Research, Innovation, and Compliance in the EU and UK: A Data Privacy Roadmap

Rob Masson, CEO, The DPO Centre

Collection of sensitive personal data is a cornerstone of clinical research involving drugs and medical devices. However, if the personal data relates to European Union (EU) or United Kingdom (UK) residents, this raises particular legal and compliance issues due to the General Data Protection Regulation (GDPR). Securing, anonymizing, and transferring personal data is complex and challenging in these regions, especially when there is a need to share personal data with vendors and research partners in multiple jurisdictions.

“Many sponsors in the United States incorrectly believe that the GDPR does not apply to them because they are not based in Europe and they see only coded data,” says Rob Masson, CEO of The DPO Centre. “This confusion is partly due to the Health Insurance Portability and Accountability Act (HIPAA) not considering pseudonymized data to be personal data. However, under the GDPR, the definition of personal data includes any data relating to an individual that are either directly or indirectly identifiable. This therefore applies to coded/pseudonymized data because these are ‘indirectly’ identifiable.”

As a result, the GDPR applies throughout the world where personal data on an EU or UK resident are being processed. “Compliance with these data protection laws is essential, and without an accountability framework in place, studies are likely to grind to a halt very quickly,” states Masson. “In addition to incurring fines, engagement with the necessary partners will be impossible, as will successful ethics committee reviews and Clinical Trial Information System (CTIS) applications, all of which are required for EU studies to progress.”

Key steps to consider when processing EU/UK personal data include:

  • Understanding data flows, lawful bases, processing risks, and cross-border transfers
  • Implementing a GDPR compliance framework prior to the first-participant-in stage
  • Implementing data processing agreements with study partners and investigator sites
  • Being familiar with the requirements of the CTIS
  • Appointing a data protection officer and data protection representative where required

Data protection representatives are required for organizations that are not established within the European Economic Area, and must be “established” in the Member State where the majority of a study’s EU personal data are processed. Their role is to act as the point of contact for data subjects and regulatory authorities.

European Data Privacy Roadmap: Balancing Research, Innovation, and Compliance

Join Rob at ACRP 2025 [April 24-27; New Orleans, La.], as he explores some of the key data privacy compliance challenges for contract research organizations and sponsors, sharing real-world business examples and insights.

Post-Brexit, both the EU and UK GDPR Article 27 apply, so representatives are required in each jurisdiction. Other laws to keep in mind are the Clinical Trials Regulation and Medical Devices Regulation.

“Sponsors need to be fully aware of the implications of data protection legislation designed to protect the sensitive, high-risk health data gathered during many clinical trials,” according to Masson. “As the ‘data controller’, sponsors inherit ultimate responsibility and accountability for compliance—which cannot be divested to a contract research organization—and must clearly demonstrate this commitment. Data privacy should be considered from the protocol design stage and throughout the clinical trial lifecycle.”

Edited by Jill Dawson