
5 Considerations for Data Protection in the Pharma Industry

There are enormous amounts of data in the pharmaceutical sector, which makes this industry one of the most important for high-quality data protection. Two years after the General Data Protection Regulation (GDPR), the Information Commissioner's Office continues to fine companies that fail to fully protect their data.

The data protection issue within the pharma industry is two-sided. On one side, companies deal with public data through medical research and clinical trials. On the other side are companies that process the internal personal data of their staff, customers and suppliers.

The first step before processing data is to establish a lawful basis, a fairly simple feat for pharma companies whose most significant processing activities relate to their staff. However, for the companies that process “special categories of data, through research and clinical trials etc.,” a separate lawful basis must also be established. For example, local legislation may also need to be considered, whether this be local data protection laws or laws and regulations specific to the pharma industry.

The use of identifiable data makes data protection that much more important for the pharma industry. This means companies that process identifiable data “must consider the requirement for informed consent under the Clinical Trials Regulation (CTR) and how this interacts with consent under the GDPR.”

Below are 5 Data Protection Considerations for Pharma:

  1. Companies that process large amounts of special categories of personal data must appoint a data protection officer according to GDPR rules. Companies have the option to recruit a new employee or hire an outsourced data protection officer.

  2. The GDPR has given individuals more awareness of, and more say over, their rights when it comes to their personal data, making it imperative that pharma develop careful processes for dealing with subject access requests.

  3. Another requirement of the GDPR is that controllers implement a written contract with their processors. Here, pharma must ensure that contracts with service providers have adequate protections in place to protect personal data processing.

  4. Pharma must be prepared to act fast and appropriately if a data breach does occur. It is worth noting that as special categories of personal data increase, so does the likelihood of data breaches.

  5. Think about all the pharma companies that operate internationally. Here, data protection complexity only increases, and these companies must work to ensure tight safety and controls are in place where data transfers are involved.

As pharma continues to have a key role in the healthcare sector, establishing high-quality data protection is key.


Kilburn, Elizabeth. “The Data Protection Issues Facing the Pharmaceutical Industry.” EPM Magazine, 21 May 2020, 

