Is AI Quietly Creating a GDPR Crisis in Clinical Research?

Generative AI is transforming clinical trials, but a failure to distinguish between pseudonymised and anonymised data is creating costly regulatory gaps.

Ask Diana Andrade what keeps global pharma compliance teams up at night, and she doesn't start with regulation in clinical research. Instead, she addresses a misunderstanding.

"The biggest gap and risk," she says, is the assumption that key-coded, pseudonymised patient data is not personal data at all. People think it’s therefore safe to use in AI tools without caution. That’s in fact a misconception. 

In an industry quickly adopting generative AI for tasks from protocol drafting to drug discovery, this misunderstanding is becoming one of the costliest compliance oversights in clinical research.

In the recent episode of The Discovery Loop podcast, host Shubhangi Dua, Podcast Producer and B2B Journalist at Pharmatica.io, sat down with Diana Andrade, Founder & Managing Director at RD Privacy and Data Protection Officer (DPO) for Biopharma and Life Sciences. They talk about the current state of data protection regulations and how enterprises can innovate responsibly.

As the founder and lead at RD Privacy, Andrade serves as a data protection officer for biopharma and life sciences companies dealing with GDPR compliance, cross-border data transfers, and privacy governance across several jurisdictions. 

Her career began in contracts at the contract research organisation (CRO) giant PPD clinical research business of Thermo Fisher Scientific. Eventually, she moved into privacy law, revealing a gap where many lawyers understood data protection, but few knew enough about clinical research to apply it correctly.

Also Read: 11 Clinical Trials Defining Pharmaceutical Strategy in 2026

What’s the AI Misconception Costing Pharma Companies

On the Pharmatica podcast with Dua, Andrade spotlighted two key AI misunderstandings she frequently sees among sponsors and CROs.

The first is technical. Teams confuse pseudonymization with anonymisation. Data that has been key-coded, stripped of clear identifiers but still traceable to an individual, is still considered personal data under GDPR. Using it in an AI tool does not change this classification, regardless of how the data is labelled internally.

The second is cultural and arguably more dangerous. Compliance teams are beginning to think AI can handle compliance on its own. "It's very hard with AI," Andrade says. AI adoption will continue to rise, and familiarity with these tools is now essential in the industry. However, this increases the need for strong governance. 

Pharma enterprises still require major human oversight to establish guidelines and oversee AI's actions.

In practice, this requires internal processes defining how AI can be used and active human oversight of every output. Andrade told Dua that you can’t trust everything AI produces without verifying it first.

Where AI Has Earned Its Place in Clinical Research

Andrade acknowledges significant value in AI tech across the clinical trial lifecycle. For instance, AI’s benefits include faster drafting of clinical research protocols, developing internal procedures that help smaller biopharma teams scale without increasing headcount, and analysing trial data for new drug development leads.

However, the RD Privacy Managing Director is wary of using AI without supervision. She noted that each of these use cases involves feeding an AI system with sensitive material from business-confidential information and personal data, despite the data being key-coded. This combination is why she argues that pharma compliance programs must go beyond GDPR and specifically address emerging AI regulations, rather than treating these as separate issues.

Why Every Pharma Company Needs a Dedicated DPO?

Andrade advises pharma leaders that every biopharma enterprise needs a data protection officer or someone specifically responsible for its global privacy program, no matter its size.

The reason is the structure of clinical trials, which can’t be contained in one country. They start in one controlled area and then expand rapidly. The legal basis for processing patient data can entirely change when moving from one country to another. In some markets, patient consent is necessary; in others, the sponsor's legal obligations and legitimate interests come into play, needing a documented legitimate interest assessment to ensure these interests do not violate patients' rights.

Andrade believes that while compliance may come across as a puzzle, it can be managed with one piece but becomes exponentially harder as trials move into new markets. Each new country adds pieces that must fit together. Without a DPO to manage this puzzle, she warns, "very quickly your clinical trial can become a mess."

She emphasises that the DPO role should be viewed as an ongoing necessity, not a one-time task. It's not about filing documentation away and forgetting it; it requires active involvement that evolves with clinical operations and needs support from every growing team within the organisation.

Also Watch: AI in Pharma: Hype vs. What Actually Works

How to Stay Up-to-Date in Pharma Regulatory Space & GDPR?

To assist privacy professionals in keeping up with a regulatory environment that spans many jurisdictions, Andrade recently launched RD Privacy Watch. This platform aggregates and summarises data protection news and guidance from authorities worldwide, links to sources, and provides a weekly digest of the most relevant updates, which can be filtered by jurisdiction.

Andrade created it to address her own need to stay informed in a fragmented global regulatory market. Recognising its value to the broader privacy community, she made it publicly available.

She also runs the RD Privacy Global Academy, a training platform to help teams implement data protection controls in their daily work. She noted the training currently available is GDPR-focused, with plans to expand into other jurisdictions.

Takeaways

  • AI is transforming data protection in clinical trials.
  • Pseudonymized data still requires careful handling.
  • Human oversight is essential when using AI.
  • Global clinical trials face complex regulatory challenges.
  • Training is crucial for compliance and empowerment.
  • Data protection is an ongoing journey, not a one-time task.
  • Privacy should enable innovation, not hinder it.
  • Understanding local laws is vital for cross-border transfers.
  • Trust in data protection is key for patient recruitment.
  • RD Privacy Watch is a valuable resource for privacy professionals.

Chapters

  • 00:00 Introduction to Data Protection in Pharma
  • 04:00 The Impact of AI on Data Protection
  • 11:50 Challenges in Cross-Border Data Transfers
  • 17:28 The Importance of Training and Compliance
  • 23:31 Launching RD Privacy Watch
  • 30:16 Navigating Clinical Trials and Data Protection

For more information on data regulations for clinical trials globally, head over to rdprivacy.com and reach out to Diana Andrade on LinkedIn.

Did you enjoy the content?

Why not support Shubhangi Dua by giving this content a like

Comments (0)

Enlarged image