Paul Gillingwater MBA, CISSP, CISM, RHCE

Paul Gillingwater MBA, CISSP, CISM, RHCE

Management Consultant

Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.

New Rules for Clinical Trials in France

A look at the new rules applicable for clinical trials in France

Opinion Piece by Paul Gillingwater, MBA, CISM, CISSP

In July 2018, the CNIL (the French data protection authority) adopted new simplified rules that relate to the processing of personal data in health research, and in particular with clinical trials.

There are five new reference methodologies which are intended to simplify the legal framework for the processing of health data (they are numbered MR-001 through MR-006, excluding MR-002).

MR-001 “Health Research with Consent Collection”

For clinical trials specifically, MR-001 “Health Research with Consent Collection” would usually be applicable.

Any trial that doesn’t conform to one of the five reference methodologies must apply for authorization of its research directly with the CNIL.

Under the new regime, if you are assessed under the new simplified approach, you are obliged to appoint a DPO for each clinical trial.

Previously, the appointment of a DPO had to meet the standard “core activities consist of large-scale processing of special categories of data.”

The key difference here is that clinical trials (which obviously deal with the processing of special categories of data) do not have to be “large scale processing” in order to trigger the appointment of a DPO.

The distinction is made due to the frequent examination of genetical factors in such trials. It also applies to so-called “intervention” trials, and the use of drugs and other medications.

Updates to MR-002

MR-002 may follow suit soon.

The CNIL indicated that it intends to update MR-002 regarding non-interventional studies on in vitro diagnostic medical devices by the end of 2018 to oblige the data controller to appoint a Data Protection Officer (DPO) and inform the data subject when collecting personal data in order to comply with the GDPR.

As far as we are aware, France is the first of the E.U. nations which has made a DPO necessary under these situations.

However it seems likely that other states may follow their example, meaning it would be prudent for all sponsors of clinical trials to consider the appointment of a DPO, regardless of the number of participants.

Please click here for the full CNIL article.

Chaucer offers advisory services on GDPR, as well as DPO and GDPR Representative services. Please contact us on DataPrivacy@Chaucer.com or 0203 934 1099.

Paul Gillingwater MBA, CISSP, CISM, RHCE

Management Consultant

Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.

Blog 08 Apr, 2020

Digital Transformation, Data Strategy, Journey to Cloud

Why Move To Cloud? - A Service Perspective

Charles Wright

Charles Wright

Data Strategy & Analytics Expert

Chaucer's AI specialist delivering data strategies and capabilities for Fortune 500 organisations. He is passionate about driving data led digital transformation to enable organisations to realise the benefits of machine learning and holds both an MBA and MA in Educational Leadership and Management.

Blog 06 Jul, 2020

Innovation, Data Strategy, Test

Chaucer Nominated For A MCA Award In “Data & Innovation In The Private Sector”

Chaucer

Chaucer

Experts in creating value from digital transformation and data to improve lives

Blog 18 Sep, 2020

Data Strategy, GDPR, Privacy, Test

What Comes After The Privacy Shield?

Paul Gillingwater MBA, CISSP, CISM, RHCE

Paul Gillingwater MBA, CISSP, CISM, RHCE

Management Consultant

Paul Gillingwater GDPR, ISO27001, PCI/DSS, GRC, DPA18

Paul is a Managing Principal Consultant and registered DPO at Chaucer who has worked for more than 30 years as a cyber security and risk specialist and advisor to businesses, government and non-profits with their governance, regulatory and compliance requirements. Over the past five years he has focused on UK & EU data protection and is a passionate advocate of online privacy rights education.

Chaucer Newsletter

Sign up to receive our weekly newsletter. You can unsubscribe at any time.

You can read our privacy policy and terms & conditions here.