In 2016, the European Union approved the General Data Protection Regulation (GDPR) which replaces the 1997 Data Protection Directive. After 20 years, the European Union felt it was necessary to protect data and data ownership in the face of cyber security threats.
The GDPR will also affect pharmaceutical and medical device companies as well as CROs managing patient data. The big question is: how prepared is the drug and device development community for GDPR?
Set to come into full effect in 2018, the GDPR looks to harmonize data privacy laws across the European Union. The goal “is to protect EU citizens from privacy and data breaches, as well as reshape the way organizations across the region approach data privacy”.
One of the biggest changes is the increased territorial scope of GDPR. It will now apply to all companies processing the personal data of subjects in the EU, regardless of the company’s location. The new directive clarifies this point, “GDPR makes the applicability clear by noting the rules apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The EU is now hitting back hard at non-compliance with increased penalties of up to 4 percent of a company’s global revenue.
The GDPR has also specifically focused on patient consent. Under the new directive, the request for consent must be given in an “intelligible and easily accessible form, with the purpose of data processing attached to that consent”.
So what does GDPR mean for clinical trials?
Sponsors and CROs will have to take into account the de-identification and anonymization of clinical data for data collected via eCRF (electronic case report forms). Patient sensitive data, or any data that could potentially identify a patient, should be redacted.
The transmission of non-CRF data is also of concern under the new directive. This includes data that comes from labs as well as imaging and other devices. In this case, sensitive data may be sent out for additional analysis and may require more than just simple redaction.
Are pharmaceutical companies, together with their partner CROs, prepared to maintain data integrity and quality as clinical trials become more complex and global?
As clinical trials increasingly collect data from multiple databases across the world with various eClinical solutions, how will EU companies comply?
As of November 2016, any Sponsor selling products in Europe will need to comply with new EMA guidance on the anonymization of clinical trial data. Within 60 days of a marketing authorization decision, the Clinical Study Report must be made available in a form that removes any risk of a subject’s identify being breached. Fulfilling transparency and disclosure requirements requires a process of data de-identification and then anonymization of patient data.
While some companies have tried offshoring to keep costs down, it has proved to be a “false economy” due to quality issues and work needing to be redone.
De-identification involves removing or recoding health information that could identify an individual such as patient identifiers, free text verbatim terms or references to dates. Subsequently, data anonymization involves destroying all links between the de-identified datasets and the original datasets.
Data Anonymization Process and Support
CROS NT offers support for data anonymization compliance starting with patient-level data with a comprehensive process and expert team of statisticians, programmers, medical writers and regulatory professionals.
- Up to Level 3 data privacy protection (risk of data linking)
- Pre-validated macros less prone to errors
- 40% faster turnaround time
- Controlled process
- Data format specifications required for EudraCT portal data upload
- Expert consultancy for data transparency strategy
- CDISC Gold Member for standard data formats and mapping