Marcus Dunn

Common Data Protection Misconceptions

Updated: Aug 31, 2022

1. We don’t collect personal data.

Every business collects personal data, and international regulations define personal data much more broadly than US regulations such as HIPAA. Personal data is any data that relates to a person (usually a living person, though that depends on the country's regulation). That includes not only a name and other demographic or contact information, but also information such as email contents, IP addresses, performance reviews, photographs, survey results, computer analytics, and the images of people captured on the CCTV in your office.

You also collect personal data from several sources. Here are just a few:

  • Employees

  • Contracts

  • Vendor employees

  • Physicians

  • Physicians’ staff members

  • Clinical trial subjects (even if you don’t have access to their name – see #4 below)

  • Ad board participants

  • Patient advocates

2. We’re not operating in the EU, so GDPR does not apply to us.

Are you sure? You may not have a physical office in the EU, but that does not mean you're not operating in the EU as far as the EU is concerned. Here are some ways you may be operating in the EU without realizing it that still expose you to data protection
  • You’re running clinical trials in the EU (even if you have a CRO).

  • Your drugs are marketed in the EU.

  • You use vendors in the EU (such as manufacturers).

  • You have employees who live in the EU (even if you don’t have an office there).

  • You’re working to branch out into the EU (e.g., you’re a CRO or vendor trying to get EU clients/work).

3. We’re sure we’re not operating in the EU, so we’re set from a data privacy/protection standpoint.

You may not be operating in the EU or UK, but you may be operating in countries with their own data protection laws and regulations. In the US, the California Consumer Privacy Act (CCPA, soon to be amended and expanded by the more GDPR-aligned CPRA) affects businesses with employees or customers in California. Other countries such as Canada, Australia, and South Africa also have their own unique data protection laws and regulations that you may need to consider.

4. Our data is pseudonymized/coded, so we don’t collect personal information in clinical trials.

Not so fast. GDPR and most other international data privacy laws consider pseudonymized data to be identifiable even if you don't have access to the code needed to re-identify it. For example, if you're running a clinical trial in the UK and you don't have access to the list that states subject 100-001 is Jane Doe, then as long as that list exists somewhere (e.g., at the trial site), anyone handling that data (e.g., sponsor, labs, CRO, etc.) has to treat it as they would if it were attached to a name. Some countries, like Australia, do not take this approach, but most countries with data protection laws
5. We’re a non-profit, so privacy regulations don’t apply to us.

Some US data protection regulations, like the CCPA, do not apply to non-profits, but GDPR and other international data protection regulations generally do. While there are some exceptions for work in the public interest, most regulations still apply to non-
6. We have a CRO in the EU (or another applicable country), so we leave data protection to them to handle.

The answer to data privacy is never, "we let the CRO or vendor handle it." This is so important I'm going to say it again. The answer to data privacy is never, "we let the CRO or vendor handle it." While this may be confusing, since we're used to working in an industry where we can transfer responsibilities to CROs and other vendors, data privacy does not work like this. You, the sponsor/pharmaceutical company/controller, are always primarily responsible for data protection. While you can put language in the contract to require vendors and CROs to comply with data protection regulations, you are ultimately responsible for ensuring that data is protected for which you're the
Disclaimer: The information provided by this website is business information and not legal advice. Interactions with this website or its owners do not establish an attorney-client relationship.


