Medial Research Network

GDPR - A Hot Topic for Clinical Trials?

GDPR is the hot topic on the to-do list of everyone in the EU, but what are the implications for Clinical Trials? This is a complicated question and the answers will depend heavily on your specific business, but we’d like to give you something to consider in the run-up to the 25th May 2018.

Don’t click off if you’re not based in the EU: GDPR will apply to Data Controllers and Data Processors in the EU, irrespective of where processing takes place, as well as to Controllers who are not in the EU but are providing services into the EU.

GDPR is a real step change in data privacy and has been implemented to give people far more control over their personal data and what companies and organizations do with it.

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organization.”1 Elizabeth Denham, UK Information Commissioner, ICO, at a lecture for the Institute of Chartered Accountants in England and Wales in London on 17th January

Under the forthcoming legislation, there are layers of fines that could be applied depending on the size of your business and the severity of your transgression, but major transgressions could receive fines of up to €20 million or 4% of annual global turnover (whichever is higher)2, so this really is something to take seriously.

Due to the nature of MRN’s work, where we are processing special categories of personal data, the trial Sponsor is the Data Controller. They initiate the request for the collection of the personal data and are responsible for everything that happens with it. MRN in this instance is a Data Processor (or a sub-processor if we are contracted via a CRO); we process data on behalf of the Data Controller and we can only do what the Controller has contracted us to do with that data. But in other instances, such as with the personal data of our employees, MRN is the Data Controller, so it’s important to consider all types of personal data that your organization collects.

A lot of the work that our organizations do within clinical trials requires the collection, storage and segmentation of personal data for subjects participating in a study, so the rules and regulations surrounding data security are key for us and should be considered:

1. Ensure all staff can handle, store and transmit personal data securely; whether in electronic or paper form.

2. Ensure all staff understand their responsibilities under the national data guardian’s data security standards, including their obligations to process information responsibly and that they take personal accountability for deliberate or avoidable breaches.

3. All staff complete appropriate annual data security & privacy training and pass a mandatory test.

4. Personal, confidential data is only accessible to staff who need it for their current role and all access is removed as soon as it is no longer required.

5. Processes are reviewed at least annually to identify and improve areas which may have caused breaches or near misses, or which force staff to use workarounds which could compromise data security.

6. Cyber-attacks and potential threats against organizations and their IT infrastructure should be identified, monitored, resolved and ultimately resisted by implementation of appropriate software and applications. Action should be taken immediately following a data breach or a near miss, with a report made to senior management within 12 hours of detection. Reporting to the local data guardian should be done where required.

7. A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses, and it is tested once a year as a minimum, with a report to senior management.

8. No unsupported operating systems, software or internet browsers are installed within your IT estate.

10. IT suppliers are held accountable via contracts for protecting the personal confidential data they process and meeting the national data guardian’s data security standards3.

The clinical trial sector is already heavily regulated and there may be instances where existing legislation such as ICH-GCP contradicts GDPR; this adds another layer of complexity, although in most cases, existing legislation will take precedence over GDPR.

There are a number of organizations who can help and we would recommend getting specialist advice for you and the personal data that you process.

At MRN, we are always working hard to continuously improve our processes and procedures and will be maintaining that up to and beyond May 25th, 2018. Please contact us if you need any additional support from MRN on your GDPR journey.




1 =

2 =

3 =



Posted by:
Toby Heath