The application of European regulation on data protection (GDPR) is a major challenge for Biotechs wishing to conduct clinical trials in the EU and requires them to master the conduct of their projects to comply with the applicable legal framework.

Record levels for biotechs

The global biotech market is growing rapidly, driven by the interest generated by the pandemic, with a valuation of $793.87 billion in 2021 and projections of $1,415.45 billion by 2028¹. Although the United States accounts for 59% of the global biotech market², many American companies are now aiming to develop their operational activities in Europe, leading to remarkable market growth and interest from European pharmaceutical companies.

Highly regulated activities in Europe

In the EU, clinical trials are governed by legislative, regulatory, and administrative provisions relating to the application of good clinical practices at both European and local levels. They aim at a high level of patient protection, while setting rigorous quality and safety standards to obtain reliable and robust data and results.

Adopted in May 2018, the European Regulation on the Protection of Personal Data (GDPR) ensures the protection and privacy of individuals with regard to the processing of personal data and provides for the rules on the free movement of such data. Any sponsor or subcontractor involved in a clinical trial, whether a company, institute, or association, that handles personal data of EU member state residents must comply with the GDPR, even if the entity is not established in Europe. “Health data” is defined specifically as any personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which reveals identifiable information about that person’s health status.

The interaction between the European Union’s regulation on clinical trials and the General Data Protection Regulation (GDPR) requires a thorough impact assessment on the implementation and conduct of health-related research.

From fundamental principles to compliance obligations

The principles of the GDPR are based on transparency of personal information, lawfulness of data processing activities, the rights of data subjects, data retention, and the principle of accountability for the application of GDPR rules.

The GDPR compliance framework requires specific knowledge and skills. Adoption processes must be adapted to secure such sensitive personal data as health data from the moment it is collected.

The GDPR requires mapping processing activities, setting up processes and registers, informing individuals, guaranteeing their rights and freedoms, and raising awareness internally of good practices on personal data protection.

Data controllers must therefore ensure the application of appropriate technical and organizational measures. The challenge is to be able to demonstrate compliance with data protection rules (the accountability or demonstrability principle) and the exercise of patients’ rights, particularly in the event of data transfer outside the European Union.

The appointment of a Data Protection Officer (DPO) to ensure compliance is a requirement for a clinical trial sponsor. In addition, if the entity is not established in a member state of the European Community, a data protection authority must be appointed in the non-EU country where the data processing activity takes place.

Legality of data transfers outside the European Union

Since the invalidation of the Privacy Shield by the European Court of Justice (“Schrems II”), each organization must now verify the legality of personal data transfers outside the EU, and particularly transfers to the United States. Thus, each actor is required to determine the criticality for its organization and define an action plan according to a defined method in order to achieve compliance.

Non-compliance with the GDPR: what penalties?

In case of non-compliance, the consequences are numerous. The amount of the penalties can be up to 20 million euros or, in the case of a company, up to 4% of the annual worldwide turnover. These penalties can be made public and put the company’s reputation at stake.

Biotechs outside the EU: getting better organized to establish themselves in Europe

The application of the GDPR to clinical trials conducted in Europe can be tedious for Biotechs located outside the European Union, and particularly for American Biotechs, which are subject to highly constrained data transfers. A comparison between European and American rules on health data protection reveals a European legislative apparatus with standards that are very different from those of HIPAA and the Cybersecurity Law. The protection of personal data is at the heart of the European regulatory framework. Information, access, deletion, limitation, and portability of data are linked to the principle of informed explicit consent, responsibility, and risk control. Outsourcing R&D activities in Europe for the early stages of process development requires new strategies and support in order to avoid some of the risks inherent to these developments.

As Data Protection Officer (DPO), iliomad assists American Biotechs in their efforts to conduct clinical trials in Europe. Our compliance platform (https://www.iliomad.fr/platform) dedicated to American Biotechs provides concrete answers to transpose the GDPR into daily practice, and to better understand the differences between national and regional legislative frameworks (https://www.iliomad.fr/platform-features/country-specific-guidance).

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified
