This article will focus on electronic data capture (EDC) software services. Nonetheless, CROs and sponsors have comprehensive regulatory work ahead in order to comply with the GDPR and need to contract expertise immediately if they do not have it in-house.
Health information collected from subjects falls into the ‘special category’ of data defined in the GDPR. In clinical trials, subjects’ physical identities are pseudonymised using a unique identification code, but the data are still considered to be in this ‘special category’ of sensitive data under the GDPR because pseudonymised data allow for re-identification. This applies even when the code envelope is locked in a safe with only one person maintaining the key code.
When it comes to EDC systems, there are several security measures to take into account. Some may require deep re-engineering of the software and some may be easier to implement, depending on the architecture of the software and how it is designed. Because software development for clinical trials takes place in a regulated environment, where qualification of the service is mandatory and time-consuming, implementing new features may take months or even a year to complete.