Buzzwords and GDPR strategies are flying around as the enforcement date of May 25 approaches. Here are the concrete steps we have taken to nail compliance with the new regulations. And by the way, our flexible platform made the work rather easy.
1. Encrypted data storage
Why? GDPR demands an “appropriate level of security” when it comes to transmitted, stored and processed data. Encryption of data is one example (not a requirement) that legislators have identified as an appropriate level of security. We have taken this advice seriously and encrypted all data at rest.

2. Two factor authentication
Why? GDPR demands an “appropriate level of security”. Sponsors and users can now decide for themselves on the level of security necessary for user authentication in their study.

3. The right to be forgotten – in Viedoc
Why? GDPR states the right to be forgotten, or deleted, from a register or database. The controller, or study sponsor in clinical trials, is responsible for this. We have made it possible for the user to do this in an easy and efficient manner. We have also empowered investigators to decide which studies they want to participate in, protecting their user data.

4. Updated documentation
Why? GDPR requires us to make clear which responsibilities our clients have and where we step in and take responsibility for stored data, clarifying what data is exchanged, the purpose of doing so, how it is handled and what protective measures have been taken. This applies to both the business side (the client agreement) and the user side (the terms and conditions).
Definitions – who is doing what in the world of GDPR?
What kind of data are we talking about?
When it comes to clinical trials, GDPR is all about keeping control of contact and user data from sponsors, CROs and clinical staff. Study data is stored pseudonymised and is collected according to clinical study regulations like GCP, making GDPR applicable only in certain areas.
Controller
The controller is the study sponsor: a biotech company, academia or a pharmaceutical company. The controller owns the data and is therefore responsible for it, but the platform vendor is the controller of the user accounts. Sponsors can’t be controllers of the user accounts, as investigators can work in Viedoc with several different studies for different sponsors and there should generally be only one controller of the specific data.
Processor
Processor is another term that you need to know about. In the world of clinical studies, it’s usually the CRO. The CRO processes the data for the study.
User
Doctors and clinical staff are in most cases the users. They fill in study data, and their own personal data, in the Viedoc platform.
"Viedoc makes building a study easy and fun. It doesn't require extensive coding knowledge; it's quick to get in and start working."