Clinical trials and GDPR: 5 common misconceptions and how to overcome them

In fast-moving clinical trial set-ups, General Data Protection Regulation (GDPR) governance and compliance can often seem like another layer of operational complexity. However, the challenge is rarely the regulation itself but uncertainty around how to interpret and apply it in practice. When expectations are not fully aligned across sponsors, CROs, and trial teams, this can increase risk and delay study timelines.  

This blog explores five of the most common GDPR misconceptions we encounter in clinical trials and outlines practical ways to move past them with confidence. 

1. Unclear ownership of GDPR responsibility
2. We only use pseudonymised data, so GDPR doesn’t apply to us 
3. We’re not based in the EU, so GDPR doesn’t apply to us 
4. The CRO can act as the DPO 
5. We can deal with GDPR governance closer to first patient in (FPI) 

1. Unclear ownership of GDPR responsibility

Clinical trial sponsors and CROs can often assume that the other party is primarily responsible for GDPR compliance. When GDPR ownership is unclear, practical problems tend to surface quickly. This can include conflicting privacy language between sponsor and CRO documents, delays to clinical trial agreements and informed consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. forms, and confusion during audits and regulatory inspections.  

Controller and processor roles and responsibilities 

In most clinical trial structures, sponsors typically determine the purpose of the trial, how the data will be collected, and how the results will be used. This places them in the role of data controller, with ultimate responsibility for GDPR compliance across the supply chain. Whilst the CRO may processA series of actions or steps taken in order to achieve a particular end. data on the sponsors’ behalf, accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. for ensuring data protection is built into the trial from the outset usually remains with the sponsor. 

In some scenarios, sponsors and CROs may also act as joint controllers for specific processing activities. 

Three steps to embed clear GDPR governance 

• Define controller and processor roles during trial design, not during contract negotiations, so accountability is clear from the outset 
• Align Privacy Notices, patient-facing materials, and CRO agreements so they tell one consistent data story to participants, partners, and regulators 
• Regularly review how trial data is handled across the trial ecosystem 

2. We only use pseudonymised data, so GDPR doesn’t apply to us 

Assuming GDPR does not apply because trial data is pseudonymised often leads sponsors to underestimate security and governance requirements. This can result in omitted data transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the..., incomplete patient-facing privacy information, and an over-reliance on CROs or sites to make compliance decisions on the sponsor’s behalf. 

Why pseudonymisation doesn’t remove obligations

Under current guidance, pseudonymisation does not remove GDPR obligations. Sponsors and their vendors can often ‘single out’ individuals in ways that directly affect them, such as pausing or discontinuing participation following an adverse event. This means the data remains identifiable in practice, even if direct identifiers have been removed at the site. 

Some trial activities are also identifiable by default. Participant reimbursement, insurance claims, concierge services, connected medical devices, and portal platforms often involve processing directly identifiable participant personal dataInformation which relates to an identified or identifiable natural person.. Sponsors also routinely process identifiable data about others involved in the trial, particularly healthcare professionals (HCPs), including CVs, financial disclosure records, and regulatory or disbarment checks. 

Crucially, a sponsor does not need to directly receive participant personal data to have GDPR obligations. By defining the purposes and means of processing through designing the clinical trial protocol, the sponsor typically remains the controller and retains accountability for how participant data is handled across the trial ecosystem.  

Three steps to manage identifiable risk 

• Map re-identification pathways across sponsors, CROs, sites, and vendors to understand where identifiability is reasonably likely 
• Ensure patient-facing information clearly explains the identity of the sponsor, the categories of any recipients, and the sponsor’s role in accessing and overseeing how personal data is processed 
• Include HCP processing when drafting data flow diagrams, Records of Processing Activities (RoPAs), contracts, and Privacy Notices

3. We’re not based in the EU, so GDPR doesn’t apply to us 

When organisations assume GDPR only applies to entities headquartered in the EU or UK, regulatory obligations are often identified too late. This can lead to missed EU/UK Representative appointment requirements, delays in ethics approvals and site onboarding, and contractual pushback from EU-based organisations.  

How GDPR can still apply

The GDPR has extraterritorial reach. This means that sponsors and CROs running clinical trials in the EU/UK can fall within scope regardless of where they are headquartered. Clinical trials inherently involve monitoring participants within those jurisdictions, which brings the data processing activity under the GDPR. In many multi-country trials, both the EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation). and UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. may apply at the same time, creating parallel regulatory obligations that must be managed together. 

GDPR applicability can also extend in less obvious ways. Appointing CROs, vendors, consultants, or technology providers established in the EU, UK, or other regulated jurisdictions may introduce additional privacy and regulatory requirements that were not anticipated at the outset. 

Learn more about the GDPR’s extraterritorial scope 

Three practical steps to meet your obligations

• Assess GDPR scope during country mix selection and site feasibility, not during late-stage contracting 
• Appoint an EU and/or UK Representative early where required and reflect this in patient- and regulator-facing materials 
• Determine whether a DPO is required and complete any applicable DPO appointment notifications with the relevant supervisory authorities 

4. The CRO can act as the DPO 

When a CRO is positioned as the sponsor’s data protection resource, or even as their DPO, independence can be difficult to demonstrate in practice. This can limit meaningful challenge on high-risk trial design and data processing decisions. It may also reduce credibility with regulators and ethics committees, and create uncertainty around accountability when handling breaches, complaints, or participant concerns. 

Why independence matters

The DPO’s role is to provide independent oversight of how personal data is processed by informing and advising the organisation, and by monitoring compliance with the GDPR. If a CRO delivering operational trial services is directly involved in those processing decisions, it can create a conflict of interest if they are also acting as the DPO. 

Three steps to avoid conflicts of interest

• Appoint an independent DPO or advisory function with clear reporting lines to senior leadership 
• Define clear escalation pathways for high-risk processing and trial design decisions so issues are raised to both the DPO and senior leadership before they become regulatory or contractual blockers 
• Involve the DPO early in trial design and vendor strategy, not just post-approval reviews 

5. We can deal with GDPR governance closer to first patient in (FPI) 

When GDPR governance is treated as a late-stage task, pressure tends to build at the point where timelines are least flexible. As a result of delaying GDPR compliance considerations, sponsors and CROs often face delayed trial start dates, last-minute document rewrites for sites and ethics committees, incomplete Data Protection Impact Assessments (DPIAs) for high-risk processing, and contract bottlenecks with vendors and trial partners. 

Why timing matters

The GDPR is not a final checkpoint. The processes, documentation, and governance required for compliance often sit directly on the path to site readiness, ethics approval, and contract execution.  

Informed Consent Forms (ICFs), data transfer terms, and DPIAs often require review by CROs, sites, vendors, and ethics committees. Each step introduces third-party dependencies that can add weeks to trial timelines if left too late. 

Three steps to stay on schedule 

• Build GDPR checkpoints into trial timelines alongside regulatory and clinical milestones, so data protection work progresses in parallel rather than at the end of the process 
• Start data mapping and DPIAs during protocol development to embed Privacy by Design into trial planning 
• Assess early whether additional appointments, such as an EU/UK Representative, a DPO, or specialist legal support, are required and factored into budgets and timelines 

Key takeaways

Many of the GDPR compliance challenges that delay clinical trials are not caused by the regulation itself, but by assumptions about who is responsible and when data protection should be addressed. In practice, accountability is shared across sponsors, CROs, and the wider trial ecosystem, and key compliance activities often sit directly alongside ethics approvals, contracting, and site readiness. 

Addressing data protection early, clarifying roles, and building governance into trial design helps avoid last-minute document changes, contractual delays, and uncertainty during audits or inspections. When approached in this way, GDPR compliance becomes less of a perceived obstacle and more of a foundation for smoother trial start-up and more predictable timelines. 

Concerned about compliance gaps in your clinical trial documentation? The DPO Centre has extensive experience supporting sponsors and CROs with practical, expert guidance across every stage of the trial. Get in touch with our team for more information. 

In case you missed it…

• Pseudonymisation under the GDPR: What the latest EU ruling means for organisations 
• Clinical trials part 3: GDPR considerations for Informed Consent Forms 
• How to choose the right lawful basis for clinical trial data processing