Please keep in mind that these studies require prolonged time for approval, average 3 months.
Many European countries require compliance with General Data Protection Regulations (GDPR).
If you are collecting any personal data (not just health or medical information) from any of these countries, you must follow GDPR guidelines.
CHCO cannot support research that requires you follow GDPR regulations and therefore, CHCO researchers are not able to do research in GDPR countries.
COMIRB and CU have a process in place for reviewing studies with GDPR implications, which is rather involved, so you should begin discussing a global research endeavor with COMIRB as soon as possible to avoid greater delays in getting the study off the ground.
COMIRB has a separate review committee that meets once every other week to discuss GDPR projects – This is separate from COMIRB review and you can begin this process as soon as you have a protocol and a general idea of the study and the data you will be collecting. The project may be discussed at multiple GDPR committee meetings, so this can be a lengthy process. The GDPR committee review and approval needs to happen before COMIRB will review/approve the project.
If you are affiliated with CHCO, you still need to follow the same guidelines as you normally would, which typically means you must submit the study through the Human Subject Research Portal before you can submit the study for COMIRB review. This will trigger any necessary CHCO reviews. Since CHCO does not meet GDPR compliance, they will review the study and then send you the approval that states they cannot support the study but you are free to submit the study to COMIRB for review, and this does not affect your ability to move forward with the research. You will submit this “approval” from CHCO with your COMIRB submission (and again, ideally the GDPR committee will have already been reviewing the project while you are waiting to obtain the formal CHCO approval).
A member of the GDPR committee will create a SOP that will outline the rules that must be followed, especially regarding the handling of the data. The PI of the study will need to review and sign the SOP and a copy of this will be submitted back to the GDPR committee as part of the review process. All members of the study team will also need to review the SOP, so I recommend having all members of the team review and sign the SOP and keep copies of those in the regulatory binder.
Of note, no data related to a GDPR project can be saved on a CHCO system as they do not meet GDPR compliance. Data must be stored on CU Anschutz SOM Isilon Server.
The consent process is more strict for GDPR projects and requires some different GDPR compliant language. COMIRB will edit everything to make it compliant.
All members of the study team will have to complete additional CITI trainings specific to GDPR compliance - The first module (“GDPR Overview”) of the CITI “GDPR for Research and Higher Ed” course. Once this is done send an email to privacy@cuanschutz.edu telling them you have completed the required CITI trainings, and let them know the title, COMIRB#, and PI of the study you completed the trainings for.
Additional information can be found HERE.