The EEA and UK continue to pack a punch in the clinical trial arena – but what does this mean for sponsors from a data protection perspective?

The EEA and UK continue to pack a punch in the clinical trial arena – but what does this mean for sponsors from a data protection perspective


Choosing the right country or countries, sites and investigators for a clinical trial is critical for success in any pharmaceutical drug or medical device development programme.

In addition, getting to grips with local clinical trial and data protection regulations ensures the mitigation of data breaches and protects your data subjects’ privacy. Thus, avoiding costly fines and sanctions that, at best, could delay your trial and, at worst, stop it all together.

Second only to the United States, Europe ranks highly in the number of global clinical trials conducted. In August 2023,, a web-based US registry of clinical trials (drug, biologic and device), reports 164,498 registered clinical trials in the US and 132,152 in Europe, as shown in the number of clinical trials by country infographic above.

Europe may seem small, considering only about 9% of the world’s population lives there – but it’s the second largest region by the number of studies conducted, with 93% of clinical trials in Europe hosted within the European Economic Area (EEA) and the UK.

In this article, we look at why sponsors include the EEA and UK in their clinical trials strategy for pharmaceutical, biotechnology and medical device products despite facing one of the world’s toughest data privacy and security laws, the GDPR, and why smart sponsors seek early advice from a data protection and privacy consultancy.

Europe has long been an attractive location for pharmaceutical companies conducting clinical trials. But what drives a sponsor to choose a country/site for their study?

The factors that a sponsor considers when deciding to execute their studies in a particular country or countries are multiple, including:

  • Regulatory and ethical approval processes and their timelines
  • Access to a specific patient population
  • Recruitment potential and speed
  • Site capabilities, staff qualifications and experience
  • Project costs

But with one of the world’s toughest data protection laws, why do sponsors choose the European Union/EEA and the UK for their clinical trials?

With a combined population of over 525 million, the EEA and UK offer several advantages for single or multicentre clinical trials, including:

  • Access to a high-quality scientific ecosystem
    Europe has a host of ready-made, high-quality scientific sites for clinical research and clinical trials giving access to world-leading academic centres of biopharmaceutical excellence (research scientists and skilled research staff) and leading hospitals with world-class specialists in key disease areas that conduct trials based upon best practice diagnostics methods and standards of care.
  • Investments by international pharmaceutical companies
    Europe continues to perform strongly in attracting clinical trial investments. In recent years, international pharmaceutical companies’ interest in conducting clinical trials in individual European countries (e.g. Spain) has increased.
  • Regulatory considerations
    The European Union gives sponsors a significant advantage over other countries, as the European Commission (EC), Heads of Medicines Agencies (HMA) and the European Medicines Agency (EMA) work together to create unified standards that make it easier to run trials across multiple member states instead of just one country, accessing a wider patient population.

The COVID-19 vaccine trials proved that multinational trials offer benefits for patients, sites and sponsors:

  • Patients have access to better medical treatments no matter where they live
  • Sites and sponsors have access to larger and more diverse patient populations, making recruitment faster and more inclusive

To conduct clinical trials in the EU/EEA, pharmaceutical companies must comply with stringent regulations, most notably the General Data Protection Regulation (GDPR) and the Clinical Trials Regulation (CTR). The CTR imposes obligations related to establishing and conducting a clinical trial, and the GDPR imposes obligations in processing personal data.

Applying the two regulations in parallel can prove challenging, especially if this is the first time you have conducted clinical trials in the EU/EEA (or the UK). Seeking advice from a trusted data protection consultancy early can help ensure that all aspects of your clinical trial — and the data handling involved — are executed to current regulatory standards.

The introduction of the Clinical Trials Regulation (CTR) in early 2022 in the EU/EEA has brought countries together under a shared set of clinical trial standards, intending to make the EU an even more competitive location to conduct clinical research in the future, including the following:

  • a streamlined application procedure for all clinical trials conducted in Europe using a single EU portal and database, the Clinical Trials Information System (CTIS).
  • a single authorisation procedure for all clinical trials for faster and better assessment by all member states in the application
  • the extension of the silent agreement principle to the authorisation process provides legal certainty to sponsors and researchers, particularly SMEs and academics; and
  • greater transparency for clinical trial data with a searchable database for the public to learn more about the trials.
  • improved collaboration between Member States on assessing unexpected events in clinical trials, ensuring the highest safety standards for trial participants.

The EU General Data Protection Regulation is the world’s toughest privacy and security law. It is a large, broad, and far-reaching regulation designed to give EU/EAA individuals more control over how their personal data is collected, used, stored and protected. It also binds organisations to strict rules about using and securing the personal data they collect, including the mandatory use of technical safeguards like encryption and higher legal thresholds to justify data collection.

Since leaving the EU, the UK has adopted the GDPR in domestic law as the UK GDPR. It has been adapted for the UK’s legal system and forms part of its data protection landscape alongside the Data Protection Act 2018 (DPA 2018).

Compliance with the GDPR is a significant undertaking, particularly for pharma and biotech SMEs with limited resources. However, implementing and maintaining GDPR compliance is a much smaller expense than the potential financial sanctions if you ignore compliance requirements.

Failure to keep regulatory documentation up to date, particularly the record of processing activities, can be subject to administrative fines of up to 2 per cent of an organisation’s global annual turnover or €10 million.

For especially severe violations, non-compliance can attract heavier penalties of up to 4 per cent or €20 million, and enforcement action, where the penalised organisation will be under strict supervision as it addresses areas of non-compliance.

To be considered is the possibility of losing productivity and money through either trial disruption or, in the most severe cases, termination of your clinical trial altogether.

Non-compliance also puts you at risk of a data security breach and, consequently, potential claims by data subjects seeking compensation for damages. Data breaches within clinical studies and the public/media perception that some pharmaceutical companies value profit over people can leave data subjects vulnerable and erode trust within the industry. It is, therefore, not surprising that lack of trust remains one of the most cited barriers to public participation in clinical research.

However, through GDPR compliance, sponsors can regain participants’ trust in the clinical trial process by acknowledging these concerns upfront and addressing them through clear communication and increased transparency. GDPR compliance demonstrates to patients that you value them as true partners, not just participants.

Are you a clinical, regulatory affairs, or quality and compliance professional who understands your country’s data privacy and protection regulations but needs help applying the GDPR to your European data-processing activities?

What can a non-EEA sponsor do to ensure GDPR compliance while setting up a clinical trial?

Setting up a clinical trial may take 6-8 months. But the GDPR applies when you start collecting and processing personal data from anyone, including staff, in the EEA or UK (in the case of UK GDPR). If you’re recruiting investigator sites or starting to put agreements and contracts in place – these activities process personal data and fall within the scope of the GDPR.

The number one piece of advice and the smart choice for any pharmaceutical SME sponsor is to take the time to identify a trusted data protection consultancy – a trusted partner who can support you with their services and advice from the early planning stages of your trial. They can help ensure that all aspects of your business comply with the most recent data privacy and protection regulations, including:

Pharma Data Protection is a team of specialists in clinical trials and data protection passionate about providing pharmaceutical research worldwide with the tools, assistance, and expertise needed to safeguard data subjects’ privacy and ensure maximum GDPR compliance.
Thanks to our combined expertise, we pragmatically apply the GDPR legislation and support you in making the necessary changes to your policies, documentation, and processes.

Talk to us about how we can help you navigate GDPR