Data Privacy Challenges for Compliance in European Clinical Trials
Clinical trials are a billion-euro industry for the European Union. However, that landscape is in flux, as life sciences organisations grapple with data handling and documentation requirements under privacy regulations and newer acts like the EU Clinical Trials Regulation. As a recent IQVIA report described, enrollment periods for European clinical trials have extended in duration by nearly 26% and western Europe’s proportion of global clinical trials declined by 21% overall. In the EU, concerns have been raised by the increasing shift of clinical trials to the U.S. and China, where the regulatory and operational requirements are seen as either clearer or less stringent.
While one of the goals of the EU Clinical Trials Regulation was to streamline and clarify the application process — a regulatory attempt to support growth within the EU’s pharmaceutical industry — in practice, fragmented interpretation by member states has created compliance challenges. In some ways, this has replicated the type of fragmentation experienced with GDPR. Indeed, both regulations contribute to operational complexity, often with overlapping considerations.
Retention periods are an example of these overlapping requirements and fragmentation. Data retention periods are a core element of the GDPR’s data minimisation principle. The Clinical Trials Regulation requires retention of the trial master file for at least 25 years after the conclusion of the trial. However, specific retention periods can vary depending upon the member country where the trial is taking place. For organisations conducting trials in numerous countries, this creates practical difficulties in how they handle data.
The landscape of clinical trials and its intersection with data protection compliance in the EU was discussed at length during a panel FTI Technology hosted with Marta Siemaszko of Novartis and Wolf Boehm of Latham & Watkins at the recent IAPP Brussels Data Protection Congress. The expert panel covered how organisations can balance privacy protections for individuals while driving medical advancement in the clinical trials space.
Key takeaways from that discussion include:
- Fragmentation around the lawful basis for processing presents a core privacy challenge; however, there is the possibility that mechanisms such as codes of conduct may help bring harmonisation.
- There is also confusion and fragmentation around controller and processor designations and obligations, which may not reflect the reality of the roles being performed. This lack of clarity could also potentially be resolved with a unified EU code of conduct.
- Breaches remain a significant concern for enforcement given the sensitivity of the data, and proactive data management and protection will remain a key means to minimise risk.
- Good clinical practice standards and privacy compliance are complementary initiatives in holistic compliance programs.
The panel was inspired by FTI Technology’s work supporting life sciences organisations in addressing privacy challenges. FTI Technology’s experts in this area have supported clients with implementing best practices including:
- Configuring privacy enhancing technologies with custom surveys and workflows that help organisations complete their documentation requirements. Some regulators require data protection impact assessments as part of an application, and many organisations struggle with collecting information from the appropriate stakeholders. Custom workflows can help collect the information while minimising friction with the business.
- Comprehensive vendor due diligence processes, as vendors are sometimes onboarded for a trial extemporaneously. Disjointed onboarding makes the completion of privacy documentation even more burdensome. And as artificial intelligence tools become part of the solution stack for many providers, having a cohesive onboarding process that provides a clear picture of privacy risks will be increasingly important.
- Establishing specialised capabilities and multi-disciplinary expert teams for data breaches, including responses to breaches and breach risk mitigation programs focused on data minimisation and storage. With increasingly long retention periods for trial records, organisations need cohesive data strategies to ensure data is appropriately accessible and useful, while unnecessary data is archived or destroyed and appropriate security measures are applied long-term.
- Designating or outsourcing a data protection officer, especially for organisations that rely on their contract research organisations for privacy guidance, which may not provide enough support or specialised advice. This will help to ensure privacy notices are accurately covered in informed consent forms and provide support for understanding controller and processor roles.
The clinical trial ecosystem is complicated, and regulatory goals of bringing harmonisation haven’t been fully realised. Understanding the overlap between privacy and other compliance regulations is critical to addressing these issues in a holistic way. Proactive steps in policy, process and technology can help organisations participate in the EU market, where they can benefit from reliable results produced by expert professionals.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.