DPO for clinical trials: Protect participants’ data privacy throughout the clinical trial lifecycle



Dr Rachel Finn
- Director, Data Protection & Cyber-risk Services / Head of Irish Operations

Date: 26 August 2020

Clinical trials are research studies performed on people that are aimed at evaluating a medical, surgical or behavioural intervention. Clinical trials recruit participants whose personal and health data is analysed to determine whether a new treatment, like a drug or medical device, is safe and effective for widespread use.

Clinical trials conducted in Europe must comply with the General Data Protection Regulation (GDPR), which outlines clear responsibilities for organisations processing personal data. However, the GDPR has extra-territorial reach. This means that organisations anywhere in the world are subject to the GDPR rules as long as they:

a) process data in the Union (e.g., conduct a clinical trial in Europe)

b) process data about EU residents (regardless of where the clinical trial takes place)

Given the high volume and sensitivity of the clinical trial data, clinical trial sponsors need to consider how their business operations are impacted by the GDPR. However, while clinical trials organisations have expertise in clinical trials and healthcare regulations, they may need support to ensure their compliance with data protection regulations.

What you should consider

In our engagement with clinical trial stakeholders, Trilateral Research has developed a compliance pack, resources, templates and standard processes to ensure that clinical trials comply with GDPR.

In particular, we have found that most organisations need to take actions, including:

  • Appointing a Data Protection Officer (DPO);
  • Conducting data protection impact assessments (DPIAs) of the clinical trial uses of personal data;
  • Designing policies to facilitate the handling of data subjects’ rights;
  • Providing assistance in identifying the appropriate legal bases for data processing;
  • Designing and implementing appropriate data security measures, including anonymisation and pseudonymisation;
  • Drafting policies on secondary uses of research data, such as future research;
  • Updating the data privacy clauses in the clinical trial documentation;
  • Reviewing records management practices, records of processing and data retention policies;
  • Advising on international data transfer mechanisms;
  • Participating in the ethics and/or data monitoring committee;
  • Advising on joint controller and processor relationships with other stakeholders;
  • Verifying the specific national requirements for processing health and genetic data for clinical trial purposes: according to Article 9(4) GDPR, the processing of these data categories may be subject to specific rules under national law.

When is the right time to ask for help?

The sooner the better. Organisations who attend to GDPR requirements early lower their risk profile. In our work with clients, we assist organisations to navigate their responsibilities during the entire lifecycle of clinical trials, including in the following stages:

How we can help

Trilateral specialises in navigating the GDPR standards, turning data protection into an empowering tool for organisations during the entire clinical trial lifecycle, from inception to its final stage. To this end, we provide support to navigate the GDPR standards, obligations and flexibilities. We feel strongly that compliance is not a tick-box exercise and our outsourced Data Protection Officer services build on a risk-based approach and our long-standing expertise in healthcare information governance.

To support organisations in ensuring that adequate data protection safeguards and measures are in place before and during a trial, we have designed a customisable packet of Data Protection Officer (DPO) services. This service is aligned to the EU standards and good practices; it can be accessed at any time during a clinical trial and includes:

  • Outsourced DPO service or tailored DPO support to share responsibility with your internal data protection or legal team;
  • DPO Assist for intense and complicated data protection work;
  • Ad hoc support with complex queries as they emerge (e.g., secondary processing for research purposes);
  • Quick compliance checks and provision of templates;
  • Data protection assessments and design of GDPR action items;
  • GDPR on-boarding checks for health-related projects.

The privacy and data protection of clinical trial subjects is an important part of patient safeguarding. Data protection is an enabler and driver for patient-centred care, as well as positive business impact and organisational growth.

Feel free to get in touch with our Data Protection and Cyber Risk Team, who would be happy to discuss your data protection needs in your clinical trial project.
