In early December, the EMA announced that it had been hit by a cyber-attack and that documents related to the Pfizer-BioNTech Covid-19 vaccines had been accessed. The agency issued a brief announcement after the attack to say a full investigation had been launched but provided no further details.
The incident is a reminder to both regulators and companies of the importance of data security and adherence to the General Data Protection Regulation (GDPR), especially for companies transferring data outside the EU, which must adapt their data security systems accordingly.
Over the past year, the focus has largely been on bringing vaccines and treatments to market to address the Covid-19 pandemic. However, as we start to adjust to a post-Covid world, companies – especially those transferring data out of the EU – will need to ensure they understand and adhere to GDPR requirements for clinical trials within the EU.
Questions companies will need to ask include: Do they have the proper change control and access control processes in place? Do they have the appropriate software to detect whether they have been hacked? And for those companies operating in the UK, will data protection requirements stay within the GDPR or will new UK rules be introduced, and what new measures must they put in place to remain in compliance?
With so many complexities to consider, it is incumbent on companies to select an experienced data protection officer (DPO) to ensure compliance with the GDPR: for example, that every informed consent protocol for clinical trial subjects includes a suitable GDPR statement, that the GDPR is observed when information about clinical trial investigators is included, and that all data management plans are followed.
There are other complexities that companies must consider when it comes to the GDPR and data protection. Although it is an EU-wide regulation, it is implemented differently in each country within the EU. For example, Germany has regional supervisory authorities in addition to a federal authority, meaning a study in one part of the country may have a different way of interpreting parts of the GDPR than one elsewhere in Germany.
Therefore, the DPO that a company works with needs to be able to adapt the advice based on these differences, and that requires the support of an experienced team of lawyers and clinical research experts.
As data privacy becomes a growing priority globally – for example, with the introduction of new data protection laws in China, India and Australia – life sciences companies will need to ensure they have the processes and technologies in place to meet current and future requirements.
To help you stay abreast of regulatory changes, our Regulatory On-Call service provides personalised responses to your ad hoc regulatory enquiries on a monthly retainer; get in touch for more information. Also look out for the other blogs in this series on Medical Devices, MHRA Guidance on Orphan Drugs and the Clinical Trial Regulation (CTR): work programmes that have not gone away but may have drifted from focus in the current environment.