GDPR compliance is first and foremost a matter of actually complying with the GDPR, but it is also a matter of being able to demonstrate that compliance. The GDPR calls this accountability (Article 5(2)).
Codes of conduct are explicitly recognised by the GDPR (Articles 40 and 41) as a way to demonstrate compliance. The Regulation actively encourages them: adherence to an approved code is not only evidence of compliance, but also a signal to any stakeholder that your organization understands what it must do to process personal data lawfully.
A code gives both controllers and processors a recognised way to demonstrate compliance, and it builds trust among stakeholders that the risks of the processing have been identified and addressed.
Processors that do not adhere to the relevant code may simply be passed over as potential business partners. Adhering to a code of conduct is therefore also a matter of brand values and of the promise made to partners and customers.
On March 17, 2021 the European CRO Federation (EUCROF) filed a draft Code of Conduct for Service Providers in Clinical Research for approval with the French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). The aim is a harmonized and trustworthy way for Contract Research Organizations (CROs), which provide outsourced pharma research services, to demonstrate GDPR compliance.
The EUCROF says that “Clinical research is a field with highly specific features, where a number of dedicated Regulations apply, and the vast majority (over 90%) of Service Providers for Clinical Research, also known as ‘CROs’ – Contract Research Organizations – are micro, small and medium-sized enterprises”.
The EUCROF Code addresses the “need for continuous improvement of quality, security and confidentiality management, to foster transparency and create trust, in a technology driven domain with many new players and growing involvement of patients”.
“The EUCROF Code has been designed as a practical tool to enable all CRO organizations to comply with GDPR in a harmonized and acknowledged way across all EU Member states”, says Yoanni Th. Matsakis, chairman of the EUCROF Code Task Force, member of the Board and treasurer.
“This initiative has been a formidable opportunity to engage high quality and fruitful collaborations with many stakeholders of clinical research including patient associations, pharmaceutical laboratories and academic networks. The submission for approval is a major milestone and the beginning of a new phase that will result in the establishment of an independent governance body that will ensure the monitoring of the Code and will be accredited by CNIL” says Dr. Stefano Marini, vice-President of EUCROF.
The EUCROF Code was drafted by a dedicated international task force, including the pharmaceutical industry, patient associations, medical devices companies, and others.
A GDPR research code will help the sector make the most of the GDPR and apply it more effectively when collecting and processing the research data of participants. Controllers and processors who adhere to a code will be able to use it to:
- Follow sector-specific tailored guidance on GDPR compliance requirements
- Address and identify their risky processing activities and understand the suitable mitigation measures
- Support cross-border transfers of personal data outside the EU: under Article 46(2)(e) an approved code, combined with binding and enforceable commitments from the recipient in the third country, can serve as an appropriate safeguard
- Reduce exposure to enforcement action by a data protection authority; adherence to an approved code is one of the factors an authority must take into account when deciding on an administrative fine and its amount (Article 83(2)(j))
- Signal to data subjects and regulators that their processing is GDPR compliant, bearing in mind that adherence is a way to demonstrate compliance, not a substitute for it
- Develop a competitive advantage over other suppliers with a quality mark for data controllers choosing suppliers.
A harmonized approach will be particularly valuable for international research. The current hot topics occupying data protection officers and privacy champions in the research sector could be addressed in a code. For example: what should a privacy notice for participants contain, and what layering is appropriate? How do you determine whether a research organization is a controller or a processor? What are the appropriate roles and responsibilities of the parties in the research supply chain, and how do you pseudonymize research datasets? How do you adequately secure the medical data of participants?
In total, 237 requirements have been specified and listed in this code of conduct. However, the EUCROF also states that “Clearly, a small CRO delivering one single service with limited impact in terms of Data Protection and no dedicated online IT Platform, does not need to comply with all 237 requirements. Compliance to this Code depends on the CRO’s profile defined by the Classes of Services the CRO sells to its Clients”.
Although this code of conduct looks very promising, it will take quite some time before it is formally approved. Because the Code covers processing in several Member States, CNIL must consult the other supervisory authorities concerned and obtain an opinion from the European Data Protection Board before it can approve the Code (Article 40(7)), and a monitoring body must be accredited under Article 41. In the meantime, GDPR compliance in the pharma industry will remain a complex matter involving different legislation and different stakeholders, especially when you work on a multilateral basis across several European countries. A case-by-case approach is required, based on common best practices and following the recommendations of parties such as ethics committees and national medicines regulatory authorities. Even before it is officially approved, the draft Code of Conduct will help shape expectations around GDPR compliance in clinical research.
Vivenics has a proven track record of GDPR compliance work for pharma customers.
Please feel free to contact us to discuss the requirements and possibilities. You can reach us on +31 (0)88 8483 100 or firstname.lastname@example.org. Your first consultation is free of charge.