It’s all talk. Here is how Viedoc walks GDPR
The buzzwords and GDPR strategies are flying around as the May 25 enforcement date approaches. Here are the concrete steps we have taken to nail compliance with the new regulation. And by the way, our flexible platform made the work rather easy.
1. Encrypted data storage
We have always encrypted data in transit, whenever it is sent or received. But we felt that was not enough. We have now chosen to also encrypt the data at rest, when it is stored in our data centers.
Why?
GDPR demands an “appropriate level of security” for transmitted, stored and processed data. Encryption is one example (not a requirement) that legislators have identified as an appropriate level of security. We have taken this advice seriously and encrypted all data at rest.
2. Two-factor authentication
From now on, sponsors can enforce two-factor authentication for logging into Viedoc. The second factor is a confirmation code delivered either by e-mail or by SMS, making it harder for unauthorized people to access data in Viedoc.
Why?
GDPR demands an “appropriate level of security”. Sponsors and users can now decide for themselves the level of security necessary for user authentication in their study.
3. The right to be forgotten – in Viedoc
We are now empowering Viedoc users to control who can see the personal information stored as part of every user account. Users can now delete their own study membership and their user account. Certain study management roles are also able to delete the data from a completed study. All of this was previously a manual and time-consuming process and can now be done in a couple of clicks.
Why?
GDPR establishes the right to be forgotten, that is, to be deleted from a register or database. The controller, or the study sponsor in clinical trials, is responsible for this. We have made it possible for the user to do this in an easy and efficient manner. We have also empowered investigators to decide which studies they want to participate in, protecting their user data.
4. Updated documentation
We have created a new client agreement, including an appendix regulating data processing and data privacy, and we have added new terms and conditions and a privacy policy to the user agreement.
Why?
GDPR requires us to make clear what responsibilities our clients have and where we step in and take responsibility for stored data: what data is exchanged, the purpose of doing so, how it is handled and what protective measures have been taken. This applies to both the business side (the client agreement) and the user side (the terms and conditions).
Definitions – who is doing what in the world of GDPR?
What kind of data are we talking about?
GDPR is – when it comes to clinical trials – all about keeping control of the contact and user data of sponsors, CROs and clinical staff. Study data is stored pseudonymised and is collected according to clinical study regulations like GCP, making GDPR applicable only in certain areas.
Controller
The controller is the study sponsor: a biotech company, an academic institution or a pharmaceutical company. The controller owns the data and is therefore responsible for it, but the platform vendor is the controller of the user accounts. Sponsors cannot be controllers of the user accounts, as investigators can work in Viedoc on several different studies for different sponsors, and there should generally be only one controller of any specific data.
Processor
Processor is another term that you need to know. In the world of clinical studies it is usually the CRO, which processes the data for the study.
User
Doctors and clinical staff are in most cases the users. They fill in study data, as well as their own personal data, in the Viedoc platform.