Two Birds, One Stone: Informed Consent and GDPR


Al O. Pacino; Matthew Chandler

With the successful expediting of clinical research for COVID-19, many have questions about the future of clinical research compliance. The challenges of adhering to U.S. Food and Drug Administration (FDA) requirements and new regulations regarding the protection of personal data are ongoing. However, with emerging technology, clinical research executives and staff should be able to adapt more readily. Governments and clinical research stakeholders could work with sites to include clear data protection agreements required to fulfill the requirements of informed consent and the General Data Protection Regulation (GDPR). It is becoming more possible to harness the digital and decentralized shift of clinical research to better ensure compliance and consent.

Managing the Next Steps

Across the U.S., state legislatures are drafting and/or implementing localized versions of the internationally recognized set of laws known as GDPR. The regulations originated from the European Union (EU) Data Protection Board and outline the ownership of an individual’s right to his or her personal information.{1} The guiding principle of GDPR conveys the importance of data management for every subject’s protection and for researchers in EU member countries to safely use GDPR-compliant applications and protection systems. This impacts clinical research sites regarding their handling of subjects’ personal information.{2}

As localized GDPR laws are relatively new, and there is a lot of regulatory overlap between FDA informed consent guidelines and GDPR, many sites may be unaware of their compliance status. Sites able to demonstrate compliance for both sets of laws can leverage their compliant status while also furthering clinical trial progress across the globe.

When comparing the FDA requirements for informed consent to GDPR, there is significant similarity.{3} For example, the FDA states clinical research participants are entitled to “the confidentiality of information collected during the clinical trial [and] how records that identify the subject will be kept.” This is akin to GDPR’s Article 5, which states, “[Data must be] processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.”

Utilizing the language from a compliant informed consent document to create a participant GDPR data protection agreement is a step forward in achieving dual compliance. Minimally, it would benefit sites to update the existing language in their informed consent documents to reflect their obligations in terms of handling a subject’s personal information.{1,3} It is important to note that research data findings obtained through the clinical trial process are exempt from the right of data access, outlined in GDPR’s Chapter 3.

Several sites could be at or near total compliance with GDPR due to their existing alignment with FDA informed consent standards. The FDA puts a strong emphasis on including information about the role of consent for clinical trial participation. On the topic of consent, GDPR has a detailed section commonly referenced in state laws, under Article 7 entitled “Conditions of Consent.” The section addresses how organizations handle consent for the personal information they obtain from subjects. Article 7 states, “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

When it comes to compliance, sites should be able to more easily implement protocols that allow for addressing both GDPR-like state laws and informed consent obligations. Sites can signal to other institutions with whom they work, such as sponsors and governments, that being in compliance with both sets of laws means they are better prepared for launching trials.{1}

Providing research subjects with a separate document to sign alongside informed consent, under a clear GDPR title, would be necessary as cited by GDPR’s Article 7: “If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.” Implementation of a specific document would allow for sites to demonstrate compliance for both GDPR and informed consent.

Continuing to Improve the Process

Digital solutions are becoming more common to advance the social progress being made by the global research community. For many clinical research and healthcare sites, paper-based systems and siloed portal systems that require many logins to conduct clinical trials are being phased out. One of the central drivers for the push to streamline online capabilities is the benefit of distribution capability that comes with single sign-on, cloud/multisystem databases.

Building a larger information system that could warehouse and disseminate regulatory electronic forms could simplify operations-related goals. Ideally, each major type of clinical research stakeholder would be able to access that type of information database from anywhere in the world for the shared goal of maintaining compliance.

Even with existing efforts to modernize the industry, it is becoming more evident that stakeholder collaboration is vital. Each stakeholder can benefit from an increased ease of regulatory management and access to up-to-date informed consent requirements. Access to a standardized template for informed consent and GDPR forms should become a viable solution for site sustainability.

An increasingly common practice in healthcare and clinical research sites is the use of electronic forms and signatures. A broader, adaptive solution for all could be having standardized regulatory documents, third-party technical assistance services, and educational courses available for all stakeholders from one source—this would be setting up a more even playing field for site success.

As our world becomes more interconnected, it is important to make sure we remain open to new industry possibilities. For some, interconnectivity and collaboration seem like a competition liability, but sponsors and contract research organizations are beginning to express interest and even implement more efficient and centralized systems, which were once seen as too risky to start. New collaborative systems allow us to designate responsibility, ensure accountability, and enjoy high-speed access to online learning. Some of the possible outcomes of having an institutional, unified effort are increased site sustainability and faster study start-up. Through increased standardization, everyone can benefit by reducing the stress of regulatory hurdles.

Sites that are open to more innovative business models and those willing to opt into standardized regulatory information access could allow leadership to focus more on team cohesion and study acquisition. If subjects and patients are able to supply their personal information on their phones or tablets, we should consider the abundance of opportunities and not just the initial costs.


Our way of life increasingly relies on new technology; a vast majority of our needs can be managed by simply using applications on our smart phones. One of our greatest capabilities is the ability to distribute an endless amount of information through the internet. To continue producing lifesaving products, it is imperative to harness connective, online tools to distribute the knowledge necessary for sites to succeed. A single location, website, or direct service should be made available to all sites so they can learn about regional privacy laws. Achieving FDA-compliant informed consent and following localized GDPR requirements allow for the opportunity to expand research globally while producing lifesaving products.

Internationally and domestically, social media companies and governments are continuously updating privacy and security standards to better protect individuals. Keeping up is going to require forward and visionary thinking. It is essential that executives use their experience and judgement to apply knowledge around laws that directly impact their research institutions.

Sites that can get ahead and officially declare themselves to sponsors as GDPR- and consent-compliant partners in research can leverage their status to gain an international competitive advantage. All clinical research organizations that can modernize in this way would also reduce long-term risk associated with the penalties and liabilities of noncompliance.

The goal should be to make GDPR and informed consent as easily manageable as possible. Change can sound like potential problems to some, but peace of mind is achievable with the simplified processes and education available through the tools at our fingertips.




Al O. Pacino is President at BlueCloud® by HealthCarePoint Professional Collaborative Networks, based in Cedar Park, Texas, and a former member of the Editorial Advisory Board for ACRP.

Matthew Chandler is Manager of Site Engagement at BlueCloud® by HealthCarePoint Professional Collaborative Networks, based in Cedar Park, Texas.

