4 min read

Writen by Zlatko Delev

Posted on: February 3, 2022

How does GDPR Affect Clinical Trials?

How GDPR impacts the clinical trials industry?

The increasing use of the internet, electronic records, and the advancement of clinical trial technologies enabling the collection and use of data, has no doubt played a big part in creation of the GDPR. Big data is becoming increasingly important in clinical research, which also poses new challenges for data security and privacy.

Clinical trial data is considered a “special” data category whereby processing is necessary for scientific or research purposes. The data subject gives their explicit consent for the collection of these categories of data. When a volunteer, patient, or subject signs the informed consent it will clearly state what data is being collected and why. This special data category negates the subject’s right to erasure, or portability which makes sense as clinical data cannot be removed from the dataset without an audit trail as well as that changing the statistical trial outcome.  Subjects can only leave a trial to prevent additional data collection.

The GDPR aims to strengthen the rights of individuals to be better informed about how their data is to be used and sets out clearer responsibilities and obligations on healthcare professionals and companies using such data. Transparency, security, and the accountability of Data Controllers is paramount. Clinical trial providers must identify the data that is being processed, where it is transferred to, who processes the data, what it used for, any risks and processes, and ensure all employees are trained.

Many of the responsibilities and obligations defined by GDPR are not new for companies in the Clinical Research sector, including that of consent. Within GDPR, the conditions for consent have been strengthened-most notable is that any request for consent must be given in a clear, intelligible, and easily accessible form, with the purpose for data processing attached to that consent. Consent must be distinguishable from other matters and use plain language. It must be as easy to withdraw consent as it is to give it. The clinical trial world already lives and breathes by informed consent. Going forward, however, clinical trial organizations must ensure that any informed consent document clearly states the intended logistics of any data collected.

How GDPR affects clinical trial providers

For clinical trial providers, the new regulations not only cover those participating in clinical trials, but also employees, customers, and subcontractors. A clinical trial provider is a processer from a customer perspective but also a controller of data in terms of personnel, sales, and sub-contractors. As a consequence, clinical trial companies have obligations to make sure that rules are in place and followed.

For clinical trial operators, data impact assessments will be crucial, for both electronic and hard copy data. Comparable to risk assessments for a data stream, it should cover what the data is used for, how it is managed, and what action is needed. There is also a defined role within the GDPR called the Data Protection Officer-a named person within the organization, registered with the data protection authorities in specific territories. This individual acts as the interface between organizations and the company and would be involved if there are any data breaches.

Another crucial part of the GDPR for clinical trials is the concept of pseudonymization and anonymization. The GDPR defines pseudonymization as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” Therefore, any pseudonymized data that could still be attributed to a trial participant using other information will be considered personal data. The terms should be distinguished in trial protocols, as only the anonymization of data will ensure that the data is no longer considered to be personal data.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy