1) What is GDPR?

Essentially, the EU General Data Protection Regulation (GDPR) supplants the previous Data Protection Directive 95/46/EC, a formal set of guidelines concerning data privacy. The premise of the new regulation is to bring into line data privacy laws throughout Europe, while safeguarding the rights of EU citizens. Crucially, the GDPR aims to alter the way organizations handle and process sensitive data. The regulation is set to come into effect in May 2018.

2) How will it affect my organization?

The GDPR is effective across the EU, meaning it has a vast jurisdiction. If your company operates and is based within the EU, then it has to adhere to the law “as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”

Therefore, it’s imperative EU companies appoint a Data Protection Officer who is responsible for ensuring compliance to GDPR. For non-EU based organizations, it’s important to bring on a subject matter expert who can advise on the implications of the GDPR and how will affect business operations.

3) Will the Regulation change the way the industry collects and stores patient data?

In a word, yes. According to eugdpr.org, the regulatory landscape on data privacy will radically change as the jurisdiction will extend beyond Europe’s shores. For any international company that processes the personal information of subjects who live within the EU, they must comply with GDPR, regardless of where that company is based. So if, for instance, you’re a U.S. biotech conducting an oncology trial in Germany, any patient data gathered, must abide by the laws set out in GDPR.

However, the GDPR stipulates that data pertinent to EU citizens that are transferred outside the European Economic Area (EEA) must be protected “in a manner that is consistent with how personal data is protected in the EEA.”

4) Will Brexit impact EU GDPR’s implementation?

For U.K. companies conducting any form of business in Europe, it appears they are obliged to comply with GDPR, regardless of whether the U.K. leaves the EU. According to a recent article, if a company handles personal individual data within the framework of ‘selling goods or services to citizens in other EU countries,’ then said company must adhere to GDPR post-Brexit.

Furthermore, if a U.K. company’s activities are conducted within the country, then after Brexit there is a lot less clarity on the rules governing data processing. That said, the U.K. government has hinted at a desire to develop and implement similar guidelines once it has left the EU, although time will tell on what those laws will look like. The unclear nature of Brexit means U.K. companies need to be ready for any changes that will occur, and how it will impact the business.

5) What happens if companies fail to comply with the Regulation?

There is a tiered structure to penalties whereby companies can be fined differing amounts, depending on the severity of the infringement. If, for instance, an organization is guilty of not having satisfactory consent to process data, under the GDPR, they can be penalized either a maximum of 4 percent of their annual turnover or €20 Million, whichever is the greater amount. However, if a company has failed to have their records in order, or did not notify a data subject about a breach, they will be fined 2 percent of their turnover. Regardless of the severity of the breach, it’s important for companies to understand that the rules apply to both *data processors and controllers.


*” A data controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”