Conducting clinical research—data protection implications
Produced in partnership with William Long and Francesca Blythe of Sidley Austin

The following Life Sciences guidance note, produced in partnership with William Long and Francesca Blythe of Sidley Austin, provides comprehensive and up-to-date legal information covering:

  • Conducting clinical research—data protection implications
  • When and why is data protection relevant to clinical research?
  • Responsibility for compliance
  • Transparency
  • Engaging a processor
  • Data protection officer
  • Data protection representative
  • Data protection impact assessments
  • Legal grounds for processing
  • Secondary/further processing for research purposes

Data, and consequently data protection compliance, is central to conducting clinical research, whether in the context of clinical trials, pharmacovigilance activities and/or scientific research more broadly.

As of 25 May 2018, data protection law in the EU is governed by the EU’s General Data Protection Regulation (EU) 2016/679 (the GDPR). This Practice Note focuses, in particular, on the impact of the GDPR on clinical research. For further information on the GDPR more generally, see Practice Note: The General Data Protection Regulation (GDPR).

When and why is data protection relevant to clinical research?

Territorial scope of the GDPR

The GDPR applies to an organisation processing personal data in the ‘context of the activities of an establishment of a controller or processor in the [EU]’ whether or not the processing takes place in the EU.

The GDPR also applies to organisations based outside of the EU (eg in the US) that process personal data of individuals (referred to as ‘data subjects’) ‘who are in the [EU]’ where the processing activities relate to:

  1. offering goods or services (irrespective of whether a payment by the data subject is required) to such data subjects; or

  2. the monitoring of the behaviour of such data subjects, providing the behaviour takes place within the EU.

As such, the GDPR may apply to an organisation involved in clinical research (eg a sponsor,