Importance of addressing GDPR for life science companies

05 June 2018

The deadline for implementing the GDPR is approaching fast, but are businesses ready? Time is running out. After years of talk, the 25th May 2018 deadline for implementation of GDPR is now upon us.


The GDPR enhances requirements in a number of key areas:

  • It radically increases the territorial scope of EU data protections to include those organizations based outside of the EU that offer to sell goods or services to individuals or monitor the behaviour of individuals that reside within the EU
  • Businesses must notify regulatory authorities within 72 hours of personal data breaches that result in a risk of harm to data subjects
  • Appropriate security must be in place to protect personal data, and parties processing personal data on behalf of a data controller must be subject to robust due diligence as well as bound by contractual obligations to process the data lawfully
  • Data subjects must be advised how their data will be processed, and consent, where it is required under the GDPR, must be freely given, specific, informed and unambiguous
  • Data subjects’ rights have been strengthened; people can ask to receive their data in a structured format to allow easy transfer to another data controller (‘data portability’), ask to have their data erased (the ‘right to be forgotten’) and object to profiling and direct marketing.


Increased use of big data, analytics and technology using individuals' personal data are key industry trends for life science companies.

  • Life science companies look for technology partners to leverage current assets, generate cost saving synergies or extend pipeline products’ value
  • Improved health life sciences/telemedicine; for example, tech apps for diagnostics, DNA profiling, personalized treatments, stem cells, genetic repairs
  • Focus on patient-centric product development and optimization of patient treatment regimes – individualized medicine
  • Aiding research and development; for example, to better understand target patient populations.

“Given how much this has been pushed by the government, brokers and other experts, it's surprising many businesses aren’t more prepared”, says Sarah Stephens, Head of Cyber at JLT Specialty.

That’s all the more so, Sarah adds, given the well-publicized penalties for getting it wrong under GDPR: up to 4 per cent of worldwide revenues or EUR 20 million (whichever is greater) for the most serious breaches, and even EUR 10 million or 2 per cent for lesser breaches.


Cyber insurance can cover the costs associated with a breach, such as the response and potential third-party liability and any class actions that could result, although it won’t generally cover regulatory fines (as a matter of law).

If you would like more details on the insurance solutions that we are developing for our clients, please contact Suzanne Liberman, Managing Director – Life Sciences and Healthcare at