01 October 2018

GDPR: Key changes for life sciences organisations


Ashley Williams
Senior associate | UK

Organisations operating in the life sciences sector process huge amounts of sensitive personal data. However, recent studies show that a large number of organisations aren’t aware of the changes ahead resulting from the EU data protection overhaul and the GDPR, which will take effect from 25 May 2018. Given sanctions of up to €20 million or four percent of annual worldwide turnover (whichever is higher) can now be imposed for serious breaches, this should be a boardroom issue for organisations.

Key changes

Scope: The GDPR will apply to the processing of any data relating to an identifiable person. Genetic data and biometric data are expressly called out as sensitive personal data for which more stringent requirements apply. The GDPR also clarifies that pseudonymised personal data, for example, key coded data, should be treated as personal data.

Territorially, the scope of the GDPR has widened and it will apply to non-EU organisations if they offer goods or services to individuals in the EU or monitor their EU behaviour (for example, online tracking).

Accountability and privacy by design: Organisations will need to integrate data protection compliance with the introduction of new technologies, with “high risk” processing requiring detailed privacy impact assessments.

Consent, enhanced rights and privacy notices: Consent must be “freely given, specific, informed and unambiguous” with clear affirmative action. The enhanced rights provide individuals with the rights to restrict or object to processing and the right to be forgotten in certain circumstances.

This poses considerable challenges to life sciences companies as any restrictions on processing personal data could have serious impacts on life sciences projects, especially clinical trials. The GDPR is also very prescriptive as to what must be included within privacy notices, such as details of retention periods, the legal basis for processing and notification of the enhanced rights.

Appointment of a data protection officer: Organisations whose core activities result in regular or systematic monitoring of individuals or large-scale processing of sensitive data will require a data protection officer (DPO). The DPO must be able to operate independently, report to the highest management level of an organisation, and have professional experience and knowledge of data protection law.

Processing agreements: The GDPR is rigid on what should be included within an agreement between the entity deciding the purpose and manner for which personal data can be processed (data controller) and the entity processing on behalf of the data controller (data processor). The new provisions include a direct obligation on data processors not to engage any sub-processors without prior written consent from the data controller. Given the number of players involved in most life sciences projects, procedures will need to be in place to manage this process.

Reporting data breaches: Breaches that are likely to result in a high risk for the rights and freedoms of individuals need to be reported to data protection authorities without undue delay and, where feasible, within 72 hours. They must also be reported to affected individuals in certain high-risk situations.

Derogations: the missing piece of the puzzle

Where personal data is processed for scientific research purposes, Member States may provide for derogations in respect of certain rights, most notably the right to restrict or object to processing.

The new UK Data Protection Bill (which houses these derogations for the UK) states that these enhanced rights will not apply to the extent they would prevent or seriously impair the achievement of the scientific research purposes in question. However, this bill will be under scrutiny in light of Brexit as to whether it provides satisfactory safeguards, which extends the period of uncertainty for those operating in or from the UK. This also means assessments will still need to be made at a local Member State level to comply with the derogations.

This article was originally published by LSX on 20 October 2017. Tech law firm JAG Shaw Baker joined Withersworldwide in August 2018 to create a unique legal offering that meets the needs of entrepreneurs, investors and technology companies across the world.

Ashley Williams Senior associate | London
