Five Tips To Prepare Your Life Sciences Organisation For The GDPR

The GDPR deadline is May 2018. Are you ready?

A recent survey from Clearswift asked companies whether they felt they had all the necessary processes in place to comply with the pending General Data Protection Regulation (GDPR). The five sectors most likely to report being ready were technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%). The survey also revealed that healthcare was the sector least likely to be ready for the GDPR and to have the processes in place to comply with the legislation.

GDPR takes effect on 25 May 2018 and introduces substantial changes to the EU data protection regime. The GDPR will reshape the relationship between businesses and customers and reform the approach to how businesses handle personal data.

Our Intellectual Property Associate, Ashley Williams, prepared five practical tips to help Life Sciences organisations plan for compliance with GDPR.

1 – Conduct a data audit

Before you can assess how the GDPR applies, you need to know what your organisation actually does with personal data. Start with the basics: asking who, what, why, when, where and how for each data set will help you map your data flows.

2 – Review consent procedures and privacy notices

Existing fair processing notices will need to be reviewed and redrafted. The process for obtaining consent will need to be reviewed to ensure it satisfies the new requirements (pre-ticked boxes or inactivity will not amount to valid consent under the GDPR). Individuals will have stronger rights where consent is the ground relied on for processing. If there is another lawful ground for processing, use it.

3 – Internal policy review

For those with limited resources, focus on the key changes that are likely to impact your business. New breach reporting obligations and accountability requirements are likely to trigger changes to internal policies. Global policies may need to contain country-specific provisions (a one-size-fits-all approach is unlikely to be sufficient).

4 – Accountability – share the joy

Governance needs to go beyond the traditional "core" teams of legal, compliance and information security and include all parts of the business; in particular, PR and marketing should be involved so that the reputational damage from a breach can be managed. Remember that your data protection officer (DPO) needs to be independent: any manager who can influence the purpose or manner of processing will not be able to act as DPO. Consider external resources to manage costs.

5 – Review and revise processing agreements

Focus on key data sets and material processing arrangements. Data controllers should take the opportunity to ensure that each processor is also compliant with the controller's internal policies. Data processors should review their liability position and consider introducing liability caps to reduce their exposure.


This article originally ran in an online issue of Biotech And Money in October 2017.
