Something Powerful

Tell The Reader More

The headline and subheader tells us what you're offering, and the form header closes the deal. Over here you can explain why your offer is so great it's worth filling out a form for.


  • Bullets are great
  • For spelling out benefits and
  • Turning visitors into leads.

GDPR: Practical tips for the life sciences sector

Key learnings:

  • The General Data Protection Regulation (GDPR) will bring about significant changes to the EU data protection regime.
  • The changes are set to reshape the way in which businesses handle personal data.
  • Ashley Williams, Associate at JAG Shaw Baker, offers five top tips for life sciences organisations preparing for the GDPR’s introduction in May 2018. 

The General Data Protection Regulation (GDPR) takes effect on 25 May 2018 and introduces substantial changes to the EU data protection regime. The GDPR will reshape the relationship between businesses and customers and reform the approach to how businesses handle personal data. In our last post, we detailed out the key changes that will affect life sciences organisations. In this post, we provide our five top tips for life sciences organisations to adopt to assist with compliance prior to the May 2018 deadline.

1. Conduct a data audit

Before you can assess how the GDPR applies, you need to know what your organisation does with personal data. Start with the basics - the who, what, why, when, where, how approach will help map data flows.

2. Review consent procedures and privacy notices

Existing fair processing notices will need to be reviewed and redrafted. The process for obtaining consent will need to be reviewed to ensure it satisfies the new requirements (pre-ticked boxes or inactivity will not satisfy the GDPR requirements). Individuals will have stronger rights where consent is the ground relied on for processing. If there is another lawful ground for processing… use it.

3. Internal policy review

For those with limited resources, focus on the key changes that are likely to impact your business. New breach reporting obligations and accountability requirements are likely to trigger changes to internal policies. Global policies may need to contain country-specific provisions (a one-size-fits-all approach is unlikely to be sufficient).

4. Accountability – share the joy

Governance needs to go beyond the traditional “core” teams of legal, compliance, and information security and include all aspects of the business, most notably PR and marketing should be included to manage reputational damage. Remember your data protection officer (DPO) needs to be independent. Any managers who can influence the purpose or manner of processing will not be able to act as DPO. Consider external resources to manage costs.

5. Review and revise processing agreements

Focus on key data sets and material processing arrangements. Data controllers should take the opportunity to ensure the processor is also compliant with internal policies. Data processors should review the liability position and consider introducing liability caps to reduce exposure.  

Learn more about the key changes that will result from the introduction of the GDPR:



Ashley Williams
Written By
Founded in 2013, JAG Shaw Baker is a strategic law firm that advises entrepreneurs, companies and investors in high-growth markets including the life science, clean tech and digital technology sectors.

Add Your Response