Healthtech: what is at stake with personal data protection compliance – part 1

27 June 2025

Any HealthTech entering the clinical development phase must ensure oversight of the regulatory compliance of its clinical research activities, in a context of extensive outsourcing and delegation of part of its responsibilities, even though it remains accountable as sponsor vis-à-vis the regulator and the authorities.

The compliance framework involved includes GxP, as well as the protection of sensitive personal data and information security.

Maintaining control over quality, the safety of research participants, the security of data and information, and risk is a major challenge for a management team, because of the complexity of the processes involved and the large number of stakeholders.

For a Biotech or Medtech company in startup mode, the organisation must gradually structure itself and implement a management system. This system must be designed to support the increasing maturity of the study conduct and oversight processes, and thus guarantee the right level of control, rigour and formalism. If it is in place sufficiently in advance of the preparation of the first clinical study, it will support a “Quality by Design” approach, suited to ensuring both quality and operational efficiency.

The same applies to the management of data privacy (Privacy by Design) and the management of information security (Security by Design). But these areas do not completely overlap with that of quality:

  • Their scope is potentially different. Personal data and information other than those processed in clinical studies may be involved and may become a critical issue, particularly in view of a due diligence review or an audit.
  • While management must, in all cases, be risk-driven, the nature of these risks (threats, impacts, and targets) may be different.
  • Each domain has its own specific set of applicable laws, regulations, and standards.


In our practice as DPO for clinical research, we encourage multidisciplinary and pragmatic thinking with our peers responsible for quality and information security, in order to take into account the interactions between the three areas (GxP, data protection and information security) when designing the management system.
