Wissen - Life Sciences News - Topics - Downloads - Newsletter
Stewart Spears
Home | General Data Protection Regulation (EU GDPR)
January 31, 2017

General Data Protection Regulation (EU GDPR) New Data Privacy Laws & their impact on life sciences

In May 2018, the EU’s new General Data Protection Regulation (GDPR) will enter into force and replace former national legislation. This will affect not only organizations in the EU’S member states, but all organizations worldwide that collect or process personal data from EU citizens—thus, many Swiss companies.

Real World Data is playing an increasingly important role in life sciences. For example, wearables and mobile applications can record patient data, which enables them to monitor a medication when it is approved and when it is on the market. And this in turn allows them to guide the patient’s medical condition. This opens up new opportunities for pharmaceutical and medical devices companies, but also brings risks related to the protection of data from affected parties.

To counteract the challenges of possible data misuse and standardize protective measures transnationally, the EU will enforce the GDPR (General Data Protection Regulation), which replaces the applicable guideline 95/46/EC, on whose basis the member states have issued their own laws up to now. The GDPR builds on data protection principles documented in the guideline, but also contains new focal points.


General Data Protection Regulation (EU GDPR)
Here are a few innovations:
  • Rights of individuals: The GDPR strengthens the rights of individuals and sets clear provisions regarding the receipt and retraction of consent from the parties concerned for processing their data, such as the right to erasure (“right to be forgotten”), the right to data portability and the right to human intervention in the event of automated decisions.
  • Protective measures in data processing: Companies are obligated to introduce suitable technical and organizational measures which guarantee a level of data protection appropriate to the risk. In so doing, not only the state of the technology, the implementation costs and the reason for processing the data should be considered, but especially the probability of occurrence and impact of the risk in relation to respecting the rights of the parties concerned.
  • Obligation to inform in the event of data protection violations: If data protection is breached, the GDPR demands that such breach be reported to the supervisory authorities and the persons concerned, and stipulates tight deadlines for doing so. This innovation particularly affects the life sciences, since health data is considered a high risk.
  • Data protection—impact assessment: If there is a “presumably high risk to the rights and freedoms of natural persons,” the responsible party must perform asses in advance of the impact data processing would have. This investigation demonstrates how sensitive data is collected, processed and protected in accordance with statutory specifications.
  • Substantial new sanctions: Non-compliance with this regulation might incur a massive fine from two to four percent of the company’s annual worldwide revenue, or 10 or 20 million euros, depending on the severity of the violation.


The new legislation poses many challenges for companies. For example, if databases are large and complex, compliance with the reporting deadline of 72 hours is possible only if new processes are not only defined but automated in the systems.


Do you have questions regarding the new General Data Protection Regulation, or do you need support in evaluating measures for ensuring data protection and data integrity? Our experts would be glad to assist you!


Your Contact:

Stewart Spears

Global Head of Business Development

+41 61 717 82 00