
Data Protection Part 3: Key Considerations for Clinical Trial Recruitment

With the advent of the EU’s General Data Protection Regulation (GDPR), individuals have expanded rights to information about how their personal data is used. These changes affect several aspects of clinical trial recruitment and may require sponsors and CROs to update their data collection and protection protocols and their processes for informed consent.

Consent for Processing

While CROs are already familiar with the concept of consent, it must be clearly understood that informed consent to participate in a clinical study is separate and distinct from consent to the processing of personal data. In this blog, we focus on the latter.

Article 7 of the GDPR sets out the conditions for consent and strengthens them, most notably by requiring that any request for consent be presented in a clear, intelligible and easily accessible form, in plain language, and that withdrawing consent be as easy as giving it.

Notably, Article 6 of the GDPR mandates that processing of personal data may be undertaken only if the data controller has a legal basis for the processing. Apart from consent of the individual, legal bases permitted under the GDPR include processing necessary for:

  1. Performance of, or entry into, a contract with a particular data subject
  2. Compliance with a legal obligation to which the data controller is subject under EU or member state law
  3. Protection of the “vital interests” of the data subject or of another natural person
  4. Performance of a task in the public interest or in the exercise of official authority vested in the data controller
  5. The purpose of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

Further to this, where sponsors and CROs process “special categories” of personal data, colloquially referred to as sensitive personal data, a condition from Article 9 is required in addition to the Article 6 legal basis. Health data is a special category, and clinical trial data almost invariably includes it. Traditionally, this has meant that, in the context of a clinical trial, the explicit consent of the patient is obtained before any personal data is collected. The privacy notice contained in the informed consent form must clearly state what data is being collected and why, where it is transferred to, who processes it, what it is used for, and what risks are involved. This allows the trial participant to make an informed choice about whether to give consent for processing.

A provision of the GDPR, Article 9(2)(j), allows special category data to be processed for scientific research purposes without relying on consent. In that case the individual’s consent is no longer required, and may not even be desirable, because consent under Article 7 can be withdrawn at any time. If a clinical trial provider relies on consent as the legal basis for processing, then once that consent is withdrawn there may be no legal basis for continued processing. In addition, where consent is the legal basis, it is not permissible to restrict participants’ right to access their personal data at any time.

At present, only a handful of countries across Europe, most notably the U.K., have enacted the national legislation needed to rely on this research derogation, so the “non-consent” option is not available everywhere. Sponsors and CROs should keep abreast of developments in each EU member state in which they operate.

Access to the Data Protection Officer

Per Article 37 of the GDPR, sponsors may be required to appoint a data protection officer. A DPO is mandatory if the sponsor:

  1. Is a public authority or body
  2. Has core activities that consist of processing special categories of personal data (or data relating to criminal convictions) on a large scale
  3. Has core activities that consist of regular and systematic monitoring of individuals on a large scale

Unfortunately, the GDPR does not define “large scale,” so the term is subject to interpretation. While some member states have provided guidance, the definition is not consistent across countries, and some, for example Germany and France, have gone a step further and required sponsors to have a DPO. Sponsors who are unsure whether they need a DPO should consult their legal counsel.

If a DPO is required, his or her contact details must be published and communicated to the relevant supervisory authority in each territory concerned. One question that should be addressed is whether the DPO can be named in the informed consent form so that study participants can contact him or her directly. If a sponsor does not have processes in place to maintain the blind when a patient makes contact, it may be reluctant to put the DPO’s details in the ICF. This may not be acceptable to certain ethics committees, and under such circumstances alternative arrangements must be devised.

Data Management

The GDPR concepts of pseudonymization and anonymization are also crucial for clinical trial conduct.

  • Pseudonymization is defined in Article 4(5) as the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that the additional information is kept separately and protected by technical and organizational measures. Pseudonymized data that can still be attributed to a study participant using that other information remains personal data and must be handled accordingly
  • Anonymization is not defined in the GDPR’s articles, but Recital 26 describes anonymous information as data that does not relate to an identified or identifiable person, or has been rendered such that the person is no longer identifiable, taking into account all means reasonably likely to be used. Only genuine anonymization takes data outside the scope of the GDPR

These terms should be distinguished in clinical trial protocols. In nearly all trials, study results that are coded should be considered pseudonymous, not anonymous, because the site has the key to the patient ID codes, making the data identifiable.
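To make the distinction concrete, the following is an added Python example, not code from the original post or from any sponsor’s system. It assumes a hypothetical site-held secret used to derive subject codes with HMAC-SHA256, a key table that stays at the site, and constructed sample records; none of these come from the page.

```python
"""
Coded (pseudonymous) versus anonymized trial data.

Added illustration, not part of the original post. All names, keys and
records below are constructed for the example.
"""
import hashlib
import hmac
from datetime import date

# Constructed sample source records (not real patients).
SOURCE_RECORDS = [
    {"screening_id": "SCR-0001", "name": "Alice Example", "dob": "1975-03-14",
     "postcode": "SW1A 1AA", "email": "alice@example.test", "hba1c": 7.9},
    {"screening_id": "SCR-0002", "name": "Bob Example", "dob": "1982-11-02",
     "postcode": "EH1 1YZ", "email": "bob@example.test", "hba1c": 6.4},
]

# Fields that directly identify a person and are removed from the coded dataset.
DIRECT_IDENTIFIERS = ("name", "email", "screening_id")


def subject_code(site_key: bytes, screening_id: str) -> str:
    """Derive a stable subject code from the site's secret key (hypothetical scheme).

    HMAC rather than a plain hash, so that someone holding only the coded data
    and a list of screening IDs cannot recompute the mapping without the key.
    """
    digest = hmac.new(site_key, screening_id.encode(), hashlib.sha256).hexdigest()
    return "SUBJ-" + digest[:12]


def pseudonymise(records: list[dict], site_key: bytes) -> tuple[list[dict], dict]:
    """Return (coded_records, key_table).

    The key table is the 'additional information' of Article 4(5): it is held
    by the site, separately from the coded data sent to the sponsor/CRO.
    """
    coded, key_table = [], {}
    for rec in records:
        code = subject_code(site_key, rec["screening_id"])
        key_table[code] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        coded.append({"subject_code": code,
                      **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return coded, key_table


def reidentify(coded_record: dict, key_table: dict) -> dict:
    """Re-attribute a coded record using the site's key table.

    Because this succeeds for whoever holds the key table, the coded dataset is
    still personal data. Without the table a KeyError is raised.
    """
    identity = key_table[coded_record["subject_code"]]
    return {**identity, **{k: v for k, v in coded_record.items() if k != "subject_code"}}


def age_band(dob_iso: str, on: date = date(2019, 1, 1)) -> str:
    """Generalise a date of birth to a ten-year age band (fixed reference date for reproducibility)."""
    dob = date.fromisoformat(dob_iso)
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def anonymise(records: list[dict]) -> list[dict]:
    """Drop direct identifiers and the code, and coarsen quasi-identifiers; keep no key.

    Caveat: generalisation alone does not guarantee anonymity for a small
    dataset; a real release would also check uniqueness (e.g. k-anonymity)
    against the means reasonably likely to be used to re-identify.
    """
    return [{"age_band": age_band(rec["dob"]),
             "region": rec["postcode"].split()[0],   # outward postcode only
             "hba1c": rec["hba1c"]} for rec in records]


if __name__ == "__main__":
    key = b"site-secret-held-only-at-the-site"  # constructed, not a real key
    coded, table = pseudonymise(SOURCE_RECORDS, key)
    print("coded (sent to sponsor):", coded[0])
    print("re-identified (site only):", reidentify(coded[0], table))
    print("anonymised:", anonymise(SOURCE_RECORDS)[0])
```

The point the code makes is the one the paragraph above makes in prose: as long as anyone in the chain (here, the site) holds the key table, the coded dataset is pseudonymous and remains personal data; only the output of `anonymise`, which keeps no code and no key, is a candidate for treatment as anonymous.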

Data Transfer

Under Chapter V of the GDPR (Articles 44 to 49), when a sponsor transfers personal data of individuals in the EU to a location outside the European Economic Area, the level of protection guaranteed by the GDPR must not be undermined by the transfer. To send data from the EU to a sponsor outside the EEA, there must be a lawful transfer mechanism as described in Chapter V. These transfer mechanisms include:

  • Standard contractual clauses approved by the European Commission (Article 46). Of note, data protection authorities expect organizations to enter into these clauses for each new purpose of processing
  • The EU-U.S. Privacy Shield Principles, if the sponsor is based in the U.S. and has self-certified. Only organizations subject to the enforcement authority of the U.S. Federal Trade Commission or Department of Transportation are eligible to participate in this program, and the U.S. Department of Commerce publishes the list of certified organizations. Of note, at the time of writing the Privacy Shield was being challenged in the Court of Justice of the EU; the Court subsequently invalidated it in July 2020 (Schrems II, Case C-311/18), so it can no longer be relied on for transfers
  • Binding corporate rules, which are legally binding internal rules for data transfers within a multinational company or among a group of enterprises engaged in a joint economic activity
  • Transfer to a country that has received an adequacy decision from the European Commission, declaring that the third country’s data protection regime provides an essentially equivalent level of protection; e.g., Switzerland

In addition, when study participants consent to providing their personal data to a sponsor, the consent form must tell participants that their data will be sent outside the EEA and under which safeguard.

As clinical trials become increasingly global, a major challenge of complying with the GDPR lies in capturing all of the global processing in a data map and ensuring that each leg of data transfer is legal.

Patient Advocacy

There is an increasing drive in the industry to improve patient recruitment by offering more patient advocacy services. Sponsors considering patient advocacy efforts will need policies and procedures describing how they segregate identifying data such as patient name, location and contact information. It must be very clear that no one on the project team, or anyone else with access to patient-level trial data, can have access to the emails that might be received. Sponsors may want to use a third party to receive these contacts if they have no one suitable in their own organization.


Compliance with GDPR is a significant undertaking, particularly for specialty pharma and biotech companies with limited resources. Noncompliance can be costly in terms of clinical trial progress and heavy financial penalties. It is, therefore, essential for sponsors to identify trusted partners who can help ensure that all aspects of clinical trials — and the data handling involved — are executed to the most recent regulatory standards.

Data Protection Part 1: Understanding How GDPR Affects Clinical Trials

Data Protection Part 2: Ensuring Study Start-Up Compliance With GDPR

Note: This material is provided for informational purposes only and not for the purpose of providing legal advice. If you are unsure whether the GDPR applies to a particular study or scenario, we suggest consulting with legal counsel for guidance.