The GDPR and Its Impact on the Clinical Research Community (Including Non-EU Researchers)

The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25, 2018, replacing the existing EU Data Protection Directive. While the regulation is intended to cover EU personal data, non-EU entities may still be impacted by the new requirements. In this blog, we’ll provide an overview of the GDPR and what it means for clinical research professionals.

Please note that this material is provided for informational purposes only and not for the purpose of providing legal advice. If you are unsure whether the GDPR applies to a particular study or scenario, we suggest consulting with legal counsel for guidance.

What Is the GDPR?

The General Data Protection Regulation (GDPR) establishes and enhances protections for the privacy and security of personal data about individuals within the EU. It places restrictions on handling personal data and delineates the responsibilities and obligations of companies processing personal data.

Before we dive much deeper, here’s a quick explanation of some key terms used in the GDPR:

What Does the GDPR Cover?

The personal data categories covered under the GDPR are broader than protected health information covered by HIPAA or identifiable private information included in the Common Rule. Under the GDPR, personal data is “any information relating to an identified or identifiable natural person” (AKA the “data subject”). Even coded data (or “pseudonymized data”) is considered personal data that would be subject to the protections of the GDPR. Data that have been fully anonymized are not covered by the GDPR.

The GDPR further defines special categories of data, called “sensitive personal data,” which are subject to stricter regulation. This would include data typically collected in a clinical trial, including health data, genetic data and biometric data. This category also includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.

How Does the GDPR Apply to Clinical Research in the EU and Beyond?

The GDPR is intended to cover EU personal data, including data processed for clinical trials, and applies directly to companies located in the EU, Iceland, Liechtenstein and Norway (collectively called the EU in this post). It also applies to the processing of personal data by a controller or processor not located in the EU when the data processing is related to (a) offering goods or services to participants in the EU, or (b) the monitoring of behavior of participants while in the EU.

It applies to anyone while in the EU, not just EU residents. This means that the GDPR may affect US clinical trials even if the trial is not conducted in the EU. Here is an example: A US citizen enrolls in a clinical trial in the US that requires her to wear a device that collects her health information. She travels to the EU while participating in that study and continues to wear her device, which continues to collect her health information. All personal data collected and transferred to the US while that participant is in the EU is subject to the GDPR.

On the other side of the coin, the GDPR generally will not apply to EU citizens enrolling in a US clinical trial while located in the US. However, if the clinical trial is being advertised in the EU, or if participants are followed or follow-up care is provided when participants return to the EU, then the GDPR may apply.

A note about future research: Under the US HIPAA and Common Rule regulations, broad consent for future research is generally allowed when participants are provided a description of the general areas of future research. Although the GDPR acknowledges that it may not be possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection, the draft GDPR working party guidelines indicate that specific consent to a well-described purpose may be required under the GDPR. At this time, the GDPR is not clear on whether broad consent may be used for future research, and additional guidance is needed in this area.

How Are Study Participants Informed of GDPR Data Privacy Requirements?

The clinical trial sponsor is responsible for determining whether the study must comply with the GDPR. If the study is subject to the GDPR, detailed data privacy information must be provided to participants. This data privacy notice may be included in the ICF, a data privacy addendum, a letter to participants, or other formats as determined by the sponsor.

In the US, the IRB of record should confirm that the GDPR data privacy requirements have been included in the data privacy notice. Some of these elements are already included in typical clinical trial templates. The additional elements related to data privacy that must be included in the data privacy notice include:

The GDPR does not require signed written consent for data processing, even for the processing of special categories of data typically collected in a clinical trial. As the data controller, the study sponsor must be able to demonstrate that valid explicit consent was obtained. Although written consent via the main ICF or a consent addendum would be considered best practice, oral consent is sufficient.

Reconsent is not required for the use of data collected prior to May 25, 2018, provided that the way consent was previously given is in line with the conditions of the GDPR. The focus here rests on whether these older consents meet the requirements for consent under the GDPR: freely given; informed; specific; unambiguous by a clear statement or affirmative action of consent (e.g., signing the consent form). Older consents meeting these requirements are likely to be considered valid, even though the data privacy notification was not originally included.

At Advarra, we will be monitoring the evolution of the GDPR and will provide updates and additional information as appropriate. Need to add GDPR requirements to a new or ongoing study? Contact Business Development for support.
