Analysis: DPIAs, clinical trials and AI – health sector and life sciences updates

Susan Walsh and Rachel Hayes
As the healthcare and life sciences sector adapts to rapid innovation and increasing regulation, William Fry lawyers Rachel Hayes, Susan Walsh and Louisa Muldowney explore two recent developments worth noting: DPIAs in clinical trials and high-risk AI classification.
The healthcare and life sciences landscape is constantly evolving as organisations strive to harness rapid technological advances.
In parallel, a growing body of innovation and data-driven legislation at both the national and EU levels is emerging to regulate the sector. Clear and timely guidance is essential for industry players working to keep pace with this dynamic environment.
This month, we highlight two noteworthy developments for stakeholders navigating this space.
Data protection impact assessments in clinical trials
The National Clinical Trials Oversight Group (NCTOG), established by the Minister for Health to increase the number of clinical trials of investigational medicinal products in Ireland, has published welcome guidelines relating to responsibilities for data protection impact assessments (DPIAs) during clinical trials (here).
NCTOG aims to position Ireland as a high-performing country in clinical trials activity by identifying and addressing challenges to starting clinical trials.
The guidelines on DPIAs follow from the NCTOG’s interim recommendations of October last year (here), which identified that various interpretations regarding data protection arrangements, and in particular, responsibility for data protection documentation (such as DPIAs), can cause delays in the clinical trial sign-off process.
NCTOG has therefore published concise, reader-friendly guidelines which clarify organisations' responsibilities in relation to DPIAs when setting up clinical trials. The guidelines outline obligations in relation to the following scenarios in which DPIAs are required:
- Scenario 1: The sponsor of a clinical trial, as the data controller, is responsible for undertaking the DPIA and for compliance with data protection laws and regulations, while the trial site (to the extent that it is operating in the capacity of data processor) is not so required.
- Scenario 2: The sponsor and the clinical trial site are acting as joint controllers. In this instance, both organisations are responsible for undertaking the DPIA and must reach an agreement on how it should be carried out. Similarly, as joint controllers, both organisations would be responsible for ensuring the clinical trial’s compliance with data protection laws and regulations.
It is important to note that the guidance confirms that local/hospital data protection officers and ethics committees are not responsible for reviewing DPIAs; however, ethics committees are tasked with reviewing the statement of compliance for the clinical trial approval process.
It is also helpful for organisations to be aware that the Data Protection Commission of Ireland contributed to the work of the NCTOG in a consultative capacity to assist with ensuring that data protection compliance is not an impediment to clinical trials being conducted in Ireland.
The EU Commission consultation on classification of high-risk AI systems
Another important development for the healthcare and life sciences sector is the recent EU Commission consultation on the classification of high-risk AI systems under the AI Act (here).
The Commission is seeking input to guide its drafting of guidelines on high-risk AI systems, which it is required to publish in February 2026 in advance of the rules on high-risk AI systems in the AI Act taking effect in August 2026.
The guidelines will address the classification of high-risk AI systems: those that are important for product safety under specified EU legislation (pursuant to Article 6(1) of the AI Act), and those that are deemed high-risk for their potential impact on human rights (Article 6(2)).
As several applications of AI in a healthcare setting are contemplated in each of these categories under the AI Act, the consultation is an important opportunity for stakeholders in the healthcare and life sciences sector to seek clarity on real-life applications of AI.
Organisations such as those undertaking clinical trials, for example, are encouraged to engage with the Commission via the consultation to ensure that the Commission guidance is practical and informative for the sector. The consultation is open until 18 July 2025.
Conclusion
While the regulatory landscape for healthcare and life sciences is becoming increasingly complex, regulators are aware of the challenges and opportunities within the sector. In response, they proactively publish practical guidance and create meaningful opportunities for constructive stakeholder engagement.
By participating in consultations and staying informed, organisations can help shape the evolving framework and ensure that future regulations are both effective and workable in practice.
- Susan Walsh is a consultant, Rachel Hayes is a partner and Louisa Muldowney is an associate at William Fry.