Stringent data privacy standards, set to come into effect in the EU this May, call for urgent investment in compliance measures throughout the clinical trial recruitment process.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. The most significant legislative update to data privacy regulation in decades, the GDPR will standardize information security across the EU, put agency over personal data back in the hands of EU citizens, and guide the ways that businesses, organizations, and governmental bodies protect sensitive information.
Once the GDPR goes into effect, individuals will have expanded rights to information regarding the use of their personal data. In turn, healthcare professionals will have greater obligations when it comes to protecting and processing medical information. Before potential participants enroll in a trial, they’ll be entitled to an explanation of what data will be processed, where it will be transferred to, who will be handling it, what the data will be used for, and what risks are involved.
It’s essential that sponsors and CROs engaged in the clinical trial recruitment process understand how they’ll be required to update their data collection and protection protocols per the GDPR. The transition toward GDPR-compliant security infrastructure doesn’t need to cause widespread institutional disruption — so long as industry stakeholders prepare sooner rather than later.
What Does the GDPR Mean for Clinical Trial Recruitment?
Sponsors and CROs running clinical trials must take care to determine which provisions of the GDPR apply to them when handling patient data. The far-reaching legislation empowers EU regulators to levy heavy financial penalties on those who aren’t in compliance by the May deadline, and that’s not just aimed at organizations based in Europe. Any entity that collects or processes the personal data of those residing within the EU has to comply, whether it is based in Brussels or Buffalo.
Under the GDPR, patients will have a legal right to strengthened conditions of informed consent. When a patient signs an informed consent form, it must state what information is being collected and why in a clear and accessible way. But in many cases, clinical trial data falls under a unique category; because the information is necessary for medical research, patients who sign these forms will opt out of the “right to erasure.” To prevent further data collection, patients must be able to exit the clinical trial as easily as they entered it.
One crucial component of GDPR-regulated data collection in clinical trials is the distinction between pseudonymization and anonymization. Any pseudonymized data that can be tied to an individual patient with the help of other information will still be considered personally identifying information (PII). Only fully anonymized data will lose the PII label, so trial protocols must distinguish between these two data types.
How Can Sponsors and CROs Prepare for the GDPR?
The time has come to make the transition. When the May 25 deadline rolls around, organizations will be either compliant or non-compliant, and those that fall into the latter camp risk incurring exacting fines.
While there’s no quick and easy way to prepare for the GDPR, parties involved in clinical trial recruitment can begin by designating their Data Protection Officer. This newly required role will be the liaison between their teams and EU regulators during reviews and, especially, during potential data breaches. By working with Data Protection Officers to ensure that planned clinical trials are fully compliant with the GDPR, sponsors and CROs can avoid costly reviews and amendments to existing consent forms and recruitment documentation.
Ultimately, clinical trial stakeholders may want to work with reputable industry partners in order to ensure that their data protection policies and recruitment protocols are in line with the GDPR’s standards. Although the costs to reach full compliance may seem like nothing more than a regulatory hurdle, they point toward a future for medical data that puts patient needs — and privacy — first.