EDC (electronic data capture) systems should provide a multifactor authentication service in order to comply with the GDPR. The ‘rule of thumb’ is that user authentication relies on ‘one thing you know and one thing you have’: normally a combination of username and password plus a token from either a mobile app or a dedicated device. But which EDC systems provide this feature today?
Since the present Data Protection Directive already regulates strong authentication in a similar way (although it has been adapted differently in national laws), most, if not all, trials conducted in the EU are in breach of this requirement today.
For instance, in 2015 the Swedish Data Protection Authority reviewed four ongoing clinical studies; a key finding was the noncompliant use of single-factor authentication, and the sponsors were issued an injunction.