Organisations involved in clinical trials in European Union (EU) Member States, or the UK should consider whether they need to register with data protection regulators.

Before the General Data Protection Regulation (GDPR) entered into force in May 2018, the data protection laws in the EU (which at the time included the UK) required organisations to register with the local data protection regulator unless they were exempt from said registrations. These exemptions were typically set out by the regulators and were very restricted—usually limited to organisations that only processed personal data of their employees for basic employment management purposes.

The GDPR revoked the requirement for organisations to register with regulators and required instead that organisations that appoint Data Protection Officers should communicate their contact details to the regulators.

In practice, this means that organisations wanting to sponsor or execute clinical trials in the EU or UK must:

  1. Clearly define their role as a controller or processor.
    Traditionally, sponsors are identified as controllers and Clinical Research Organisations (CROs) are the processors, alongside the trial sites. However, these roles may change depending on the material relationships.
  2. Assess whether they should appoint a Data Protection Officer under the GDPR, UK or EU.
    Given the requirement for the organisations involved in clinical trials to collect and process health-related data, and to implement significant accountability measures to satisfy local ethics committees, appointing a DPO is generally a recommended approach.
  3. Identify where the clinical trial will take place and assess what registration is required in those jurisdictions.
    In some jurisdictions, like Portugal, the only entities that must register their DPO are the ones located in Portugal, not the foreign entities covered by extra-territorial applicability of the GDPR. Others, like the UK, require all organisations to still register with the ICO and then register their DPO as well.

Understanding where and how to register with Data Protection Regulators can be difficult but your DPO should be able to support you to navigate these requirements in a seamless manner.

HewardMills has conducted extensive research on DPO registration requirements globally. For further details, please contact us as dpo@hewardmills.com.

Please contact us at HewardMills if you want to discuss any of the points in this article, or find out more about our services.