Understanding Data Mapping and Data Flow

  • Data Mapping: This is the process of identifying, recording, organizing, and structuring the types of personal data collected by an entity. It's a form of introspection to understand the core processes of services or activities, crucial for clinical trials to manage patient and research data effectively.
  • Data Flow: Complements data mapping by visually representing how data is accessed and transferred between entities. It's essential for understanding the lifecycle of data within a clinical trial, including how it's collected, stored, processed, and shared.

Regulatory Guidance on Data Mapping and Flows

The GDPR does not explicitly require entities to undertake data mapping or to illustrate their data flows directly. However, it introduces several indirect mandates that effectively necessitate these actions to ensure compliance. For instance:

  • Article 30 of the GDPR mandates that organizations keep detailed and up-to-date records of their data processing activities. Data maps play a critical role here, enabling organizations to document the processing, storage, and transfer of personal data comprehensively. Such thorough data mapping aids in creating accurate Records of Processing Activities (ROPAs), which are instrumental in demonstrating compliance.
  • The principles of data minimization, accuracy, purpose limitation, and storage limitation highlighted by the GDPR can be effectively addressed through a detailed data mapping exercise. This process ensures that organizations adhere to these core principles by having a clear understanding of the data they handle.
  • For processes that pose a high risk to the rights and freedoms of data subjects, the GDPR mandates the execution of Data Protection Impact Assessments (DPIAs). A well-conducted data mapping exercise is foundational for DPIAs and Privacy Impact Assessments (PIAs), often incorporating data flow diagrams to illustrate the processing involved.
  • Implicitly, the effectiveness of these activities is contingent upon an organization's understanding of data trajectories and access permissions. Thus, data flow mapping becomes an indispensable counterpart to data mapping, providing a comprehensive view of data movement and access within an organization.

Challenges in Clinical Trials

Data mapping is relatively straightforward for organizations handling their internal data. However, for clinical trial sponsors who outsource many of their functions to external parties, the process becomes considerably more complex. The loss of direct control and a diminished understanding of data handling are significant challenges in these cases. This complexity often leads to a lack of clarity regarding who has access to what data and when. Misunderstandings can arise between sponsors and their vendors regarding the scope and nature of data being processed. For instance, there might be confusion about whether a biosimulation company is receiving unredacted data, leading to discrepancies in data handling expectations.

The data flow is complex, often non-linear, and involves multiple bilateral exchanges

Consider a typical scenario in a clinical trial: A US-based sponsor is expanding its trial sites to Austria, Germany, Switzerland, Spain, and the UK. To manage this expansion, the sponsor contracts with a Contract Research Organization (CRO) to centralize the study's database. Due to the study focusing on a specific oncology pathology, the sponsor also engages various specialized vendors for different roles, including data management & analysis, ECG, pharmacokinetics, EDC (Electronic Data Capture), central laboratory, CRO, and safety monitoring.

Each vendor receives data from the clinical sites or other vendors in various formats, which could be either decoded or coded. Some may handle biological samples, others may deal with imaging data, and some may process real-world data. The data flow is complex, often non-linear, and involves multiple bilateral exchanges. For example, a pharmacokinetics vendor might receive data from the CRO, which in turn has received data from the central laboratory. This multifaceted data exchange underscores the intricacies of managing data flow in outsourced clinical trial environments.

Key Considerations for Effective Data Mapping and Data Flow Analysis

In essence, although not directly mandated, data mapping serves as a cornerstone for meeting contractual obligations, conducting thorough DPIAs, and satisfying regulatory authority inquiries

To ensure a thorough data mapping and data flow analysis, several critical aspects need to be addressed:

  • Types of Data Being Processed: It's essential to identify the various kinds of data involved in the process and their respective categories. In clinical trials, this may include a wide range of personal data, from patient pseudonyms and investigator CVs to detailed health data such as biological samples, blood tests, gender information, and medical imagery. Understanding the full spectrum of data and which vendor handles each type is crucial.
  • Data Storage Formats: Determining the formats in which data is stored is another vital step. This could encompass a variety of formats, including hard copies, digital files, databases, and data stored on personal or mobile devices.
  • Data Collection and Transfer Methods: It's important to clarify how data is collected and transferred among parties. In clinical trials, data collection often occurs through Case Report Forms (CRFs) and is then shared with various stakeholders via different methods, such as Secure File Transfer Protocol (SFTP) channels.
  • Geographical and Regulatory Considerations: Identifying the locations involved in the data flow, including where data is stored (e.g., office locations, cloud services, third-party locations) and any specific regulatory requirements that dictate how and where data must be hosted, is essential. An example includes health data hosting obligations in certain jurisdictions, like the Health Data Hosting (HDS) certification in France.
  • Accountability for Data: Establishing who is responsible for the personal data at each stage of its lifecycle is critical. Accountability may shift as data moves through an organization, necessitating a clear data access policy to manage and monitor responsibility effectively.
  • Data Access: Determining who has access to the data is particularly challenging in environments where clinical activities are outsourced. Given the complex and often bilateral nature of data flows in such scenarios, it is imperative to map out data access comprehensively, ensuring that only authorized entities can access sensitive information.

Impact of Data Mapping on Compliance and Regulatory Interactions

Regulatory bodies such as the FDA or EMA sometimes request data mapping documentation during their review of submitted materials

While regulations like the GDPR do not explicitly require the creation of a data mapping document solely for its own sake, such documentation proves invaluable across various facets of compliance programs. Here’s how:

  • During Contractual Agreements: Effective data mapping, as detailed previously, is instrumental in accurately completing the Standard Contractual Clauses (SCCs), especially for data transfers outside the EU. It enables both data controllers and processors to specify the types of data being transferred and the purposes of such processing with precision.
  • For Data Protection Impact Assessments (DPIAs): DPIAs, which are crucial for assessing the impact of data processing activities on data protection in clinical or safety operations, benefit significantly from incorporating data flow analyses. This inclusion, often found in DPIA templates (like those from CNIL), brings clarity to the process, particularly for teams that contribute remotely to risk analysis efforts.
  • Interaction with Regulatory Authorities: Interestingly, regulatory bodies such as the FDA or EMA sometimes request data mapping documentation during their review of submitted materials. This requirement helps these authorities gain a comprehensive view of a clinical trial’s setup, facilitating a better understanding of the trial’s data management practices.

In essence, although not directly mandated, data mapping serves as a cornerstone for meeting contractual obligations, conducting thorough DPIAs, and satisfying regulatory authority inquiries, thereby underscoring its significance in the broader context of data protection and compliance.


Optimal Approach for Data Mapping and Flow Analysis

Creating a comprehensive data mapping and flow document is a detailed and time-consuming task that necessitates a collaborative effort

Creating a comprehensive data mapping and flow document is a detailed and time-consuming task that necessitates a collaborative effort from various teams within an organization, including Quality Assurance, Regulatory Affairs, Operations, Data Management, and Compliance. The recommended strategy involves starting with the identification of investigational sites and tracing the process back to the Contract Research Organization (CRO), ensuring that the previously mentioned six critical questions regarding each instance of data transfer and access are thoroughly addressed. It's crucial to avoid settling for vague or imprecise responses, as inaccuracies can have a domino effect on different aspects of your compliance framework. Utilizing the information gathered from these inquiries, the compliance officer can begin to compile the Record of Processing Activities, construct the data flow diagrams, and, if necessary, initiate the Data Protection Impact Assessment (DPIA) process.

Recommended Tools and Practices for Effective Data Management

Through practical experience, we have pinpointed several tools and methodologies beneficial for this type of work:

  • For Data Flow Visualization: Figma serves as an excellent tool for creating visual representations of data flows.
  • For Data Mapping: The CNIL’s Excel template is a valuable resource for compiling Records of Processing Activities (RoPAs).
  • For Stakeholder Engagement: It's advisable to record meetings conducted via platforms like Teams or Zoom, especially since discussions on these topics tend to be complex and detailed.
  • Regular Review and Update: Implementing a routine, such as a quarterly review, ensures that your data management practices remain current and accurately reflect any changes in personnel, vendors, or sites.
  • Acknowledging Dynamics: Given the ever-evolving nature of projects, with frequent changes in employees, vendors, and operational sites, maintaining an up-to-date representation of these changes is crucial for accurate data management and compliance.

Seamus Larroque

CDPO / CPIM / ISO 27005 Certified

Home

Discover our latest articles

View All Blog Posts
October 14, 2024
Clinical Trials
Guideline

Analyzing the Similarities and Differences Between ICH-GCP and GDPR in Clinical Trials

ICH-GCP and GDPR are vital for clinical trials, setting standards for participant protection and data integrity, with distinct focuses and enforcement approaches.

September 9, 2024
Biotech & Healthtech
Data Breach
Health Data Strategy

Comprehensive Cyber Insurance for the Life Sciences Industry

Cyber insurance provides coverage to businesses, including those in the life sciences industry, to protect against losses from cyberattacks, such as data breaches, ransomware, and other threats. For life sciences companies, which handle high-value intellectual property and sensitive data, tailored cyber insurance policies offer essential protection against financial, legal, and reputational damage while complementing existing cybersecurity measures.

August 7, 2024
Data Breach

UK data watchdog to fine NHS vendor Advanced for security failures prior to LockBit ransomware attack

The UK data watchdog is set to fine NHS vendor Advanced for security failures that occurred before the LockBit ransomware attack. These security lapses contributed to the vulnerability exploited during the attack.