Watching the State of Clinical Trial Data Compliance

By Joe Stanganelli

June 11, 2024 | Until relatively recently, clinical-trial submissions in the EU had to be made separately to each applicable member-state’s authority. The process was inefficient and laborious, resulting in a lot of complaints from clinical-research organizations. 

On January 31, 2022, the EU Clinical Trials Regulation (“CTR”) came into effect. Perhaps the primary effect of this is that it introduced a platform called the Clinical Trials Information System (“CTIS”)—eliminating this inefficiency. 

“CTIS enables you to make an application for up to 30 countries,” Robert Masson, CEO of the DPO Centre, told an audience at April’s Bio-IT World Conference & Expo. “[It] massively accelerates the submission process.” 

This does not represent a wholesale centralization of the clinical-trial regulation in the EU, however. Masson took care to point out in his educational session on the state of European data-protection laws that EU member-state regulatory authorities still process clinical-trial applications on their own—and can even request supplementary information separately. 

Masson also noted that participation in CTIS is—or soon will be—mandatory. It became required to submit new clinical-trial applications through CTIS on January 31, 2023, after a one-year grace period. Active trials, on the other hand, have been granted a three-year grace period; life-science organizations will have to start recording them in CTIS by January 31, 2025. 

Arguably, this date doesn’t loom as large as, say, May 25, 2018—the effective date of the EU’s sweeping General Data Protection Regulation (GDPR)—once did. Masson said that most organizations not already in CTIS compliance have been in the process of transitioning to CTIS anyway. But for those that aren’t well on their way, Masson underscored that they have less than a year left to familiarize themselves with CTIS and get on board. 

Monitoring and Transparency 

This mandate to participate in CTIS is probably not entirely motivated by paternalistic altruism. 

“CTIS also enables centralized monitoring,” Masson told Bio-IT World in an onsite interview after his session. “You will be putting trial data as the trial progresses into CTIS so that regulatory monitoring can be happening as well.” 

It’s about more than providing a regulatory view, too. CTR is specifically designed to heighten public transparency, allowing for a public interface into clinical-trial data (while protecting clinical-trial subjects’ private data). Indeed, in October 2023, the European Medicines Agency (EMA) revised CTIS’s transparency rules to improve access to clinical-trial data for stakeholders and the public at large—including the removal of a deferral mechanism that would have made it easier for sponsors to conceal clinical-trial data for years. 

Transparency is also critically important in the clinical-trial context insofar as it is one of GDPR’s six fundamental principles. 

How CTR and GDPR Intersect 

According to Masson, the data-protection officers (DPOs) that GDPR mandates organizations have are taking on new significance in the context of clinical trials. 

“Once a [clinical] trial is complete, the DPO’s involvement is going to depend on whether the trial was a success or otherwise,” said Masson. “If it is a success and the sponsor is looking to sell the IP, the DPO is going to be involved… If they plan to bring [the therapeutic] to market, the DPO will be involved in the marketing of assets—especially if the assets include any of the trial participants’ [data].” 

To be clear, CTR does not itself directly mandate DPOs’ participation in the CTIS process. GDPR, however, mandates that DPOs ensure GDPR data-protection and data-privacy compliance regardless of context. For the most part, this means taking a holistic approach to the privacy of subjects, prioritizing general principles of data privacy and data protection. For Masson, this is effectively about obeying the spirit of the law if not the letter. 

“GDPR is a principle-based regulation,” said Masson. “If you are complying with the principles, you are essentially complying with the law.” 

But at the same time, clinical trials present a special case because of the heightened sensitivity of the kind of data they control and process. Thus, the data is subject to heightened GDPR-compliance requirements. 

“Trial data is considered ‘special category’ data [that] demands greater protections,” said Masson. “Controllers are under a strict obligation to protect and secure that data throughout its entire lifecycle.” 

Moreover, those data will necessarily include the informed-consent forms that clinical-trial participants are required to complete. These have some degree of added significance when considering GDPR’s requirements because data controllers are required to identify the lawful basis for processing a given set of data—and consent represents one of those lawful bases. 

At the same time, however, the informed consent to participate in a clinical trial is technically unrelated to the informed consent to allow data collection. 

Masson acknowledges that alternative recognized lawful bases for data processing under GDPR—such as public interest or the controller’s legitimate interest—might be more appropriate for a data controller to use than consent is. 

“It’s going to depend on the type of organization you are, the data you’re collecting, and the reasons why you’re collecting [them],” said Masson. “[There is] significant difference in opinion on what the most appropriate basis to use is.” 

Either way, to the extent transparency is a fundamental principle of both GDPR (as well as CTR), Masson pointed out that the law “requires you to be clear, open, and honest with trial participants from the start about how and why you wish to use their personal data.”