Readying The Life Sciences Sector For GDPR

With the General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, our IP Associate, Ashley Williams, recently talked to Louise Fordham, editor of The Drugs & Dealers Blog with Biotech And Money, about what the Life Sciences sector could do to ready itself for the coming regulation.

In the article, Williams outlines the impact of the increased focus on data protection on cross-border activities and transactions in life sciences, and talks through the steps companies can take to prepare for the GDPR. He also touches on the importance of tailoring compliance programmes, gaining senior-level buy-in, and understanding the GDPR exemptions that are relevant to a life sciences company’s business operations. Williams looks at the issue in eight key areas:

  • Harmonising data regulation
  • Increased data obligations
  • Understanding GDPR and relevant exemptions
  • Developing a tailored action plan
  • Getting senior level buy-in
  • Keeping data protection front of mind
  • Brexit and GDPR
  • Cross-border transactions and activities in life sciences

This is a truncated version of the article; you may read the full article, Readying the Life Sciences Sector for GDPR, on the Drugs & Dealers Blog.

Harmonising data regulation

On 25 May 2018, the General Data Protection Regulation (GDPR) will take effect, bringing with it enhanced data privacy protections for those residing in the European Union (EU) and potentially hefty fines for non-compliance.

The new regulation gives data subjects greater oversight of how companies process their personal data, where it is being processed and for what purpose; the right to obtain their data and transmit it to another data controller; and the right to have their data erased in certain circumstances. Among other measures, the GDPR will also require data breach notifications to be issued within 72 hours where such a breach is likely to result in a risk to the rights and freedoms of individuals.

One of the principal objectives of the GDPR is to harmonise data protection regulation across EU Member States. Ashley Williams, Associate at JAG Shaw Baker, says: “There are some welcome clarifications on conditions that were either ambiguous or where Member States may have taken divergent approaches.” One such example is pseudonymised data, such as key-coded patient data. “Under the current regime, they take a different approach across Member States as to whether that is personal data,” explains Williams. “The GDPR has clarified that is personal data and needs to be treated as such.”

While such harmonisation could provide some welcome clarity, certain aspects of the GDPR are expected to have a more direct and significant impact on the life sciences sector.

On the subject of GDPR and Brexit, Williams says that, for companies with UK operations, it is worth highlighting that the UK’s decision to leave the EU will not impact the initial application of the regulation.

The GDPR will come into force in the UK in May 2018 and is set to be converted into UK law through the European Union (Withdrawal) Bill upon its exit from the EU. Furthermore, the new UK Data Protection Bill, which is currently awaiting its third reading in the House of Commons, aims to ensure that the UK’s data protection provisions place it in a strong position pre- and post-Brexit.

In the longer term, however, companies could face increased complexity.

“Currently, [the UK] benefits from being in the EEA [European Economic Area] and, therefore, transfer from one Member State to the UK is much easier because each is considered to have appropriate and adequate safeguards in place to respect data privacy,” explains Williams.

“But when [the UK] is no longer part of that, the concern is if nothing is put in place then [the UK] may be treated as a third country, in which case international transfers to [the UK] will become more complex.”

This could have a particular impact on clinical trial sponsors and CROs, for example, where activities are spread across multiple territories.

Williams also addresses keeping data protection front of mind, stating that while 25 May 2018 continues to loom large for companies, compliance will remain an ongoing issue.

“The regulation is very much set up for continual renewal,” explains Williams. “When you introduce new technologies or carry out new processing activities, for example, then you need to carry out privacy impact assessments, which are like a mini-audit, before you deploy that new technology or start that new processing activity.”

Of course, data protection is a much bigger issue than GDPR compliance alone, as has been demonstrated by the extensive media coverage of recent data privacy breaches. Reputational damage, and the risk this poses to share values, will also help to maintain data privacy as a priority for businesses, says Williams.
