Navigating GDPR Guidelines in Decentralized Trials

Decentralized clinical trials (DCTs) look set to become a positive outcome of the COVID-19 pandemic due to their benefits for patient recruitment and retention, but the increasing focus on data privacy when conducting DCTs creates a challenge for sponsors. The EU's General Data Protection Regulation (GDPR) protecting the data of EU residents is one of the strictest data privacy rules in existence. Contravening it can cost up to €20 million in fines and may result in trial data being unusable for marketing authorizations. The best way for sponsors to optimize their use of technology in DCTs while complying with GDPR guidelines is to take steps early during the planning process to mitigate compliance risks.

How technology can fail a DCT

Sponsors generally understand that GDPR requirements play a role when setting up a DCT system.  Because sponsors are responsible to ensure the DCT technologies deployed meet regulatory and privacy requirements, they must also take notice of all authorities that regulate patient data privacy – not just health agencies. For example, DCT technologies must meet the International Council for Harmonization-Good Clinical Practice (ICH-GCP, or GCP) requirements. Technology could violate GCP if the sponsor hosts, operates, or has access to DCT technology that exposes directly identifiable participant information, or if the DCT technology stores or produces source documentation that is not generated at the investigational site.

DCT technologies that only capture key-coded trial data do not present the same risk to participants’ confidentiality. However, without access to the directly identifiable participant information, the DCT services that can be performed are limited. For example, home health nursing or delivering medication directly to the patient without a site visit are not possible with such a setup. Therefore, the benefits of DCT technology for participants, such as reducing the burden of time and resources needed to participate in a trial, are limited. This can be especially critical for participants who live in remote locations or are otherwise not as mobile. Removing participation burdens can significantly reduce dropout rates, which can mitigate expenses for all trials and is especially crucial for sponsors working in rare disease.

Mitigating the risks of DCT non-compliance

Overcoming these challenges is therefore vital for sponsors to conduct effective decentralized trials. Because of the emergence of many new and inexperienced DCT vendors, selecting the right vendor can pose a challenge to sponsors. However, there are ways to mitigate these risks.

• Protect privacy through outsourcing. DCT data needs to be managed in very specific ways. For example, sponsors must prevent themselves from accessing the complete data set while maintaining data controllership. Doing this in-house is complex and expensive. The solution to this risk is to outsource the technology component of the DCT to an experienced, highly qualified vendor who can support GDPR obligations as a processor, allowing the sponsor to retain control over the clinical trial data set as well as the responsibility for maintaining patient confidentiality and privacy.

• Ensure participant trust. If DCT participants don’t trust the technology presented, they will typically refuse to use it at all, or they will not use it correctly. For example, with E-Diaries, the participants submit data electronically using their devices. They may not enter the information necessary for a successful trial if they are not convinced their data is in good hands. Clear and transparent communication about the data processing and the technologies used is key.

• Ensure data integrity. The credibility of every DCT depends on data integrity. When a sponsor appoints a technology vendor to manage trial data, it’s critical to ensure the programs and systems used are secure and have good risk mitigation measures against breaking data integrity, availability, and confidentiality in place. Otherwise, the data handling will not comply with GCP and GDPR requirements.

• Insist on extensive experience. When choosing a vendor, it’s vital for sponsors to select one with prior experience. Determine whether a potential provider knows how to manage IRB and Ethics committee approvals. Establish how many countries the vendor has deployed in. Request details of prior audits and inspections, and how many investigational products they have successfully had approved. It’s not just about GDPR—almost every European country has its own additional regulatory requirements, and regulators need reassurance that the technology vendor is familiar with all the relevant ones.

• Look for long-term support. Audits and inspections can occur without warning, and when they do, sponsors are hard-pressed to deliver against the flood of requests for information. Before appointing a technology partner, DCT sponsors must determine whether it offers a robust system backed by comprehensive training and round-the-clock support to meet auditing compliance guidelines. Whether these requests occur within months or years of the trial, sponsors must be able to rely on their technology vendor for support during an inquiry.

• Consider the costs of cheap services. Sponsors seeking a DCT technology vendor must carefully evaluate the cost of various service components. For example, managed services and full-service providers offer alternatives to homegrown and SaaS solutions that sponsors might consider lower risk and lower investment. However, a mature vendor with a higher price point may provide a complete package aligned with GDPR and update it regularly.

Making or breaking a DCT

Getting the right DCT technology that complies with GDPR guidelines and helps sponsors achieve successful trials requires a mature technology vendor with suitable policies in place. For sponsors, the right vendor can make or break a trial by ensuring that local regulations are adhered to, inquiries from sites and auditors are managed, and personnel and infrastructure are appropriate for this complex, highly regulated environment.

About the authors:

Jill Baehring is a privacy expert with more than 6 years of experience in data privacy. In her current role at IQVIA, Jill is working on privacy compliance for Decentralized Clinical Trials globally. With her team, she has worked to obtain the industry’s first GDPR Validation for IQVIA’s DCT Program. Before joining IQVIA, Jill was responsible for privacy compliance for the commercial organization of a pharmaceutical company in Germany, where she helped establish privacy processes across Europe. Previously, she worked for a business consultancy specialized in GDPR compliance, where she worked as external Data Protection Officer (DPO) and co-authored a Data Protection Impact Assessment (DPIA) for the Dutch government on Microsoft Office products.

Karen Maduschke is recognized as a global expert in electronic informed consent for the healthcare industry. With more than 20 years of experience, Karen has been involved with eConsent from its earliest inception. During the pandemic, she led the rapid deployment of IQVIA Complete Consent to enable critical DCT capabilities for dozens of COVID-19 trials as well as to ensure continuity for ongoing studies that needed to shift to a decentralized model. She is an advocate for patient-centricity in clinical trials and improved transparency in the informed consent process.