Clinical trials and the GDPR

Data protection reform affects every sector, and changes to data processing around employment and customer liaison are universally relevant. But in some areas specific issues arise. One such area important for the life sciences industry is clinical research. This usually involves the collection and processing of health data about individuals – and this falls within the special category of data that receive enhanced protection.

The General Data Protection Regulation (the GDPR) tightens the obligations around the processing of personal data, and introduces tough new sanctions for non-compliance. The GDPR requires data processors to identify a legal basis that justifies their activities. In the case of clinical research, this may be consent, or possibly another basis such as scientific research in the public interest. But in any event, clinical research law normally requires participant consent to be obtained.

The GDPR recognises the role of clinical research law in defining the consent obligations in this context. But there is still some uncertainty around the extent to which the GDPR imposes additional compliance requirements on those organising and running clinical trials.

The existing EU Clinical Trial Directive, and its forthcoming replacement, the Clinical Trial Regulation (the CTR), both put transparency and consent at the heart of the process. Under the CTR “informed consent” is

“a subject's free and voluntary expression of his or her willingness to participate in a particular clinical trial, after having been informed of all aspects of the clinical trial that are relevant to the subject's decision to participate or, in case of minors and of incapacitated subjects, an authorisation or agreement from their legally designated representative to include them in the clinical trial”.

Articles 28-35 of the CTR deal with gaining informed consent in all situations, covering consent on behalf of minors or those lacking capacity, for pregnant or breastfeeding women, and in emergency situations.

Recital 161 of the GDPR cross-refers to the CTR:

“For the purpose of consenting to the participation in scientific research activities in clinical trials, the relevant provisions of Regulation (EU) No 536/2014 of the European Parliament and of the Council should apply”

However, the consent requirements in the GDPR are different, and include additional requirements around the specificity and granularity of consent that may be difficult to satisfy in the context of clinical research. 

Newly finalised guidance on consent from the group of EU regulators tasked with data privacy sheds some light on how personal data should be protected in the clinical trials context. The new guidance looks specifically at scientific research (section 7.2). It addresses the difference between consent obtained for the purposes of data privacy law and the consent needed to comply with ethical and procedural rules concerned with clinical trials. The guidance acknowledges that consent may not be the only basis for this kind of processing – the alternatives of the controller’s legitimate interests, and scientific research in the public interest may be available.

The guidance does not really help on the question of specifying the purpose of the research. It calls on researchers to seek consent in general terms at the outset and then supplement this with further rounds of consent as the project progresses. Aiming for transparency with a comprehensive research plan is also recommended.

The right to withdraw consent in the GDPR will apply, leading to the possibility that individuals could remove themselves from the research programme. If an individual does this, their data must then be deleted without delay. The GDPR also allows for erasure of data under the “right to be forgotten”. Pseudonymisation of data is not necessarily the answer, as this can sometimes be reversed through use of additional information to re-identify the individual. And the GDPR's obligations may well extend beyond the sponsor to other organisations that fall within the net of joint controllers or processors of the data.

Those running clinical trials will need to take account of the additional obligations imposed by the GDPR and cannot assume that compliance with clinical trials law will be enough. The currently available guidance, although helpful, does not provide a straightforward set of dos and don’ts, meaning that detailed analysis will be needed.

Edward Hadcock and Isabel Teare
