Protecting participant privacy with tailored compliance solutions for clinical trials
A global biotechnology company developing novel, multifunctional therapeutics to address difficult-to-treat cancers and other serious diseases faced a potential data protection challenge regarding the management of its clinical trials.
The challenge
Although the company is a data controller, a Contract Research Organisation (CRO) is contractually responsible for managing some Data Subject Rights Requests (DSRRs). Therefore, the company must ensure that the CRO is fully compliant with data protection requirements, particularly in safeguarding the rights of data subjects. The company needed a strategy to ensure proper compliance (and reduce liabilities) throughout its clinical trial processes.
Our approach
Our strategy involved three key activities:

Master Services Agreement (MSA) assessment
Review of the company’s MSA to determine whether the agreement clearly addressed each party’s data protection obligations, providing recommendations from our findings.

Contract Research Organisation (CRO) questionnaire
Developing and conducting a questionnaire to properly assess the CRO’s compliance with data protection obligations in responding to Data Subject Rights Requests during clinical trials.
The questionnaire sought to clarify the parties’ responsibilities and the CRO’s procedures when responding to Data Subject Rights Requests.

Memos
Provision of two memos: one detailing our findings and recommendations regarding the Contract Research Organisation (CRO) questionnaire, and a second outlining the importance of conducting due diligence when working with third-party vendors and CROs, highlighting key examples and learnings from regulatory enforcement action taken for non-compliance with Data Subject Rights Requests.
Impact
The strategy deployed resulted in the following outcomes, which collectively help address the company’s accountability and overall responsibility for data protection compliance:
Regulatory obligations
The strategy emphasised the company’s role and responsibilities as the primary controller and sponsor of its clinical trials, ensuring the adoption of a proactive approach in overseeing the entire clinical trial process and compliance with third parties.

Improved compliance
By developing the Contract Research Organisation (CRO) questionnaire, we enabled the company to more accurately assess its CRO’s data protection compliance, proactively helping to reduce potential regulatory breaches.

Strengthened contractual clarity
The strategy prompted the company to conduct a more detailed contractual assessment to identify and address weaknesses. This in turn created a stronger legal foundation to clarify responsibilities and establish better processes regarding Data Subject Rights Requests.

Effective data subject rights management
Focusing on the Contract Research Organisation’s (CRO’s) Data Subject Rights Requests management process enabled the company to verify whether its CRO had effective Standard Operating Procedures in place. This focus on rights management ensures regulatory compliance and helps foster trust with clinical trial participants by safeguarding their personal data rights.
