and in all data management plans.
Given the complex nature of the GDPR as it applies to clinical trials, the DPO needs knowledge of regulation, the intricacies around how the regulation is implemented and the issues specific to clinical trials.
Adding to the complication of the GDPR is that, while it is a single EU regulation, there are 30 different national implementations, often with very different local recommendations. In fact, those differences can even occur within one country. For example, Germany has regional supervisory authorities in addition to a federal authority, meaning a study in Munich may have a different way of interpreting parts of the GDPR than one in Hamburg. The DPO needs to be able to adapt the advice based on these differences, and that requires the support of an experienced team of lawyers and clinical research experts.
In addition to an experienced team to draw upon, therefore, the DPO needs both general expertise and specific training. At MyData Trust, DPOs have backgrounds in clinical research, regulatory affairs, clinical product management and data management. They know how a trial is conducted, they know the regulation as it pertains to clinical data and they are trained for six months on the GDPR.
To work as a DPO, they are sent to the University of Maastricht in the Netherlands for intensive training before receiving certification that allows them to bridge clinical regulations and the GDPR.
The Role of the Legal Representative
Much like the DPO, the legal representative is there to help non-EU sponsors understand their obligations, inform them of compliance issues, and make sure the sponsor is well-educated and understands the regulations, processes and procedures.
However, unlike the DPO, the legal representative or consultancy is responsible if they don’t follow procedures and something goes wrong, for example if a patient’s data or health is put at risk.
The legal representative must also ensure clients are compliant with all regulations, including GDPR, which means checking the sponsor has a DPO and understands the GDPR responsibilities.
To be qualified and able to support clients, the legal representative must also have a background and training in the industry in order to understand the regulations and processes involved in clinical studies. IDEA Regulatory has brought together a team of experts in organic chemistry, immunology, and genetics with backgrounds in regulatory affairs, CMC (chemistry, manufacturing and controls), academia and hospitals. Where needed, scientific experts are put through a TOPRA apprenticeship (The Organisation for Professionals in Regulatory Affairs).
Time, flexibility and expertise
Both the GDPR and the legal requirements around establishing a clinical trial in Europe are complex and time consuming, and companies should ideally allow around six months to prepare.
Sponsors should align their SOPs and policies, train their people and validate their IT systems before collecting data. However, as MyData Trust has found, sponsors regularly turn to a data protection specialist a week or two before the study is due to start. As a result, the data protection team must change priorities, review the informed consent forms, review the input from the ethics committees and adapt processes to meet the deadlines. That’s where an experienced, highly trained team is crucial to quickly interpret the GDPR in the context of the trial and ensure clinical research is not held up.
Similarly, clients will turn to IDEA Regulatory in the middle of an ethics review process after being told that their trial isn’t approvable because they don’t have a legal representative.
The complex and global nature of clinical trials poses many difficulties when it comes to GDPR. For example, there is currently no legal mechanism for transferring data between regions. Yet non-EU sponsors must be able to access the data from European sites to conduct clinical research. That requires flexibility and deep understanding of the regulation to determine the best path for managing those data transfer issues.
While proper processes and procedures must be followed, the GDPR needs to be considered in the context of the initial premise, which is how clinical research and the data from those studies can benefit patients in need. Dedicated as the business is to healthcare and the life sciences, data protection experts at MyData Trust understand this and take this into account when implementing GDPR.
A pragmatic approach to GDPR means carefully documenting the way data is being used, the processes being used and ensuring all these details, including any potential non-compliance, are properly communicated to the supervisory authorities.
Documentation is key to accountability for both the GDPR and for the clinical processes that the legal representative oversees. Indeed, as experts in both GDPR and clinical data will attest, if it’s not documented, it doesn’t exist.
Liaison with the supervisory authorities is also important, particularly since the authorities have little understanding about the intricacies of clinical trials. MyData Trust seeks to work with a single point of contact at each authority, partnering with the authority to improve processes around data protection. The company also holds conferences to which supervisory authority representatives are invited to help them understand the industry issues more deeply, and to connect them with the sponsors to improve communication, which is key to improving compliance.
In addition, MyData Trust collaborates with organisations such as the European CRO Federation (EUCROF) to clarify the role of sub-contractors in Europe as it pertains to data protection.
As with the GDPR, interpretation of the CTR requires a pragmatic approach, plenty of experience and a good relationship with the authorities.
While IDEA doesn’t liaise as much with the authorities when acting solely as the legal representative, where the company acts as a regulatory consultant, steering small to medium-sized enterprises through the guidances, the team works more closely with the regulators. This is a liaison role not just to support the sponsor, but also to guide the regulators in what is often novel science.
For example, if there are no guidelines for a specific non-clinical model, IDEA’s team of experts works with the regulators to structure the argument for the study in a clear, patient-focused way. The IDEA team must also educate the sponsors on the regulations and guidelines and how these pertain to their specific circumstances.
Staying on the right course
To safeguard clinical trials and the patients in them, sponsors must ensure they are abiding by the regulations. For a non-EU sponsor, that means having a knowledgeable legal representative and an experienced, highly qualified DPO supported by teams of legal and clinical experts.
As the CTR comes into force, non-EU sponsors will need to plan their European clinical strategies more carefully, particularly where novel, complex science is involved. At the same time, they must ensure they understand their obligations in terms of data protection. These regulations are highly complex and often fluid. Having the right level of support and expertise is therefore of paramount importance.