The GDPR has changed the way personal data is handled in clinical trials. Find out what you need to know as a US sponsor about the impact of the GDPR for your clinical trials in the EU and in the UK.

There are currently approximately 400,000 clinical trial studies conducted globally, of which more than 115,000 are conducted in the European Union. While it’s a huge boost for medical research, this can create a confusing tangle of regulations and laws for international researchers.

One of the most important regulations affecting clinical trials is the EU General Data Protection Regulation (GDPR).

The GDPR doesn’t allow loopholes based on location. It applies even if your organization is in the US.

What is the GDPR? Does it apply to you as a US-based sponsor? How does it impact your clinical trials in the EU? Read on to learn more! 

What Is The GDPR?

The GDPR came into effect on May 25, 2018 in response to rising concerns over personal data protection. Under the GDPR, controllers and processors of personal data are required to put in place the “appropriate technical and organizational measures” needed to protect the data of individuals and to respect their data rights.

The main objective of the GDPR is to harmonize data protection laws across all countries in the European Union and to provide greater data protection safeguards to individuals in these countries. It does this by setting forward specific requirements for data protection, handling, and processing of personal data, as well as by giving explicit data rights to individuals in the EU.

Does the GDPR apply to you as a US Sponsor?

Yes. The European Data Protection Board (EDPB) clearly answered this question in its opinion on the interplay between the Clinical Trials Regulation (CTR) and the GDPR. The GDPR is fully applicable to US sponsors that process personal data of individuals in the EU, including in the context of managing a clinical trial.

If you comply with HIPAA and the EU Clinical Trials Regulation, does that mean that you’re compliant with the GDPR?

Medical research has its own separate laws and requirements but falls under other applicable regulations as well, including the GDPR. What is the interplay between some of those regulations?

The GDPR and HIPAA

Healthcare organizations in the US should already be familiar and compliant with the Health Insurance Portability And Accountability Act (HIPAA). The HIPAA was enacted in 1996 to provide data protection for US citizens. However, the GDPR takes things a step further since it takes modern technological advancements and modern trends in data management into consideration.

As such, US sponsors should be particularly cautious not to assume that being compliant with HIPAA means that they’re compliant with the GDPR. Both are similar – especially as concerns the stringent security measures that govern the processing of health data – but numerous gaps remain between HIPAA and the GDPR, especially regarding the scope of personal data definitions, data retention obligations, explicit consent requirements, data breach notification delays, etc.

The GDPR and the EU’s (new) Clinical Trials Regulation

Clinical trials that are conducted in the EU adhere to the Clinical Trials Regulation (EU) No 536/2014 (CTR), which goes into force on January 31, 2022. The CTR’s provisions include consistent clinical trial rules across all EU Member States, greater information transparency, increased safety standards and uniform submission and assessment processes.

The CTR and the GDPR are in agreement with data safety and security. However, US organizations still need to take extra steps to ensure GDPR compliance in clinical trials in the EU and they should pay close attention to a number of important questions related to the adequate legal basis, informed consent and its withdrawal, information of data subjects, transfers of personal data outside the EU and secondary uses.

3 things you must remember when conducting clinical trials in the EU

As a US sponsor, you should keep these three key considerations in mind before you launch your clinical trial in the EU!

1. It’s not only about the patients

Transparent communication is crucial under the GDPR because without adequate information about the ins and outs of the processing activity, individuals can’t exercise their rights.

US sponsors must proactively communicate with data subjects so that they can know exactly who is processing their personal data, for what purposes and to whom they can turn to in case of questions or problems.No doubt that the patients involved in your clinical trials should be the first informed about data privacy and their rights; but they’re not the only individuals who should be aware of how their personal data is processed! Don’t forget to include all individuals in the EU whose personal data you’re processing. These will typically include the investigators, CRO staff, site staff, vendor staff and committee members.

2. Make sure that your data transfers to the US are permitted

When conducting your clinical trial in the EU, you may be transferring personal data from the EU to the US: research results, analysis, patient profiles, etc. Those transfers can only be made lawfully if they are adequately safeguarded by one of the tools provided for under the GDPR. Which one is right for your transfers?

Does the name “Schrems” ring a bell? He’s an EU privacy advocate who launched court cases that led to the invalidation of the Privacy Shield Framework by the Court of Justice of the European Union in July 2020. If you were relying on the Privacy Shield Framework to safely transfer personal data from the EU to the US, then you should be looking at finding another solution as soon as possible.

One of the most common tools used by US organizations for such transfers are Standard Contractual Clauses (SCCs). However, to ascertain whether you can validly use SCCs, you must first perform an assessment test which considers the specific circumstances of the transfers as well as supplementary measures that could be put in place. If the result of your assessment is negative, other solutions are still available to transfer data from the EU to the US, such as binding corporate rules (BCR), codes of conduct, certification mechanisms, or derogations foreseen in Article 49 of the GDPR (e.g. explicit consent, important reasons of public interest, etc.).

3. Don’t overlook the “forgotten obligation”

Have you heard of the GDPR Representative? There are three things that you need to be particularly watchful of regarding this obligation that is very often forgotten by US sponsors.

First, you will probably have to appoint a GDPR EU representative to act as your point of contact in the EU. If you haven’t heard about this obligation, it’s probably because almost everything that’s been written or discussed around the GDPR has been focused on EU organizations. Given that they’re located in the EU, they don’t have to appoint a GDPR EU representative.

Appointing a data protection representative is a major compliance obligation for non-EU organizations. Therefore, if you’re located in the US and have no offices branch or other establishment in the EU, you must appoint an EU GDPR representative.

The EU Representative must be located in the EU to act as a point of contact between your US company and EU individuals as well as the EU Data Protection Authorities, if need be. Additionally, the Representative can assist and support your company in the handling of an unlimited number of data breach notifications to the Data Protection Authorities.

In the event of non-compliance, you can face administrative fines of up to the equivalent of 10,000,000 EUR or up to 2% of your company’s annual worldwide turnover. The Data Protection Authorities can also temporarily or permanently restrict processing and suspend data flows.

Second, if you are conducting clinical trials in the UK, you may also need to appoint a UK GDPR data protection representative. As the UK is no longer a Member State of the EU and is considered a third country to the EU, it now applies the “UK GDPR”, an almost identical version of the EU GDPR. The rights, principles and obligations mostly stay the same, including the obligation to appoint a data protection representative. So if you’re conducting clinical trials in both the EU and UK, you have to appoint two representatives, one in the EU and one in the UK.

Third, don’t confuse the GDPR EU representative with other types of representatives. A very common mistake made by US sponsors when it comes to appointing an EU representative is assuming that the GDPR EU representative – appointed pursuant to Article 27 of the GDPR – is the same as the legal representative required under Article 74 of EU Regulation 536 (2014). That’s incorrect. They are two different representatives. Also, the GDPR EU representative is not the same as a data protection officer (DPO). The European Data Protection Board (EDPB) confirmed that it’s not possible to appoint your DPO as your GDPR EU representative so make sure that you have appointed the right representative(s) for the right purpose(s) in order to avoid facing heavy penalties.