It is hard to miss, but as of May 25, 2018, the GDPR becomes effective. Although collection and review of personal data and clinical studies have gone hand-in-hand for decades and therefore I do not expect major changes, the devil tends to be in the details, and I wanted to re-emphasize some key aspects in this post.


The definition of what is considered private data will be even wider than before under the GDPR and includes information where a person can be identified indirectly:

“’personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

So when dealing with health care data (which is what we do in clinical studies) even when data is (pseudo-) anonymized and there is no monitoring involved (hardly true nowadays) an Informed Consent is required. This for any type of clinical study including (borderline) observational studies, and I can’t help but wonder where that leaves us for retrospective data-analyses (also see my previous post on the GDPR)?

The GDPR concerns data of all EU citizens, meaning that any ‘party’ collecting or processing (clinical study) data from an EU person is subject to it, also when they are based outside of the EU. In such cases it is essential that the Subject Information Letter/Informed Consent contains clear wording regarding transfer of study data to third countries or international organizations that may have different/less strict data-protection regulations. Mind you that when the BREXIT becomes effective this likely includes UK-based companies.

Informed Consent

Ensuring proper Informed Consent is a standard, widely acknowledged key process when running clinical studies, so most of the responsibilities defined by the GDPR are not new for those involved in it. It is worth mentioning though that the conditions have been strengthened, and most notably that besides being adequate, data collected need to be relevant and limited, and the purpose of data collection should be explicit at the time of data collection:

“The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed”, and

“… the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data.”.

So when a volunteer or patient signs the informed consent, it should be clear what data is being collected, for what purpose, and for how long it will be stored: Study sponsors and CRO’s must make sure they are only processing and storing the minimum amount of data required for the purpose consented to, and special attention is required for any purpose beyond the clinical trial such as use of collected data for training or future research (hardly explicit I think).

This implies that existing subject information letters and consent models require review and modification where needed for any clinical study moving forward to ensure compliance with the GDPR.

The question is whether participants of clinical studies that started before May 25 2018, need re-consenting? The current thinking seems to be that such is not required, but you may want to review your Informed Consent Forms for aspects as mentioned above, specifically data usage beyond the clinical study itself (training, any future research, …) and duration of data storage.

Roles and responsibilities

The GDPR is more specific regarding data controllers and processors and their responsibilities:

“‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”, and

“‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.

In other words, study sponsors (controllers), CRO’s, EDC providers, and Core Labs (processors) involved in clinical studies have their responsibilities spelled out in the GDPR. All should be aware of its content and possible implications, which means ensuring proper Informed Consent and tracking of the use and storage of the collected data throughout the clinical study accordingly.

Generally speaking, responsibilities between the different ‘parties’ will be clear, but notably the GDPR includes a section regarding “joint controllers” (Article 26), so I think it is even more important that all parties involved, and mind you that includes freelancers, clearly define (and document) their roles for the clinical study at hand.

Of note in this respect is also that the study sponsor can also be an investigator: Investigator sponsored clinical studies are no exception nowadays and responsibilities are often blurred for such studies as mentioned in my earlier post on that topic. Therefore I think it is of the essence that any investigator is aware of the implications of the GDPR when running a clinical study where data is collected from EU citizens and (s)he has both the responsibilities of the sponsor and the investigator.


In conclusion, when dealing with clinical studies the impact of the GDPR is probably limited since we have been implementing the Informed Consent process for decades, but you need to take into consideration 1. a wider scope that includes any type of clinical data-collection, 2. an Informed Consent that needs to be even more explicit, with special attention for data-use beyond the study at hand, and 3. a better specification of the responsibilities of the study sponsor and data processors involved as the consequences in case of a personal data breach can be huge.

Please feel free to contact me in case you are interested in a more in depth discussion regarding the above or in case you are looking for any support with your medical device study.

About Annet Muetstege - Visscher

My name is Annet Muetstege and I am a clinical research expert, based in The Netherlands, with over 25 years of experience in all aspects of clinical evidence planning and execution especially in medical devices. I am the co-founder of Applied Clinical Services.