Clinical trials part 4: Practical approaches to DPIAs

Data Protection Impact Assessments (DPIAs) help sponsors identify and address risks to participant data before a clinical trial begins. Under the UK and EU General Data Protection Regulation (GDPR), they are a mandatory requirement for high-risk personal dataInformation which relates to an identified or identifiable natural person. processing, which includes health information used in clinical research.  Getting data protection right is not just a regulatory requirement, but a critical part of running an effective and trustworthy trial.  

In practice, DPIAs are often treated as a compliance exercise rather than an essential decision-making tool. When completed too late, DPIAs have limited impact on study design. And when used in isolation from the wider trial lifecycle, opportunities to identify and reduce risk early are limited.   

In Part 4 of our clinical trials blog series, we explore the common challenges sponsors face when completing DPIAs, and how to approach them more effectively.  

Key takeaway: DPIAs deliver the most value for clinical trials when they are completed early and as part of an ongoing processA series of actions or steps taken in order to achieve a particular end.. They should be used to identify data protection risks, inform study design and data use decisions, and demonstrate compliance throughout.

• What is a Data Protection Impact Assessment? 
• Embedding DPIAs into trial design 
• Mapping your data flows  
• Understanding international scope 
• Focussing on risks to data subjects 
• Keeping your DPIA up to date

Missed parts 1-3?
Catch up on Clinical Trial Agreements (CTAs), Data Processing Agreements (DPAs), and Informed Consent Forms (ICFs).  

What is a Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project.? 

A Data Protection Impact Assessment (DPIA) is a documented risk assessment that allows you to identify and mitigate data protection risks associated with processing personal data.  

Under the UK and EU GDPR, a DPIA is required where processing is likely to result in a high risk to individual’s rights and freedoms. Clinical trials will almost always meet this threshold as they involve processing large volumes of sensitive personal data, complex data flows, and multiple parties operating across jurisdictions.  

Sponsors typically act as data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data., determining how and why personal data is processed, and are therefore responsible for ensuring a DPIA is completed. However, it should be informed by input from clinical teams and vendors.  

More information on conducting DPIAs 

Addressing common DPIA challenges in clinical trials 

Despite being a legal requirement, DPIAs are one of the most frequently misunderstood and poorly executed elements of a sponsor’s data protection programme.  

Below are five key areas to focus on when completing a DPIA, along with practical ways to approach each aspect more effectively.  

1. Start DPIAs early in trial design

One of the most common issues is treating the DPIA as a box-ticking exercise and completing it at the end of trial set-up, just before ethics submission or regulatory review.  

By this stage, fundamental decisions about protocol design, vendors, and data flows have already been made, which leaves little room to implement meaningful mitigations.  

In practice, a DPIA should be started during protocol design, when decisions are still in flux and privacy considerations can be embedded from the outset. 

Three ways to embed DPIAs early:  

• Bring your Data Protection Officer (DPO) into discussions at the protocol and vendor selection stage 
• Use the DPIA to shape decisions as they are being made, not just to document them afterwards 
• Update the DPIA as the protocol, vendors, and data flows evolve  

2. Map your data flows across the trial ecosystem

Clinical trials involve a complex ecosystem of sponsors, Clinical Research Organisations (CROs), investigational sites, laboratories, technology platforms, and more — all handling personal data in different ways.  

Without a clear view of how data moves between these parties, DPIAs can quickly become incomplete or inconsistent.  

Data flow mapping is not a strict legal requirement, but it is widely recognised as best practice and should be developed alongside your DPIA to support a complete and accurate assessment. 

A visual data flow map can provide a shared reference point across teams, highlight gaps or missing vendors, clarify roles, surface international transfers, and even reveal previously undocumented processing activities.  

At a minimum, your data flow map should capture: 

• Categories of personal data 
• Parties involved and their roles 
• Systems and platforms used 
• Jurisdictions involved 
• International transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. mechanisms 

Review and update the map alongside your DPIA each time a material change occurs in the trial’s processing activities.  

3. Address international data protection requirements

Clinical trials are rarely confined to a single jurisdiction. A sponsor may be based in the UK, working with a CRO in the US, investigational sites across the EU, and technology vendors processing data in multiple locations. This creates a complex web of cross-border data flows. 

One of the most common gaps in DPIAs is failing to fully reflect this multi-jurisdictional reality. A well-developed DPIA should explicitly assess international and third-party arrangements to ensure all relevant obligations are identified and addressed. 

In practice, this means your DPIA should consider:

• Vendor management and due diligence 

Sponsors must be able to demonstrate that vendors handling personal data have appropriate technical and organisational measures in place, supported by questionnaires, audits, or similar assurance activities.  

• International transfers 

Where personal data is transferred outside the UK or EEA, the DPIA should identify the transfer mechanism used (e.g. SCCs, UK AddendumAn additional document that modifies, clarifies, or supplements the terms of an existing legal document without nullifying the original content., EU–US Data Privacy FrameworkThe EU-US Data Privacy Framework (EU-US DPF) is a set of principles and safeguards for transferring personal data from the EU to certified US organisations. The programme took effect on 10 July 2023, replacing the invalidated Privacy Shield, and the EU Commission has since deemed transfers made from the EU to certified US organisations Adequate. ), along with any supporting Transfer Impact Assessments (TIAs).  

• DPO appointment and GDPR Representatives 

Where organisations are not established in the UK or EU but process personal data within scope of the GDPR, they may need to appoint a Data Protection Officer and/or EU/UK Representative. The DPIA should assess whether these requirements apply, confirm appropriate appointments, and evidence notification to the relevant supervisory authorityAn authority established by its member state to supervise the compliance of data protection regulation., where required.   

• Transparency and Privacy Notices 

Jurisdictions involved in a trial affect what transparency information must be provided to participants, including local legal requirements and expectations. Ensure DPIAs align with Informed ConsentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. Forms (ICFs) and Privacy Notices across each country. 

4. Focus on risks to trial participants

When completing a DPIA, sponsors and trial teams can often default to internal risk register approaches that focus on financial, operational, or reputational impact, rather than assessing potential harm to individuals. 

Under the GDPR, the focus must be on risks to data subjects. In a clinical trial context, this means assessing: 

• The nature of risk and potential harm to participants 
• The likelihood and severity of that harm before and after mitigation 
• The measures in place to reduce the risk  
• The residual risk, and whether it is acceptable 

Risks to participants could include disclosure of sensitive health data to employers or insurers without consent, use of data beyond the agreed scope of the trial, or unauthorised access to systems containing medical information.  

Frameworks such as Solove’s Taxonomy of Privacy can be helpful in identifying a broader range of potential harms, beyond obvious security risks.  

A well-developed risk assessment does more than meet regulatory requirements. It demonstrates that risks to individuals have been properly understood, challenged, and managed. 

To strengthen your approach, you should also: 

• Define a consistent risk scoring methodology 
• Assign ownership for each identified risk 
• Ensure mitigation measures are realistic and evidencable 
• Document decisions clearly, including where risks are accepted 

5. Keep your DPIA up to date throughout the trial

A DPIA should not be treated as a one-off exercise. As the trial evolves, processing activities can change, and the DPIA should reflect how those changes have been assessed and managed. 

The DPIA should be maintained throughout the trial lifecycle and revisited as the changes occur. Key triggers for review include: 

• Changes to processing scope, such as new data uses or data types 
• Changes in vendors or partners 
• Expansion into new jurisdictions 
• Security incidents or near misses that reveal unmitigated risk 
• Regulatory guidance or legislation updates 

Resolving open actions
It is common for some actions to remain open after initial sign-off. For example, you may have identified the need for a vendor Data Processing Agreement (DPA) but not yet implemented one.  

What matters is these open actions are tracked, assigned to an owner, and followed through to completion. As the trial progresses and open actions are closed, the DPIA should be reviewed, updated, and re-approved by the relevant stakeholders where appropriate.  

Summary

A DPIA should do more than document compliance. Used effectively, it helps shape how personal data is handled across a clinical trial. 

In practice, this means supporting better data flow design, identifying risks earlier, and ensuring decisions are clearly documented and defensible.  

Sponsors who embed DPIAs into trial design and maintain them throughout the trial lifecycle will not only meet their UK and EU GDPR obligations but also strengthen governance and create a level of oversight and documentation increasingly expected by ethics committees, regulatory bodies, and due diligence reviewers. 

The DPO Centre has extensive experience in supporting clinical trial sponsors with all aspects of data protection design and compliance, including the drafting and review of DPIAs. Get in touch with our team for more information. 

In case you missed it…

• Clinical trials part 1: Data protection considerations for Clinical Trial Agreements 
• Clinical trials part 2: Data protection considerations for vendor Data Processing Agreements 
• Clinical trials part 3: GDPR considerations for Informed Consent Forms