Navigating Compliance: The Essential Role of Data Protection Representatives in EU and UK Clinical Trials
From a data protection viewpoint, clinical trials encompass a range of tasks that can be daunting for clinical sponsors. The sheer volume of compliance activities required for clinical operations is staggering, including ICF reviews, vendor assessments, protocol reviews and CTIS statements, Data Protection Impact Assessments, Records of Processing, and more. Amidst this whirlwind of obligations, one requirement often emerges as an unexpected challenge for clinical sponsors without a presence in the EU or UK: appointing a data protection representative.
The Data Representative - A Question of Sovereignty for the EU and the UK
The role of the data representative bears a strong resemblance to another form of representation mandated by the Clinical Trial Regulation No 536/2014, specifically Article 74, which requires sponsors not based in the EU to appoint a representative within the EU. Similarly, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) stipulates that clinical sponsors without an establishment in any of the EU countries where data processing occurs (in a clinical trial, this would be data collection at the sites) must appoint an entity to communicate with data subjects and data protection authorities. Historically, these requirements stem from the European Union's desire, acting through the EU Commission, to exert control over foreign companies offering goods or services within EU territory. This control is exercised by appointing a local intermediary in the EU who can easily be reached in case of inquiries. The representative serves a similar purpose to what some countries have historically achieved through the extraterritorial application of their laws (for example, the US's approach to transactions made in US dollars, asserting that any transaction in US dollars could be subject to US law enforcement and the Department of Justice's jurisdiction).
From an Overlooked Requirement to a Revival
In the initial phase of GDPR implementation, the role of the representative wasn't particularly emphasized by companies or privacy professionals, as there was still a period of adjustment and understanding needed regarding GDPR's requirements. Additionally, the focus of privacy professionals was predominantly on meeting the demands of their EU-based clients rather than addressing the needs of their international counterparts. However, the significance of this role has emerged more prominently due to two main factors: increased attention from data protection authorities, which recognize the importance of having such a mediator in interactions with foreign entities, and the issuance of the first fines, such as the one against Clearview AI in 2023. A subtler yet impactful reason for this role's resurgence is its incorporation into other regulations aiming to enhance compliance. Examples of such regulations that now include a representative function are:
- NIS2
- Digital Services Act
- Terrorist Content Online Regulation
- The Data Governance Act
A focal point during discussions about the Informed Consent Form
Throughout our years of supporting clients with EU and UK clinical trials, the issue of the data protection representative consistently emerged. This topic often becomes a focal point during discussions about the Informed Consent Form, where ethical committees, particularly in countries like France, show heightened awareness. It similarly gains attention during specific EMA audits and controls. Intriguingly, the requirement for a data representative has even spread to countries near the EU, with Serbia being a notable example. The Serbian Data Protection Authority, known as Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti, has recently reminded sponsors of their obligation to appoint a representative.
EU GDPR, UK GDPR, and What Lies Ahead?
The requirement for a data representative, as we've seen, originates from EU legal mandates. Following Brexit in February 2020, the UK chose to incorporate GDPR into its legal framework via the Data Protection Act of 2018, maintaining the obligation to appoint a representative for clinical sponsors conducting trials in the UK without a local establishment. This added a layer of complexity for sponsors managing multicentric trials across both the EU and UK. Notably, the ongoing review of the Data Protection and Digital Information Bill, with the latest draft from the House of Lords proposing the removal of this representative requirement, suggests potential changes on the horizon for clinical trial sponsors operating in these regions.
The Distinction Between a Data Representative and a Data Protection Officer: Unveiling the Reality
A significant confusion arises from the vague language used by legislators in drafting both the EU GDPR and UK GDPR regulations. Specifically, Article 27 and Recital 80 broadly define the role of the data representative, stating that the representative should be mandated by the controller or processor to be addressed, in addition to or instead of the controller or processor, by supervisory authorities and data subjects on all matters related to processing, to ensure compliance with the regulation.
A significant overlap between the responsibilities of a Data Protection Officer (DPO) and a Data Protection Representative (DPR)
This broad description has led to the misconception that there is a significant overlap between the responsibilities of a Data Protection Officer (DPO) and a Data Protection Representative (DPR). However, the reality is that while the DPO is fundamentally involved in establishing and maintaining compliance through their activities, the representative's role is more about fulfilling a specific compliance requirement with minimal actions (such as handling requests from patients or authorities), which are typically managed by the DPO for a clinical sponsor.
Key Considerations for Clinical Sponsors Before Appointing a Data Protection Representative
From the perspective of clinical trials, data protection authorities and guidelines now confirm that the criteria set by Article 27 of the GDPR apply to clinical sponsors without an establishment in the EU or UK. Conversely, establishing an office or affiliate within the EU or UK exempts sponsors from this obligation. For example, a US sponsor with an office in Spain conducting a multicentric study in Spain, Germany, and Italy does not need to appoint a data protection representative. Sponsors that do fall under the obligation should expect to enter into a specific agreement covering the representative's obligations as required by Article 27. Our experience shows that it is important for clinical sponsors to understand the representative's role and to clearly define the separation of duties and the tasks actually performed.
Resources
- https://gdpr-text.com/read/article-27/
- https://iapp.org/news/a/the-hidden-obligation-rides-again-eu-representatives-under-gdpr-dsa-nis2-and-others/
- https://iapp.org/news/a/how-do-the-dpo-and-eu-representative-interplay/
- https://health.ec.europa.eu/document/download/c3042973-b36d-4094-a1fb-a6fc980f065e_en
- https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en_0.pdf
- https://www.edpb.europa.eu/sites/default/files/webform/public_consultation_reply/feedback_for_edpb_recommendation_01-2020_-_datarep_031220.pdf
- https://researchbriefings.files.parliament.uk/documents/LLN-2023-0050/LLN-2023-0050.pdf