Clinical trials can be complex, layered machines in which multiple spheres of compliance must be accounted for. Our previous blog covered embedding privacy by design, consent, and strategies for mitigating data protection risks at the outset of a clinical trial. In this piece, we look at the main challenges data protection officers (DPOs) need to be mindful of to ensure ongoing compliance with data protection laws during the trial.
Challenges in transferring data
During clinical trials, the necessity to transfer data to different locations presents significant challenges, particularly when data is moved across borders that don’t share the same regulations. These trials often involve multinational collaboration, where patient data must be shared between investigators, Clinical Research Organizations (CROs), sponsors, and regulators in different countries. The GDPR sets strict rules for such transfers, especially when they involve transferring data outside the European Economic Area (EEA). Under the GDPR, personal data can only be transferred if the recipient country offers an adequate level of data protection, or if appropriate safeguards, such as standard contractual clauses (SCCs), are in place. The DPO plays a pivotal role in assessing and approving these transfers to ensure all legal requirements are met.
Moreover, clinical trial participants need to understand not only how their data will be used in the trial but also where and with whom it will be shared, especially if it is being transferred to a country with less stringent data protection protocols. The DPO is responsible for overseeing the transparency of these communications and ensuring that participants are fully informed about personal data transfer and any potential impact.
Managing the many layers of compliance
Throughout the lifecycle of a clinical trial, the many layers of compliance required by different aspects of the operational machine need to be carefully balanced with the quest to find a new solution to a health issue and ultimately better outcomes for patients. The DPO works closely alongside the wider compliance team to ensure personal data is governed with the same level of importance as that with which medical-legal compliance is handled. Specifically:
Ensuring best practice with safeguards
Using data encryption, access controls, and anonymisation/pseudonymisation to protect the sensitive information of participants. The DPO ensures that these safeguards are appropriately implemented and that regular data protection training is conducted so that staff understand how to use these tools effectively.
Verified compliance
Conducting internal and/or third-party audits helps to ensure safeguards are functioning properly. Continuous monitoring of data access and documentation of all processes help detect and resolve compliance gaps. The DPO is responsible for coordinating these audits and reporting any identified issues to senior management and regulatory bodies.
Impact assessments and keeping the regulator informed
Penetration testing, breach simulations, and Data Protection Impact Assessments (DPIAs) verify that safeguards work as intended. The DPO leads the execution of DPIAs and ensures that Key Performance Indicators (KPIs) and regular reporting to regulatory bodies provide measurable proof of compliance.
Alongside the extended compliance team, the DPO’s involvement is indispensable in managing data protection challenges in clinical trials. By ensuring robust data transfer mechanisms and continuous compliance monitoring, HewardMills as an external DPO can help maintain the integrity and security of participant data throughout the clinical trial lifecycle. The success of clinical trials is often linked to participants trusting an organisation with their data, so strong data governance is imperative.