The pandemic proved the many benefits of decentralized clinical trials (DCTs). These virtual research models helped accelerate trials while reducing the time, cost, and burden of participation. However, for all the benefits, sponsors will need to consider how to handle patient data in DCTs.It is critical to be aware of global data protection requirements and adapt their trial plans accordingly or risk making seemingly insignificant decisions that have significant impact once implemented. This includes the impacts to individuals’ privacy rights, on authorization to conduct the research, and the potential for significant fines and penalties.

GDPR and DCTs
U.S. regulators embraced DCTs and the proper flow of patient data to support trial goals. In Europe and Asia Pacific countries, regulators are more and more accepting of DCT models and technology solutions but also concerned with how patient data is captured, shared, monitored, and stored during that trial.

The most well-known government program to regulate data privacy is the European Union’s (EU) General Data Protection Regulation (GDPR). Most sponsors are broadly aware that Good Clinical Practice (GCP) and GDPR require participants to provide consent prior to a sponsor reviewing and using a participant’s data in clinical trials. But sponsors may not realize that the regulation also requires careful consideration of  what personal data study teams collect, how that personal data is processed, and what records need to be maintained to demonstrate compliance with the regulation.

There also may be the assumption that healthagencies are the only regulators whose thoughts on data collection matter. When it comes to GDPR and data privacy, sponsors also need to be aware of the European Data Protection Board (EDPB) and their guidance on relevant data protection regulations. Each country also has its own national data protection authority (DPA) that supervises the application of GDPR and other privacy or data protection requirements in that country.

Sponsors need to incorporate the requirements and guidance from these DPAs into trial plans or risk steep fines. GDPR is among the strictest data privacy rules globally and can impose penalties up to four percent of global annual revenue from the preceding year.
 
Proving compliance: technology is not enough
Many life sciences technology vendors are building or adapting their platforms to adhere to GDPR regulations. However, using those solutions doesn’t guarantee compliance, and sponsors cannot simply refer to the technology as proof that they are following all of the rules of GDPR to regulators.

When running a DCT, sponsors will be asked by supervisory authorities, regulatory bodies, and often ethics committees whether the technology they are using is compliant with GDPR and applicable local laws. It is the sponsor’s obligation to ensure that the technology they use in clinical trials meets all applicable regulations.

To do that, sponsors need to conduct thorough due diligence into a system’s development, as well as its how it processes, validates and stores data, to ensure that GDPR principles are fully incorporated. And they will need to demonstrate compliance in their data collection activities and provide that certain records of that compliance upon request.

It is equally important to map out the operational model by which a sponsor plans to deploy technology products into the DCT. This should include a detailed explanation of all relevant training, firewalls, and quality management strategies that will be used to ensure separation of staff acting on behalf of the site and patients, versus the study team tasked with ensuring the quality of the data collected. Additionally, the model should detail plans for working with regulators and inspectors to address any data privacy concerns.

Tips for achieving compliance
For sponsors planning to use DCTs in the EU, GDPR can feel like a daunting obstacle to maneuver. Finding a partner who can help guide their way, can help mitigate these concerns and give them the confidence to leverage decentralized trial models in the future.

When conducting a clinical trial in Europe, our team at IQVIA has found it helpful if sponsors document and create summaries addressing the governing principles of GDPR and how they impact their data management methods.

Relevance of data collected
One of the governing principles of GDPR that is emphasized is that of “Minimal data collection.” Regulators and supervisory authorities want to see a direct relationship between the personal information collected and how that data is necessary for conducting the clinical trial. To prevent GDPR violations, sponsors will want to rigorously vet every piece of data collected through the compliance lens.

The European Medicines Agency (EMA) provided guidance recommending approval of remote source data verification by member states during the pandemic for trials involving COVID-19 treatment and studies of terminal illnesses for which there was not an accepted treatment, nearing database lock. However, the data allowed for remote review was limited to only “the most critical information,” and remotely reviewed data will likely need to be re-monitored when the pandemic recedes sufficiently to safely allow on-site monitoring to resume. Sponsors who plan to use remote monitoring need to be aware of these limitations.

Where data is stored
One of the most common misperceptions about GDPR is that sponsors cannot store patient data outside the originating country. An objective of GDPR is to facilitate the free flow of data in the EU, while protecting individuals’ rights to privacy. While some countries limit transferring personal data of its residents outside of that country, most countries in the EU will allow transfer of personal data freely within the EU member states provided some conditions are met. Transfer of personal data of EU residents outside of the EU has its own set of conditions and requirements. It is important to consult a qualified data privacy professional when designing the data flow of your study, to ensure these requirements are met.

These are just some of the many issues that can impact GDPR compliance and a sponsor’s data collection strategy. Working with a DCT partner who understands the intricacies of the data privacy and has experience conducting DCTs across geographies can reduce the risk of accidental non-compliance and give sponsors the confidence that they have a proven strategy for adhering to all regulations.