It is important that non-EU clinical trial sponsors meet GDPR principles when conducting their clinical studies in Europe. Clinical trial sponsors should be aware not only of the principles of personal data protection, but also of the penalties for non-compliance. Following all requirements of the GDPR is essential for successfully carrying out clinical trials in Europe.
What Is GDPR?
GDPR stands for the General Data Protection Regulation. This European Union regulation protects the rights of EU citizens to privacy in regard to their personal information. The GDPR regulates how third parties collect and use personal data gathered in Europe. Moreover, it applies to all entities that collect personal data within the European Union and the European Economic Area (EEA), even if that entity is based outside the EU or EEA.
An EU regulation is a legal act that applies directly at the national level in EU member states. When the European Parliament passes a regulation, that rule acts as law within each member state. Member states do not need to enact their own implementing law, although EU regulations are applied and enforced by local authorities. Within member states, EU regulations have the force of law.
One of the most ubiquitous consequences of the GDPR is the requirement that all websites shown in Europe provide detailed information about how they track visitors and that such tracking functions on an opt-in model. But this is just one aspect of the GDPR, which includes requirements that apply specifically to clinical trials.
What Are the Fines and Sanctions for Not Meeting GDPR Rules in Europe?
The most likely penalties for violating the GDPR are the temporary prohibition on processing future data in Europe as well as the payment of a hefty fine. The Data Protection Authorities in each EU and EEA member state are mandated to enforce the GDPR and do not hesitate to impose both sanctions and fines for not following its requirements.
The Data Protection Authorities have been charged with imposing fines that are “effective, proportionate and dissuasive,” according to the European Commission. Fines can be up to 20 million euros or 4 percent of a company’s total global turnover.
The Data Protection Authorities can also prohibit companies from processing data in Europe. The ban can either be temporary or permanent.
When issuing penalties for GDPR violations, the Data Protection Authorities take into account “the nature, gravity and duration of the infringement, its intentional or negligent character, any action taken to mitigate the damage suffered by individuals, the degree of cooperation of the organisation,” among other factors cited by the European Commission.
In the best-case scenario, the company will receive a reprimand and a fine for a proven infraction. In the worst case, the company would be permanently prohibited from working in the EU and would also have to pay a multi-million euro fine.
Under the GDPR, companies can also be held liable for negligence if they are hacked. For example, in the case of a cyber-attack that results in an attacker viewing or accessing personal data, the EU will investigate the company’s security practices. If it finds that the company was lax in its cybersecurity, the company could face sanctions and fines. In Europe, companies that collect data have a duty to protect the right of EU citizens to the privacy of their personal data.
Fines and sanctions can apply to violations of any part of the GDPR, which covers every aspect of data collection and processing.
Are US Clinical Trial Sponsors Required to Comply with GDPR When Executing Their Clinical Studies in Europe?
Yes, the GDPR applies to US clinical trial sponsors when conducting clinical trials in Europe. Since the GDPR applies to any entity that handles the personal data of people within the EU or EEA, no matter where that entity is located, it governs all clinical trials conducted in Europe. US sponsors executing clinical trials within the EU or EEA must comply with all provisions of the GDPR.
The EU has shown it can and will enforce the GDPR both in and beyond Europe. It has also demonstrated that its enforcement is not limited to big tech firms. For example, the Dutch Data Protection Authority fined the website Locatefamily.com 525,000 euros for failing to appoint an EU representative as required by Article 27. The location of the website is unclear, but it came to the attention of the Dutch Data Protection Authority following complaints from Dutch citizens about how their personal information was being used.
Europe takes the GDPR very seriously, so sponsors working within the EU must do so as well.
How Does GDPR Apply to Clinical Trials?
The Clinical Trials Regulation sets out the GDPR’s specific requirements for clinical trials.
Under the Clinical Trials Regulation, sponsors of clinical trials are expected to “record, process, store and handle data in such a way that it can be accurately reported, interpreted and verified, while preserving the confidentiality of the records and requiring appropriate technical and organisational measures to protect information and personal data.”
The Clinical Trials Regulation assumes that clinical trials follow best practices, but its requirements also go far beyond industry standards. Essentially, clinical trials in Europe must be able to produce highly reliable and robust research data while protecting the rights of citizens so that their personal information is not unnecessarily exposed.
The Clinical Trials Regulation expects the protection of personal data to be at the heart of data processing in clinical trials. Sponsors must also document how they have protected patient personal information in every step of the trial and data processing.
Sponsors also need to establish a legally justifiable basis for collecting and processing personal data. The GDPR distinguishes between the requirement for consent for a subject to participate in a trial and the requirements to be able to lawfully process personal data. Under the GDPR, informed consent is not the legal basis for lawfully processing personal data but only a safeguard for the patient. Within the context of the GDPR, the legal basis for using personal data includes necessity, public interest, fairness, and data quality. Clinical trials must document a legal basis other than informed consent for processing personal data.
Clinical trials will also have to distinguish between data processing related purely to research and data processing for the purpose of health and safety. These two main categories of processing activities have different legal foundations under the GDPR.
In general, the GDPR stipulates much more documentation and a significantly longer archival period than, for example, the United States does. It also imposes other additional requirements. For instance, sponsors not based in the EU must have a designated Data Protection Representative to whom EU citizens can have recourse if they feel their data is being misused.
Sponsors should also be aware that the GDPR is enforced within individual EU and EEA member states by local Data Protection Commissions that have their own preferences in carrying out and applying the GDPR.
How Can Non-EU Clinical Trial Sponsors Ensure They Are Compliant with GDPR Requirements?
Relying on the expertise of a company specialized in European data protection law is the best guarantee for GDPR compliance. Specialists in this area are highly experienced in providing support to clinical trial sponsors through the requirements of the GDPR, individual EU member-state legislation, and regulatory guidance. These companies also have specific expertise in the interplay between the GDPR, the Clinical Trials Regulation, and good clinical practice (GCP) guidelines. They also handle all paperwork related to the GDPR and serve as the Data Protection Officer (DPO), among other important services.
A foundational first step towards GDPR compliance is to develop a solid records system to document personal data processing activities. Article 30 of the GDPR requires study sponsors to maintain clear and accurate records of their data processing activities. A company specialized in data protection can develop these records and implement internal processes to help sponsors operate trials that align with GDPR requirements.
These companies will also review and rewrite consent forms to comply with Articles 13 and 14 of the GDPR. They can add the required disclosures in either the body of the consent form or as an appendix. At the same time, these companies are sensitive to the requirement that informed consent forms be concise and written in plain language so that patients can easily understand them. These experts can also tailor informed consent forms on a country-by-country basis since each EU country has a different preference in terms of the sponsor’s lawful basis for processing personal data.
As an alternative to adding the required disclosures to the informed consent form, experts in European data protection law can draft a standalone privacy notice that complies with the privacy notice obligations of the GDPR. They can either review and revise your current patient privacy notice or create a new patient privacy notice for your clinical trial in Europe.
The GDPR also requires a written and signed contract between the sponsor and each of its vendors that have the technical or physical ability to access clinical trial patient data or personal data of site staff. This typically includes contract research organizations (CROs), labs, and cloud software providers, among others. Compliance with this obligation is usually met by signing a data processing addendum with applicable vendors.
Sponsors should also be aware that the GDPR affects what is required of vendors participating in a clinical trial in Europe. The regulation essentially mandates that vendors who see or have access to the personal data of people in Europe also use technical and organizational measures that meet the high security standards required by the GDPR. These provisions must be included in the contracts or data processing addendum signed with vendors. Companies experienced in GDPR can help sponsors negotiate these contracts with providers.
US sponsors running clinical trials in Europe should know that it is a good investment to get expert help to meet GDPR requirements.
European Commission Directorate-General for Health and Food Safety, “Question and Answers on the Interplay between the Clinical Trials Regulation and the General Data Protection Regulation”
Doyle Clayton Solicitors, “Failure to appoint an EU representative results in €525,000 fine,” Lexology
European Commission, “What if my company/organisation fails to comply with the data protection rules?”