gdpr clinical trial data

How GDPR and Other Privacy Laws Impact Clinical Trial Data

Clinical research has long been supported by important privacy regulations.


In Europe, the General Data Protection Regulation (GDPR) has become the gold standard for protecting the private lives of individuals. Several countries have passed their own laws that offer even further protections to citizens. At the same time, there is not complete overlap between the regulations that already guide the clinical research field and the principles outlined in the GDPR.

This makes compliance challenging, especially when clinical research crosses international borders. In decentralized trials, for example, when synchronous research can take place across different continents, regulations like GDPR could increasingly affect the use and collection of trial data, as well as patient engagement.

Below are a few key considerations clinical research professionals should keep in mind as they navigate international trials to which patient privacy laws apply.

Is GDPR Applicable to a Clinical Trial?

GDPR applies to any clinical trial that collects personal data from citizens of the European Economic Area (EEA). That means citizens of all 27 European Union countries plus Norway, Liechtenstein and Iceland.

Note that this is not limited to trial participants. GDPR also applies to a study when investigators or CRO employees are EEA citizens.

At the same time, the European Union has a separate law, Clinical Trials Regulation (CTR), that governs some aspects of how clinical trial data is analyzed and stored. There is an interplay between GDPR and CTR that will inform many of the questions below.


What Can Researchers Do With Past Clinical Trial Data?

EU law identifies two distinct uses for clinical trial data: primary use and secondary use.

  • Primary use refers to “processing operations related to a specific CT protocol during its whole lifecycle (from the beginning of the trial until the end of the archiving period),” the team at training company ECA Academy writes.
  • Secondary use describes instances in which data from an older trial is used again for new research purposes.

This is where consent and re-consent come into play, and the European Commission Directorate-General for Health and Food Safety has helpful guidance on the matter.

If a researcher intends to use a participant’s personal data “for further research outside the protocol of the [clinical trial],” and that participant is subject to GDPR jurisdiction, then the sponsor or the investigator must inform that person of this use of their data, the ECA Academy team writes.

If the initial consent given by the participant fulfills the requirements of GDPR, then re-consent may not be required. The law appears to put the onus on the data controller to make this decision. If re-consent is necessary, GDPR compels the researchers to take the following into account:

  • That the personal data collection is for explicit and legitimate purposes.
  • That the participant’s consent was unambiguously informed and freely given.
  • That the participant has the right to withdraw consent at any time.

In practice, this means it could be useful to ask for consent twice. Ask participants whether they consent to the primary use of their personal data, then ask participants again — with an entirely new consent form — whether they consent to the legitimate future use of their personal data.

Further, be prepared to ask for consent on several different levels. As the team at TMF University writes, “GDPR mandates that consent must be ‘granular’, meaning that the data subject can choose to what extent their data is processed.”

Clinical research teams therefore need to be ready to ask for consent (and re-consent) for various data use cases. Researchers and companies are currently working on novel, dynamic methods for managing participant consent. For example, University of Applied Sciences and Arts of Western Switzerland researcher Davide Calvaresi is the corresponding author on a 2020 paper in which he and his colleagues propose a blockchain-based system for collecting and managing dynamic, granular consent.

Expect privacy laws like GDPR to spur new tech innovations in clinical trials over the next several years.


What Do GDPR and CTR Mean for Sponsors?

GDPR shifts the responsibility for compliance somewhat. The law “allows for the appointment of joint data controllers, and also imposes obligations on data processors (i.e. CROs, investigators or statisticians),” attorneys Richard Dickinson, Jackie Mulryne and Zoe Walkinshaw write at Clinical Trial Arena. Processors and controllers share the responsibility for compliance.

When trials fall under GDPR, “it is the obligation of the data controller (sponsor/clinic-institution of the investigator) to implement the appropriate technical and organisational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the data protection rules,” according to the Directorate-General for Health and Food Safety’s guidance.

The CTR goes further, requiring the sponsor/investigator to:

  • Report the trial’s results.
  • Perform the safety reporting.
  • Archive the clinical trials master file for 25 years.

Further, the sponsor is subject to inspections by individual member states of the European Union, and national law prescribes how long the medical files for individual participants must be archived.

How Does GDPR Impact Decentralized Clinical Trials?

At the moment, GDPR and data protection rules are leaving clinical researchers somewhat hesitant to fully embrace decentralized trials.

In July 2020, Daniel Chancellor, the director of thought leadership at Pharma Intelligence, presented the findings of an industry survey that found “regulatory acceptance” and “data protection and privacy” were the two most-cited hurdles to running a decentralized clinical trial. Respondents widely said they wanted more guidance on how data privacy laws affect decentralized trials.

Compliance complexities can emerge quickly when a trial falls under GDPR jurisdiction. If the eCRF database is hosted in the United States, for example, sponsors may still need to implement “appropriate technical and organisational measures to ensure and be able to demonstrate that the personal data are processed in accordance with the data protection rules (Article 24 of GDPR),” if that law is applicable, according to the Directorate-General for Health and Food Safety.

That law is applicable to controllers outside of the EU “if the processing activities are related to data subjects in the EU,” the ECA Academy writes. In such cases, the Directorate-General’s guidance suggests sponsors achieve this via their contracts with and audits of subcontracted parties.

Privacy and GDPR in Clinical Research and Data Management

Our industry is perhaps the most advanced of all in understanding how to safely handle sensitive personal data. Medical privacy has been at the core of trial participation for a long time.

As data privacy becomes a greater issue, touching various aspects of life for everyone, we must endeavor to remain compliant and maintain our position at its vanguard.

Want to stay up to date with our news?

To top