Data Protection Officer Outsourcing
Pharma IT has extensive experience in assisting various Biotech companies in ensuring GDPR compliance when conducting Clinical trials in the EU.
Smaller companies often do not need a full time resource for Data Protection Officer, and internal resources will have to spend some time ensuring they are fully up to date with the latest legislation and guidelines.
The DPO position will not be in line with the company’s core capabilities and it could be difficult to find a person with the right level of expert knowledge and avoid conflict of interest when the DPO is asked to perform other tasks as well. Furthermore, a scalable setup could probably better accommodate for the requests coming from external parties and authorities.
On that basis it is Pharma IT’s recommendation that small and medium size Pharmaceutical and Biotech Companies outsource their Data Protection Officer. As most Pharmaceutical and Biotech Companies are involved in clinical trials where personal data concerning health is processed the appointment of a Data Protection Officer is most likely required. Personal health data could also be processed in other processes in the company as well and regardless of where this happens a Data Protection Officer could be involved. For companies only running clinical trials in phase 1 and 2 an individual assessment should be made, for companies running trials in phase 3 or later the appointment of a DPO will most likely always be required.
It should be noted that even though the clinical trial is conducted by a 3rd party/Clinical Research Organization (CRO) – a data processer – it is still the initiator of the clinical trial – the data controller – that must ensure that a Data Protection Officer is appointed.
According to the regulation the Data Protection Officer shall be designated based on professional qualities and should have expert knowledge of data protection law and practices. Furthermore, the Data Protection Officer must perform the following tasks:
- Advise on processing of data
- Monitor compliance via awareness-raising, training and audits
- Advice regarding “Data protection impact assessment”
- Cooperate with supervisory authority
- Contact point for the supervisory authority
- Contact point for Data subjects
- Assisting ensuring correct sufficient safeguards on data protection for the data to be prosed by It-Service venders or transferred internationally. Among others e.g. Data Processing Agreements (DPA) and Standard Contractual Clauses (SCC).
The data protection officer may also fulfil other tasks and duties if there is no conflict of interests.
In small and medium size companies the area of data security and data protection is seldom a full-time position due to the size and complexity of the company. When offering a security and data protection position it will be hard to attract the right level of expertise and knowledge. Should the company offer a full time position the responsible person will have to perform other tasks which can create a conflict of interest in the work being performed, especially in respect to monitoring and performing audits. Furthermore, level of work related to cooperating with authorities, number of contacts from data subjects is very uncertain and therefore a scalable setup might be of preference.
Pharma IT can provide Data Protection Officer (DPO) as a service and Pharma IT can provide a scalable team with expert knowledge within Pharma and Biotech processes to handle the various requests that might come from authorities and data subjects.
Our DPO’s are certified in General Data Protection Regulation, they are certified in Certified Information Privacy Professional/Europe (CIPP/E) and they have relevant experience from working with security, personal data and compliance within the Pharmaceutical and Biotech industry.
Please contact us if you want to know more.