After the hiatus brought about by the pandemic, activity in the clinical trials sector is now growing, with a number of trials due to launch at the end of this quarter. Increasingly, participants in trials and partners in Clinical Research Organisations (CROs) are seeking assurance that a Data Protection Officer (DPO) has been appointed and organisations are taking privacy matters seriously.

With that in mind, here are our top 6 privacy considerations for biotech companies conducting clinical trials.

  1. Ensure ongoing contact with the DPO, so that you can demonstrate they are involved in any personal data related matters in a timely fashion. This should include the existence and good governance of a DPO mailbox where individuals and the regulatory authorities can send communication.
  2. Ensure you have conducted an analysis of required registrations of your appointed DPO with relevant Regulatory authorities, and that those registrations are appropriately and timely completed. In some countries it may be an offence not to register a DPO where needed!
  3. Review your existing privacy statements and policies to ensure you have covered all the data handling operations included in your clinical trial.
  4. Create robust records of your data handling operations, or records of processing activities (RoPAs) as they are known under the GDPR. RoPAs are critical documents that show that data flows have been properly identified, compliantly carried out and documented.
  5. Ensure that all clinical trials have gone through appropriate data protection impact assessments (DPIAs), that these are properly and transparently recorded and that risks are escalated to the appropriate decision makers.
  6. Ensure the right contractual clauses are in place with any third parties that handle personal data. This is especially important given the focus on data transfers post Shrems II. These arrangements should include considerations around data minimisation, transparency, accountability, security and consent. There should also be clarity on each party’s role – i.e. who is the controller and who is the processor vis-a-vis the personal data collected, and what it means in practice.

Systems should be put in place to ensure that these arrangements are monitored and updated on an ongoing basis. If you would like to find out any more about data protection considerations in clinical trials and our DPO services, please contact