alexa A Review on Impact of General Data Protection Regulation on Clinical Studies and Informed Consent

ISSN: 2155-9627

Journal of Clinical Research & Bioethics

Reach Us +1-947-333-4405

A Review on Impact of General Data Protection Regulation on Clinical Studies and Informed Consent

Giannuzzi V*#, Landi A*#, Bartoloni F and Ceci A
Fondazione per la Ricerca Farmacologica Gianni Benzi Onlus Via Nicolò Putignani, 133-70122, Bari BA, Italy
#Contributed equally to this work
*Corresponding Author(s): Giannuzzi V, Fondazione per la Ricerca Farmacologica Gianni Benzi onlus Via Nicolò Putignani, Italy, Tel: +39 080 2052499, Email: [email protected]
Landi A, Fondazione per la Ricerca Farmacologica Gianni Benzi onlus Via Nicolò Putignani, 133-70122, Bari BA, Italy

Received Date: Jun 22, 2018 / Accepted Date: Aug 21, 2018 / Published Date: Aug 24, 2018


To harmonise personal data protection laws throughout the Europe, the Data Protection Directive 95/46/EC has been repealed by the new European General Data Protection Regulation (GDPR) Reg. (EU) 2016/679. GDPR will allow the data protection of the considerable number of citizens of the European Union. In this way, the Regulation will effect also on clinical investigations, and specifically, on the information process to provide consent. This paper goes to elucidating the main changes derived by the GDPR and to giving practical information on how to deal with informed consent and assent documents in concurrence with the regulation. Special spotlights on paediatric research and secondary use have been provided.

Keywords: General data protection; Clinical research


The way everyone throughout the Europe think on personal data protection is shaped by the new European General Data Protection Regulation (GDPR) [1]. This law has replaced the former Directive 95/46/EC [2] designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy [2]. In fact, for the first time, a regulation applicable in all EU Member States issues requirements for protection of personal data and confidentiality. Before the entry into force of GDPR, recommendations and guidelines [3-7] were the only provisions applicable to data protection and privacy other than Directive 95/46/EC [2].

Information gathered from clinical studies, either interventional or non-interventional, are considered a “special” category of data whereby processing is necessary for scientific or research purposes. In this context, the data subject gives its explicit consent for the collection and processing of personal data, according to article 7. When a volunteer, patient, or subject participating in clinical studies signs the informed consent, it will clearly state what data is being collected and why. [8]

The GDPR [1] aims to strengthen the rights of individuals to be better informed about how their data are to be used and sets out clearer responsibilities and obligations on healthcare professionals and companies using such data. [8]. The most significant improvement is that for the first time, the need to get the informed consent from the subject to handle its personal data is made mandatory and applicable not only in clinical trials, in which GCP guidelines as well as many other rules must be complied with, but in all human studies and health-related activities’.

Notably, any request for consent must be given in a clear, intelligible, and easily accessible form, using clear and plain language (article 7). Obligations and commitments in the GDPR including those applicable to informed consent, are not new not only for companies [8] but also for research institutions and other stakeholders involved in the clinical research with different roles. However, in GDPR, the consent's conditions have been strengthened and in this way, the GDPR will effect on clinical investigations, as detailed by Chassang [9], and specifically, on the information process to give consent.

Controllers that currently process data in compliance with national data protection laws are not automatically required to completely refresh all existing consent in appliying the GDPR. Consent which has been obtained to date continues to be valid in so far as it is in line with the conditions laid down in the GDPR [10].

Numerous stakeholders gave key considerations and suggestions on this issue [11] that were likewise incorporated into the comments to a Public Consultation issued by the European Commission meant to revise the draft of Guidelines released by the Article 29 WP on the interpretation of "consent" under the GDPR [10].

This paper aims at providing practical information on how to handle informed consent and assent records in the framework of clinical research in concurrence with GDPR.

Information Required to Provide

Before the entry into force of GDPR, a number of information on data protection and confidentiality provisions were to be provided to the subject (or guardians/legally designated representative in the case of minors or incapacitated subjects). Among them, the type of information which is required to be gathered, the purposes of the processing, the duration of data storage for which the individual data are required, any transfer of personal data to a third country, the rights to request access or deletion of personal data, the right to withdraw consent.

Therefore, all these items were used to be included in the information sheet.

Now, according to GDPR [1] and Article 29 WP guidelines [10], for gathering the personal data, the controller ought to provide the subject not only with this information but also with a set of information about the main responsible figures for data handling (the controller, data protection officer, the recipients of the personal information), the main rights of the subjects, etc.

The point to note is that processors, defined by GDPR as who processes personal data on behalf of the controller, are not required to be named.

With regards to the subject’ rights, GDPR also require to specify the right to request rectification of personal data, the right to restriction of processing or to object to processing, as well as the right to data portability. The withdrawal of consent should be simple to do for the data subject according to GDPR - Article 7. Notably, in the scientific research, the right to erasure is not applicable if it likely renders impossible or seriously impairs the achievement of the research objectives. The subject is also informed about its right to lodge a compliant with a supervisory authority.

GDPR specifies that the appropriate safeguards related with the possible transfer of personal data to a third country should be mentioned according to GDPR - Article 5 (1f)).

More details are required about the type of planned de-ID measures (e.g. pseudonymisation, encryption) and of any automated decisionmaking (including profiling and according to Article 22), the further purposes for data processing, the duration of data storage.

These statements are in accordance with Health Research Authorities (HRA) guidance for data protection officers on data processing [12] and on consent in research [13].

In particular, time limit isn't given in the GDPR. How long exactly the consent continues to be valid will depend upon the circumstance, the scope of the original consent and the expectations of the data subject. [10] Data may be stored in a form which permits the identification of data subjects for no longer than is essential for the purposes behind which the personal data are processed (cfr GDPR - Article 5 (1e).

The GDPR does not issue the form in which data ought to be given. That implies that valid information may be presented in various ways, e.g. written or oral statements, audio or video messages.

Informed Consent

The GDPR clarifies the requirements for getting and demonstrating valid consent.

The controller ought to acquire the explicit consent to utilize the study data for the reasons expressed in the information sheet (or in alternate methods of communication).

GDPR requires that the consent should be given as an indisputable affirmative act developing a freely given, specific, informed and unambiguous indication of the data subject's agree to the processing of individual data relating to him or her, for instance, by a written statement, including by electronic means, or an oral announcement. This was already included in the previous provisions. Moreover, GDPR (Recital 32), specifies that silence, pre-ticked boxes or inactivity should not constitute consent. A written signed enunciation is not the only approach to obtain consent, and oral statements can be similarly used to get valid consent. In fact, the controller may encounter issues to exhibit that all conditions for valid consent were met when the declaration was recorded [10].

In clinical studies, the data subject's consent is given as a written declaration which moreover concerns the acceptance to participate. In the case of minors or incapacitated subjects, guardians/legally designated representative must provide consent on behalf of the data subject.

Thusly, GDPR issues now the mandatory requirement to present the request for consent to use personal data in a clearly discernible manner [1,10]. Accordingly, in this context two separate strategies to obtain the informed consent should be given:

1- Informed consent for research

2- Informed consent for handling of data.

Consent for personal data handling should cover all activities done for all purposes. In particular, when data processing is done for several purposes, the conditions for valid consent lie in granularity (i.e. the separation of these purposes and getting consent for each purpose).

Moreover, the consent can be pulled back by the data subject anytime in an easy manner. In case of withdraw of consent, GDPR introduces the possibility to continue to use data already handled for the purposes stated in the information sheet and consent form, and stops the processing of personal data, unless the data subject has been notified. The controller needs to demonstrate that it is possible to reject or draw back consent without any disadvantage (i.e. deception, intimidation, coercion or negative results if a data subject does not consent), for example, without leading to any costs for the data subject.

The original data might be kept to validate the clinical study if that research would be genuinely impaired because of the cancellation of data [10].

Condensing, the controller must apply [10]: Specification of purpose, Granularity, Clear separation of information related to data processing practices from information about various issues.

How to Prepare the Information Sheet and the Consent Form

In the light of these statements, as the information and the consent are given in writing in the context of clinical studies, the information sheet and informed consent form for the subject (or guardians/legally designated representative in the case of minors or incapacitated subjects) are likely to be updated to be consistent with the GDPR.

This should be done by including all the following items in the information sheet:

Information about the type of data which is aimed to be gathered;

Information about the type of planned de-ID measures;

Purposes of the processing and of future or additional uses other than that for which the individual data were collected and the legal explanation for the processing and further purposes;

The time-period for which the data will be stored (or if that is not possible at that point, the criteria used to determine that time);

Rights to request for the data access and deletion; unless the data processing may seriously impair the research;

Right to withdraw the consent at any time;

Right for the portability of data;

Right for rectification of personal data or use restriction of data processing or to not use their data for whatever purposes;

Right to lodge a complaint with supervisory authority;

The transfer of personal data to any third nation/party (where applicable).

Identity of controller (or its representative’s) and contact details;

Recipients/recipient categories of the personal information;

Contact details of data protection officer if applicable;

The legitimate interests pursued by the controller or by a third party if the processing is essential for the intent of these relevant interests;

Automated decision-making, including profiling, if any, and essential information about the method used and the envisaged consequences.

Furthermore, the form to get consent for data handling (from the data subject or from legal representatives/parents in the case of minors or incapacitated subjects), should include the followings:

Consent for processing of personal data according to the purposes stated in the information sheet for which consent is sought, in order to provide data subjects the possibility to choose which purpose they accept;

Agree to store data for the period communicated in the information sheet;

Awareness of the identity of the controller;

Awareness of the type of data going to be collected and used;

Awareness about the recipients of the data;

Awareness about the right to withdraw (it should be stated clearly);

Awareness about the right to ask for access to and modification or erasure of personal data or restriction of processing;

Awareness about data portability;

Know the use of the data for choices based exclusively on automated processing, including profiling;

Awareness about transfer of the personal data to third countries or international organisation (where ever applicable) and the appropriate safeguards.

Notes for Paediatric Research

With respect to paediatrics, as per GDPR, subjects aged over 16 years of age can give consent to process and utilize their own personal data (article 8). Conversely, as per the principles governing clinical trials, consent to participate in the study/trial can be granted by subjects aged more than 18; for younger subjects, consent is given by the guardians or the legal representatives of the kid. However, these dispositions ought to be compliant with the national laws. Member States may set up lower ages yet not beneath the age of 13 years to consent to process personal data. As an outcome, in the case of subjects aged in the range of 16 and 18 years, the consent to be enrolled in the clinical study is given from parents/legal representatives and the consent to process its own personal data from the subject.

GDPR also issues how to deal with the consent when teenagers achieve the time of lawful capacity. At the point when the data subject achieves the age of consent, the consent conceded by guardians/legal representative for the processing of personal data of children can be confirmed, adjusted or pulled back by the data subject. More in detail, if the subject does not take any action, consent given before the age of consent, will remain legitimate for personal data handling [1,10].

With reference to minors GDPR also recognises that children legitimize specific protection regarding their own data, as they may be less aware of the risks and of their rights in relation with the processing of personal data.

In case of minors, GDPR assumes that the 'right to be forgotten' is relevant particularly where the data subject has given his or her consent as a child and isn't totally aware of the risks related by the data processing, and later wants to remove such data. The data subject should be able to exercise that right notwithstanding its age and legal maturity.

Given that children merit specific protection, even if no additional specific arrangement on assent/agreement for minors is detailed, GDPR recommends that:

Where personal data processing is addressed to a child, any information and correspondence, should be in such a plain language that the child can easily get it;

Affiliations and other bodies representing controllers or processors may prepare/rectify/extend sets of code of conduct, to determine the application of this Regulation, such as with regards to the information provided for, and the protection of, children, and the manner by which the consent of the holders of parental responsibility over children is to be obtained;

Each supervisory authority will promote public awareness and understanding initiatives on the risks, rules, safeguards and rights related to the personal data processing.

Notes for Secondary Use

Secondary use of data occurs when data are used for a purpose different from the one for which they were initially collected.

With reference to future research and data re-use, we mentioned that data subject should know if any future and further purposes is foreseen for processing personal other than those for which the individual data were collected and those reasons. This is ruled by Article 5 (1b) of GDPR.

When further research purposes are not specified at the start of a human research program, research purposes can be indicated in more general terms and for specific stages that are already known to occur, and data subjects should be allowed to give their consent to certain areas of scientific research when concerning recognised ethical standards for scientific research.

Accordingly, research participants ought to give their consent for research purposes in a “less broad manner”. This implies, as beforehand stated, data subjects ought to get information about “process of personal data for purposes other than those for which they were collected and those purposes and that when further research purposes are not fully specified at the start of a scientific research programme, data subjects should give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research”.

If the data handling changes or advances extensively or if an extra reason is conceived, the first consent is not any more applicable and legitimate. In this situation, new and specific consent should be acquired. Article 29 WP prescribes that consent ought to be refreshed at proper interims, giving again all the information [10]. In the case of consent withdrawn, data not-fully-anonymised data, i.e. personal data and biological samples, cannot be further used by the controller and any other third party.


Taking everything into account, the General Data Protection Regulation has impacted on clinical research, and on the informed consent and assent process. This is to be read with Article 29 WP guidelines on consent.

In the context of clinical research, new information must be given in the information sheet and in the consent form. Specifically, information on subject' rights on personal data handling, further process of personal data, data storage period and contact information on the data protection officer must be incorporated. The need for tracking the data exchange results even more relevant in order to apply the right to be forgotten. Notably, GDPR makes the right to erasure not applicable if it likely renders impossible or seriously impairs the achievement of the research objectives. In this way, the regulation leaves the responsibility to evaluate how much the processing of personal data impacts on the research to the controller, and therefore if this right is applicable. This is ruled for the first time at EU level in a harmonised way and for all clinical studies, both interventional and non-interventional.

The GDPR does not issue the form in which data ought to be given. That implies that valid information may be presented in various ways, e.g. written or oral statements, audio or video messages.

Concerning the paediatric research, no particular provision on agreement/assent for minors is granted by GDPR. However, GDPR recommends special attention to children understanding of the data processes and finally issues how to deal with the consent when young people achieve the time of legal competence.

With reference to future researches and data re-use, as per GDPR research participants will should be allowed to give their informed consent for future research purposes in a broad manner, but trying to specify the areas of scientific research.

In case the data processing changes considerably or if an additional plan is envisaged, Article 29 WP proposes refreshing consent at fitting intervals, providing all of the information again.


Citation: Giannuzzi V, Landi A, Bartoloni F, Ceci A (2018) A Review on Impact of General Data Protection Regulation on Clinical Studies and Informed Consent. J Clin Res Bioeth 9:327. DOI: 10.4172/2155-9627.1000327

Copyright: © 2018 Giannuzzi V, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium.

Select your language of interest to view the total content in your interested language

Post Your Comment Citation
Share This Article
Article Usage
  • Total views: 363
  • [From(publication date): 0-0 - Jan 21, 2019]
  • Breakdown by view type
  • HTML page views: 326
  • PDF downloads: 37

Post your comment

captcha   Reload  Can't read the image? click here to refresh
Leave Your Message 24x7