GDPR and DCTs: Don't be complacent about compliance
How to embed data privacy into decentralized trial designs
Owen Corbin, Senior Director of Data Privacy and Regulatory, IQVIA
Nov 22, 2021

The pandemic may have pushed sponsors to embrace decentralized clinical trials (DCTs) faster than they originally intended, demonstrating real benefits for patients, sites, and sponsors.

But for all the benefits, DCTs also present some hidden challenges related to data privacy and regulatory compliance. These issues must be addressed in trial planning, or sponsors risk making seemingly insignificant decisions that could lead to huge fines and penalties.

Patient data in the EU

The key to data-related compliance in DCTs is paying attention to all the authorities that regulate patient data privacy – not just the health agencies.

The EU's General Data Protection Regulation (GDPR) is the most well-known and far-reaching. Established by the European Data Protection Board (EDPB), GDPR is among the strictest data privacy rules globally and can result in fines of up to €20 million, or four percent of revenue, for organizations that blatantly disregard it.

Most sponsors are broadly aware that GDPR requires patients to provide consent as a condition of reviewing and using their data in clinical trials. But they may not realize that GDPR places strict controls on what data study teams can collect, how and where they store it, how they contact patients, what details can be given about a patient’s condition, and who is allowed access to the data. Sponsors must comply with all aspects of the rule and prove compliance to auditors.

That compliance can vary based on how the rule is interpreted by each country’s national protection authority, which means trial plans that span borders must be adapted to meet each local interpretation.

Technology is not enough

An excellent first step in this journey is choosing a DCT platform designed to adhere to GDPR rules as they are applied in each EU nation. However, the technology alone is not a guarantee of compliance.

Sponsors also need to define how they plan to adhere to the rule and demonstrate compliance to regulators should there be any data privacy concerns. This documentation includes all relevant training, firewalls, and quality management strategies that will be used to ensure separation between the staff acting on behalf of the site and patients and the study team tasked with ensuring the quality of the data collected.

IQVIA uses Data Protection Impact Assessments (DPIAs) to help sponsors map the data collection workflow used in DCTs and demonstrate compliance to investigators. DPIAs have been used by tech companies for years to identify and document data privacy risks in their platforms, and they can be equally valuable in a clinical research setting.

A DPIA is a documentation process used to evaluate adherence to data privacy rules and identify and minimize any potential risks in that environment. The DPIA covers the technology used to capture and store patient data, how it will be used, stored, and deleted, who has access to it, and how it will be pseudonymized before monitors review it.

Conversation starter

Using a DPIA doesn’t just ensure all the necessary data privacy process flows are recorded. It creates a framework for conversations about how data will be safely captured, stored, and managed throughout the DCT, from first contact through the end of the trial and later follow-up.

Following a DPIA causes sponsor teams to ask questions about whether data collection and storage methods align with local patient privacy rules and how the team will verify that the data they collect is protected and necessary to support the trial’s goals. Then once the trial begins, if regulators require proof of adherence to GDPR, the DPIA becomes the paper trail sponsors need to prove compliance and avoid potential penalties.

Even with a DPIA, adhering to GDPR can feel like a daunting challenge for sponsors, who often lack the expertise on their teams to vet their data collection strategy thoroughly. Finding a partner with experience running DCTs in the EU and addressing GDPR concerns can give them the insights they need to confidently launch these trials in the future.
