Data Protection Requirements in Clinical Trials

Safeguarding Data Protection and Privacy in Research: Data Protection Impact Assessments and the Clinical Trials Landscape

Clinical trials form the cornerstone of biomedical progress. They provide the evidence base for new therapies, diagnostics, and medical devices, all while involving some of the most sensitive categories of personal data. In an era of increasingly decentralised studies, complex data flows, and cross-border collaboration, the governance of personal data in clinical research has become as vital as the scientific protocols themselves. This reality places data protection, and in particular the requirement to conduct Data Protection Impact Assessments (DPIAs), at the heart of ethically and legally robust trials.

Across the European Union and European Economic Area, the General Data Protection Regulation (GDPR) sets a clear expectation: where processing is likely to result in a high risk to individuals’ rights and freedoms, a DPIA is not merely advisable — it is mandatory. The processing of special category data, such as health-related information, triggers heightened scrutiny. In clinical trials, this scrutiny is more than procedural. It touches on participant autonomy, data sovereignty, and the fundamental trust between the research community and society.

This article explores the DPIA obligation in the context of clinical trials, drawing from authoritative guidance developed by Ireland’s National Clinical Trials Oversight Group (NCTOG) and supported by the Irish Data Protection Commission (DPC). It situates these responsibilities within the broader framework of EU data protection law, while also reflecting the operational realities faced by sponsors, investigators, ethics committees, and Data Protection Officers (DPOs).

A Regulatory Imperative, Not a Formality

At its core, a DPIA is a structured process that enables organisations to identify, assess, and mitigate risks associated with personal data processing. It embodies the GDPR’s principle of accountability and operationalises the concept of privacy by design. While DPIAs may take different formats depending on the nature and scale of processing, their objective remains consistent: to anticipate data protection risks before they materialise, and to document the rationale behind the chosen safeguards.

Clinical trials typically involve the systematic collection and analysis of data concerning participants’ health, genetic information, lifestyle, and sometimes even biometric or behavioural data. The processing often occurs over extended periods, involves multiple entities across jurisdictions, and uses advanced technologies such as electronic data capture systems, cloud-based trial management platforms, and artificial intelligence tools for statistical analysis or remote monitoring. Each of these dimensions amplifies the potential risk to data subjects.

Under Article 35(3) of the GDPR, a DPIA is required in situations involving the large-scale processing of special category data or systematic monitoring of individuals. These criteria are routinely met in the design and conduct of clinical trials. It is therefore essential for sponsors and sites to treat the DPIA not as a tick-box requirement, but as an embedded part of the trial planning process.

Defining Roles: Controllers, Processors and Joint Arrangements

A fundamental step in assigning DPIA responsibility is determining the role of each participating organisation. The GDPR distinguishes between data controllers, who determine the purposes and means of processing, and data processors, who act on a controller’s documented instructions.

In the clinical trial domain, the sponsor is frequently the entity that defines the protocol, determines the data that will be collected, and decides how it will be analysed. In such cases, the sponsor is clearly acting as a data controller. If the trial site, which is typically a hospital or academic institution, simply follows the sponsor’s protocol and manages data on the sponsor’s behalf, it functions as a processor.

However, not all arrangements are so straightforward. Increasingly, trial sites participate in protocol design, select subsets of data to retain locally, or use the data for secondary research. Where decision-making around data processing is shared, the sponsor and site may be deemed joint controllers under GDPR (Art. 26). This designation carries specific obligations, including the need for a transparent joint controller agreement and a clear delineation of responsibilities toward data subjects.

In both the controller–processor and joint controller scenarios, the responsibility for conducting a DPIA lies with those determining the purposes and means of processing. Where roles are shared, the parties must reach a practical and lawful arrangement for completing the DPIA. The NCTOG guidance confirms that local hospital DPOs and ethics committees are not responsible for the DPIA, although they may have supporting roles or be consulted during the process.

| Responsibility / Factor | Sponsor as Controller | Trial Site as Processor | Joint Controllers (Sponsor & Site) | Independent Controllers |
|---|---|---|---|---|
| Determines purposes and means of processing | ✔️ | | ✔️ (jointly) | ✔️ (separately) |
| Initiates and conducts DPIA | ✔️ | | ✔️ (collaborative or delegated) | ✔️ (each independently) |
| Primary accountability under GDPR | ✔️ | | ✔️ (shared) | ✔️ (individual) |
| Requires joint controller or processor agreement | ✔️ (Processor Agreement) | ✔️ | ✔️ (Joint Controller Agreement) | |
| Consults with DPO before trial begins | ✔️ | | ✔️ (both) | ✔️ (each separately) |
| Handles data subject rights | ✔️ | ❌ (unless instructed) | ✔️ (must coordinate) | ✔️ (each controller) |
| Provides data protection notice | ✔️ | | ✔️ (joint or coordinated) | ✔️ (individually) |
| Defines legal basis and mitigates risk | ✔️ | | ✔️ (shared or divided) | ✔️ (each independently) |


The Ethics Committee Is Not the DPO

One of the more persistent misconceptions in the clinical trial landscape is the belief that ethics committee approval substitutes for a DPIA. This confusion stems from the fact that both processes occur early in the study lifecycle and are designed to safeguard participants’ interests. However, they are fundamentally distinct.

An ethics committee evaluates the clinical rationale, safety considerations, and integrity of the informed consent process. It assesses whether the proposed research design is proportionate, scientifically valid, and ethically sound. Data protection may be mentioned, but it is not the central focus. In contrast, a DPIA scrutinises the data processing elements of the project. It examines the lawfulness of processing, the compatibility of purposes, data minimisation strategies, storage limitations, security measures, and the extent to which data subjects can exercise their rights.

The GDPR is explicit on this point. DPIA obligations exist independently of other sector-specific approvals. Ethics committees are not tasked with reviewing DPIAs, and a trial may require additional safeguards beyond those imposed by ethics boards. The distinction must be respected to ensure that data protection responsibilities are not overlooked or fragmented.

DPIAs in Practice: Timing, Consultation, and Iteration

A well-conducted DPIA begins well before the first participant is enrolled. It should form part of the initial feasibility and risk assessment stages of the trial, when data flows are being designed and operational partners are being selected. Delaying the DPIA until after key decisions are made diminishes its value and can expose the sponsor to unnecessary regulatory risk.

The GDPR encourages the consultation of a DPO where one has been appointed. In clinical research, this consultation is not only legally prudent but practically beneficial. DPOs can bring critical insights regarding data retention schedules, international transfers, lawful bases for processing under both Articles 6 and 9, and mechanisms for handling data subject rights. Where multiple jurisdictions are involved, local DPOs or legal experts may be consulted to address national derogations or ethics frameworks.

The DPIA should not be treated as a static document. Clinical trials often evolve through protocol amendments, new study arms, or technology upgrades. Each of these changes may affect the data processing landscape. Sponsors should revisit and, where necessary, revise their DPIAs in response to these developments. This iterative approach aligns with the accountability principle and positions the DPIA as a living instrument rather than a bureaucratic artefact.

Distinguishing Medical Consent from GDPR Consent

In the context of clinical trials, the concept of “consent” carries distinct legal and ethical meanings depending on the framework in which it is applied. One of the most frequent sources of confusion, both among research professionals and participants, is the assumption that informed medical consent automatically satisfies the requirements for valid consent under data protection law. However, this is not the case.

Medical or clinical consent relates to a person’s agreement to participate in a clinical trial or medical intervention. It is governed by ethical and clinical standards, typically overseen by ethics committees and national legislation. This form of consent ensures that participants understand the purpose, procedures, potential risks, and benefits of the study, and that their decision to participate is voluntary, informed, and free from coercion.

By contrast, GDPR consent is one of several legal bases available for processing personal data under Article 6 of the General Data Protection Regulation. When special category data such as health information is involved, as it nearly always is in clinical trials, Article 9 also applies, requiring a separate condition to legitimise processing. GDPR consent is defined by a strict set of criteria: it must be freely given, specific, informed, unambiguous, and capable of being withdrawn at any time, without detriment.

These differences have practical consequences. While informed consent is ethically indispensable for trial participation, it may not always be the appropriate or reliable legal basis for processing personal data under GDPR. This is especially true in scenarios where the data processing is essential to comply with legal obligations, to perform a task in the public interest, or to fulfil the sponsor’s legitimate interests, provided that such interests are not overridden by the rights and freedoms of the participant.

Moreover, GDPR consent must be separable from clinical consent. Participants must be able to decline or withdraw their data processing consent without necessarily withdrawing from the trial itself, which is not always feasible in practice. As a result, many sponsors and ethics boards prefer to rely on alternative lawful bases such as public interest in the area of public health or scientific research purposes under Article 9(2)(j), supported by appropriate safeguards such as pseudonymisation, data minimisation, and robust governance controls.

Ultimately, it is crucial to treat medical and data protection consents as distinct instruments serving different legal and ethical purposes. DPIAs offer a valuable opportunity to document this distinction, justify the choice of lawful basis for data processing, and ensure that participant-facing materials clearly explain the difference. This approach not only enhances compliance but also reinforces transparency and respect for the individuals at the heart of the research.

Documentation, Transparency and Responding to Challenges

The value of a DPIA lies not only in its risk analysis but also in its documentation. Regulatory authorities may request evidence that the DPIA was completed and that appropriate mitigation measures were implemented. In high-risk cases where the DPIA indicates that the processing would still result in significant residual risks, the controller must consult the relevant supervisory authority before proceeding. While such consultations are rare in clinical trials, sponsors must be prepared to demonstrate that they considered the option if applicable.

Transparency is equally important. While the DPIA itself is not typically published, its outcomes may be summarised in participant information leaflets or data protection notices. These summaries should strike a balance between accessibility and accuracy, enabling participants to understand how their data will be used, protected, and governed.

Responding to data subject requests, whether for access, rectification, or objection, is another area where the DPIA can prove useful. It should outline the procedures for managing such requests, especially where joint controller arrangements are in place. Clarity on responsibilities can help avoid delays and ensure consistent communication with participants.

Supervisory Oversight: Ireland’s DPC and Broader EU Implications

The NCTOG guidance, reviewed and approved by Ireland’s Data Protection Commission, offers a structured and practical interpretation of DPIA responsibilities in clinical trials. While it reflects the Irish regulatory environment, its core principles are aligned with guidance from the European Data Protection Board (EDPB) and are applicable across the EU.

Sponsors operating multinational trials should be alert to national variations in ethics oversight, data protection enforcement, and health legislation. Some Member States impose additional conditions on processing health data, particularly in the context of public health or scientific research. These conditions may affect the DPIA content or consultation processes. Engaging with local DPOs and legal counsel is therefore essential in cross-border settings.

From a regulatory risk perspective, supervisory authorities increasingly expect organisations to demonstrate not only formal compliance but substantive accountability. A DPIA that is generic, outdated, or disconnected from operational practice will not withstand scrutiny. Conversely, a well-reasoned and evidence-based DPIA can serve as a shield in the event of complaints or inspections.

Looking Ahead: Embedding DPIAs in Research Culture

The ultimate goal of data protection law is not to obstruct research but to enable it in a way that respects the dignity and autonomy of individuals. In this sense, DPIAs are not a burden but a tool of empowerment. They prompt researchers to consider the ethical and legal dimensions of data use at every stage of the trial. They foster interdisciplinary collaboration between scientific, legal, and technical teams. They provide transparency and reassurance to participants who entrust their data to the research enterprise.

For sponsors and investigators, this means moving beyond minimal compliance and toward a culture of proactive privacy management. For DPOs, it means engaging with research teams early and often, providing pragmatic advice that supports both innovation and data protection. For oversight bodies and ethics committees, it means clarifying their respective roles and encouraging alignment across governance processes.

As the clinical trials landscape becomes more digital, decentralised, and data-driven, the importance of DPIAs will only grow. By investing in robust, context-sensitive DPIAs, the research community can strengthen its social license, mitigate legal risks, and uphold the foundational values of trust, transparency, and respect.

XpertDPO