What're the implications of the EU’s General Data Protection Regulation (GDPR) on the industry?
Updated: Mar 25, 2020
This is a pertinent question, given that we are days away from the requirement for implementation of GDPR. To put GDPR in perspective, the regulation effectively looks to strengthen the Data Protection Drive (DPD) which has been in existence since the ‘90s. The regulation looks to enforce, more stringently, broad principles that have long existed and should in essence already form the fundamentals of processes dealing with personal data for any organization in the clinical trial industry.
However, there is a need to augment these processes, through clear definition of responsibilities for both controllers and processors of data, and clearly worded contractual arrangements for compliance as well as requirements for timely communication and reporting around breaches.
Although CROs such as ours are typically processors, the onus is great to demonstrate the same accountability as a controller; any breaches on our part would make us liable to be penalized as controllers, not merely processors.
This is why we at PPCE have been working over the last year, internally as well as with our European clients and partners, towards the creation of structures such as legally reviewed contracts, formalized communication channels and timelines for unintentional disclosure and aligning Standard Operating Procedures for data privacy that will give confidence in our privacy-by-design approach to the processing of clinical trial data when the regulation becomes enforceable on 25th May, 2018.
This is an excerpt from the Executive Director's interview with the organizers of the GCT Meet held in Barcelona in 2018.