Transferring ICSRs outside the EU entails risks in terms of compatibility between pharmacovigilance agreements and the GDPR. Here’s how you can stay compliant using SafetyDrugs.
In a constantly evolving world, the protection of personal data has become a key priority. For pharmaceutical companies, pharmacovigilance activities involve the management of sensitive patient data, making compliance with the General Data Protection Regulation (GDPR) essential. In this article, we will explore the European Medicines Agency’s (EMA) warnings to QPPVs about the risk of non-compliance with the GDPR and how SafetyDrugs offers a solution to ensure compliance.
What is GDPR?
The GDPR, an acronym for General Data Protection Regulation, is a piece of European legislation that came into force on 25 May 2018. Its mission is to harmonize and strengthen personal data privacy laws in all member countries of the European Union (EU).
The main changes it introduced include:
- the need for explicit consent for the collection and processing of personal data;
- the right to erasure, known as the “right to be forgotten”;
- the introduction of rigorous data security measures to protect personal data from the risks of loss, theft or unauthorized access;
- timely notification of data breaches within 72 hours of their discovery;
- the introduction of the DPIA (Data Protection Impact Assessment) to identify and mitigate the privacy risks associated with data processing activities.
ICSR transfer outside of EU: the EMA warnings
The GDPR imposes rigorous requirements on the processing of personal data, and these apply all the more to the data in pharmacovigilance reports, which counts as sensitive data. In this regard, the EMA (European Medicines Agency) intervened and, with a letter addressed to the QPPVs and a related clarification letter, made it clear to all MAHs (Marketing Authorisation Holders) that distributing ICSRs to partners and other stakeholders outside the EU requires compliance with the standards dictated by the GDPR.
In particular, EMA has reported that some companies holding marketing authorizations have transferred the case narratives downloaded from EudraVigilance to third countries in full, without the protection of personal data. EMA has therefore drawn attention to the fact that MAHs are responsible for personal data processing activities in the context of pharmacovigilance, including access and subsequent processing of data contained in ICSRs from EudraVigilance. This involves the obligation to comply with the rules established in the GDPR and national data protection laws, when applicable.
EMA also underlines that the use of SCCs (Standard Contractual Clauses) or SDPCs (Standard Data Protection Clauses) by MAHs is not sufficient to ensure compliance with data protection regulations, in particular those provided for by Chapter V of the GDPR. The impact assessment of the data transfer should be conducted before concluding the SCCs, taking into account the laws and practices of the destination third country.
EMA has also published a list of countries which, although non-EU, provide adequate data protection as assessed by the European Commission.
ICSR transfer outside of EU: how to comply with the SafetyDrugs GDPR Module
Based on the guidance provided by EMA, the SafetyDrugs team has created a new module that can help pharmaceutical companies comply with the rigorous requirements of the GDPR by ensuring privacy compliance in the distribution of pharmacovigilance reports to non-EU countries.
Pharmacovigilance staff will no longer have to worry about mistakenly sending data subject to privacy protection, as the GDPR Module adds the “Under data protection” mode to the safety database, which allows:
Creation of a list of data subject to privacy and setting of automatic rules for protection. The module allows you to create a list of data that must not be transferred outside the EU and set the related protection rules:
- sensitive data such as age, gender, medical history, relevant clinical data and other personal data, such as the health history of family members, can be replaced with the “Masked” nullflavor, where permitted by the ICH R3 rules;
- data relating to the location, such as the country code from the Safety Report ID, the WWN code and the Other case identifier, can be replaced with the wording “EU” or “NONEU” based on the origin;
- name of the medicine, which could reveal information about the location, can be replaced with the name of the active substance. Alternatively, a blank space can be used;
- sections of the narrative, such as comments or additional information, can be replaced with parametric text or blank spaces.
GDPR-compliant XML export and CIOMS generation. ICSRs can be exported in XML R2 and R3 file formats, and CIOMS forms can be generated, with automatic redaction of the data subject to protection. You can also choose whether or not to extract attachments, since they may contain sensitive information.
Receiver management. For each recipient defined as “Under data protection”, it is possible to set the elements that must be masked.
Custom parameterization. In SafetyDrugs you can define the GDPR module settings described above.
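The masking rules and per-recipient settings described above can be expressed as a redaction step applied before export. The following Python is an added illustration, not SafetyDrugs code: the field names, recipient profiles, case ID layout (country code, company, number) and sample case are assumptions constructed for the example.

```python
import copy
import re

# Assumption: "EU" origin means an EU member state (ISO 3166-1 alpha-2 codes).
EU = set("AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT "
         "RO SK SI ES SE".split())
MSK = {"nullFlavor": "MSK"}  # HL7 null flavor code meaning "masked"
# Hypothetical recipient profiles; field names are simplified, not E2B elements.
PROFILES = {
    "partner-eu": {"protected": False},
    "partner-third-country": {
        "protected": True,
        "mask_fields": ["patient_age", "patient_sex", "medical_history"],
        "narrative_text": "Narrative withheld under data protection.",
        "include_attachments": False,
    },
}
# Constructed sample case, not real data.
SAMPLE = {
    "safety_report_id": "IT-EXAMPLEPHARMA-0001234",
    "worldwide_case_id": "IT-EXAMPLEPHARMA-0001234",
    "patient_age": 54, "patient_sex": "F", "medical_history": "asthma",
    "drugs": [{"product_name": "Brandexample 400", "active_substance": "ibuprofen"}],
    "narrative": "A 54-year-old woman from Milan developed a rash.",
    "attachments": ["discharge_letter.pdf"],
}

def mask_case_id(case_id):
    """Swap the leading country code of CC-COMPANY-NUMBER for EU or NONEU."""
    m = re.fullmatch(r"([A-Za-z]{2})-(.+)", case_id)
    if not m:
        raise ValueError(f"unexpected case id format: {case_id!r}")
    return ("EU" if m.group(1).upper() in EU else "NONEU") + "-" + m.group(2)

def redact(icsr, recipient):
    profile = PROFILES[recipient]  # unknown recipient raises KeyError: fail closed
    out = copy.deepcopy(icsr)
    if not profile["protected"]:
        return out
    for field in profile["mask_fields"]:
        out[field] = dict(MSK)
    for key in ("safety_report_id", "worldwide_case_id"):
        out[key] = mask_case_id(out[key])
    for drug in out["drugs"]:
        drug["product_name"] = drug["active_substance"]
    out["narrative"] = profile["narrative_text"]
    if not profile["include_attachments"]:
        out["attachments"] = []
    return out
```

Refusing to export for a recipient with no profile, and rejecting case IDs that do not match the expected layout, keeps a configuration gap from turning into an unredacted transfer.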
How to get the GDPR module
We are excited to introduce this important enhancement to SafetyDrugs to help companies ensure responsible, GDPR-compliant pharmacovigilance. If your company is interested in learning more about the SafetyDrugs GDPR Module, please do not hesitate to contact us. We’ll answer all your questions and walk you through the setup process.