
Data management in clinical investigations - Part 2: General data protection regulation

Sensitive personal health data is collected and processed in clinical investigations that aim to demonstrate the performance and safety of medical devices. Ensuring that an investigation complies with the General Data Protection Regulation (GDPR) requires systematic planning. Labquality offers data management services as part of its wider CRO clinical investigations offering.

Data protection "by design" and "by default" begins with the study design, which is documented first in the study synopsis and later in the clinical investigation plan (CIP).

The CIP defines which data will be collected, for what specific, limited and lawful purpose, and how the accuracy of the data is ensured. A common hazard is neglecting data minimization, which is not only a GDPR principle but also a success factor that limits the technical complexity of implementing the investigation. Vulnerable study groups, the sensitivity of the data collected, large data volumes and long storage periods all increase data protection risk; these risks must be identified and mitigated with organizational measures (roles, processes, tasks, measures, instructions, reports) and technical measures.

Data management design documents specify the technical details of the data protection implementation: the variable listing, the data flow model and the server environment description. Authentication methods, encryption of data in transit and data at rest, real-time security incident monitoring, retention of event log data and security auditing are known challenges for clinical investigations.

The possibility of a data breach should be taken seriously. A clear data breach response plan and breach notification process are critical, because there is only a 72-hour window for reporting a breach to the authorities without penalties.

To demonstrate compliance with GDPR ("accountability"), the sponsor must maintain documentation, most importantly the data privacy notice, the GDPR sections of the patient informed consent form, the data protection impact assessment (DPIA) and the data protection agreements. When data protection considerations are built into the clinical investigation plan and the data management documents, data protection has a solid foundation in the investigation.

Learn more: download the free guide Data Management in Clinical Investigations.

This post was written by Labquality's Data Manager Markus Vattulainen. You can contact him for more information:
