Data Protection & Information Security
We support our clients in building of data protection and information security compliant quality management systems for life sciences companies. We develop the required documentation together with the responsible teams, provide contract drafts and consent forms, and coordinate with data protection authorities. From GDPR compliance gap analysis to ISO 27001 certification support and privacy-compliant infrastructure for clinical trials, pharmacovigilance, and AI-driven development. We are ourselves ISO 27001 certified.
Data protection in pharma and medtech is not a generic IT problem. It involves patient data flowing across clinical sites, CROs, CDMOs, EDC systems, safety databases, and regulatory portals, often across borders, often through cloud-based tools operated by providers outside the EU. Ethics committees, health authorities, and data protection supervisory bodies all expect demonstrable compliance, and the consequences of getting it wrong range from trial delays to regulatory enforcement. We look at the whole data flow and advise on data protection compliance for all involved entities. We assess the full data flow, advise on compliance for all involved entities, support the documentation and authority interactions, and provide practical guidance on protecting personal data across the regulatory, technical, and operational dimensions.
Examples of How We Support
These are just examples to illustrate the kind of work we do day to day. The fastest way is usually a short call to understand your situation and discuss how we can help.
Third-country data transfers
Your clinical trial uses cloud-based tools with servers or support teams outside the EEA, and your ethics committee has raised concerns about data transfers to third countries. You need a compliant setup, fast, without switching platforms mid-trial.
Non-EU sponsor GDPR support
You are a non-EU sponsor running trials in Europe and need a GDPR representative, a Data Protection Officer, and compliant informed consent forms, data processing agreements, and privacy notices, but you don't have in-house privacy expertise for the EU regulatory landscape.
AI data compliance
You are deploying AI or machine learning in your development workflow and need to demonstrate that patient data, training data, and model outputs comply with both GDPR and the EU AI Act. You need practical anonymisation, access controls, and audit trails, not just a policy document.
Cross-border PV data protection
Your pharmacovigilance or post-market surveillance system processes personal health data across multiple countries, and you need a data protection framework that holds up across jurisdictions without creating operational bottlenecks.
Data protection program build
You don't have a data protection program at all, or you have one on paper that hasn't been tested, updated, or operationalised. You need someone to build or rebuild it properly, with the tools and processes to maintain it.
ISO 27001 and InfoSec support
A client, partner, or investor is asking for ISO 27001 certification, or you need to assess whether your vendors and CROs meet information security standards. You may also need someone to fill the Information Security Officer role without hiring for it full-time.
Understanding Data Protection & Information Security
"Data privacy" and "data security" mean different things to different people in this industry. This page covers organisational data protection, privacy compliance, and information security management: GDPR programmes, data protection coordination services, ISO 27001 implementation and auditing, clinical trial privacy setups, cross-border data transfer frameworks, and data governance for AI and real-world evidence.
This page does not cover:
- Medical device cybersecurity (IEC 62443, MDR cybersecurity requirements, SBOM documentation). For that, see SaMD and Cybersecurity.
- Clinical data management in the GxP sense (EDC setup, ALCOA+ principles, database lock processes). For that, see Clinical Development.
- Operational IT security (penetration testing, SOC monitoring, network architecture). We help build the management system and policies that govern your information security (including ISO 27001), but we do not deliver hands-on IT security operations. We work with specialist providers where needed.
Where these areas overlap with GDPR or data protection requirements, we coordinate across disciplines to make sure nothing falls between the cracks.
What We Do
Our data privacy and security work spans strategic setup, day-to-day operations, and ongoing compliance management. Here is what that looks like in practice.
Our Workstreams
We structure our data privacy and security work into defined workstreams, each with clear outputs and interfaces to the rest of your organisation.
GDPR Compliance Programme/Data Protection Coordination
Gap analysis, coordination RoPA creation, coordination with DPO on DPIA execution, data flow mapping, policy development, remediation planning and implementation.
ISO & DPR Services
Outsourced Information Security Officer for clients requiring the role under ISO 27001. EU and UK Data Protection Representative for non-EU sponsors. Coordinated DPO/ISO function where both roles are needed. Ongoing regulatory monitoring. Liaison with supervisory authorities.
Clinical Trial Data Protection
Privacy-compliant trial setup, ICF and CTA review for GDPR alignment, vendor and CRO data protection assessments, cross-border transfer mechanism selection (SCCs, adequacy decisions), ethics committee documentation support.
Privacy-Compliant Infrastructure
Design and operation of hosted environments for cloud-based clinical and safety systems: access-controlled, EEA-resident, and documented to satisfy ethics committees and supervisory authorities.
Data Protection Management Systems
Deployment and managed operation of a dedicated compliance platform, or integration into existing eQMS, covering ongoing RoPA reviews, DSR handling, incident management, and audit readiness.
AI & Data Governance
Anonymization and pseudonymization strategies for AI/ML workflows. GDPR-compliant data pipelines for model training. Documentation frameworks for EU AI Act compliance. Exploration of verifiable AI governance approaches for data provenance and audit.
ISO 27001 Implementation & Auditing
ISMS scoping and gap analysis, risk assessment and treatment planning, control implementation, policy and procedure documentation, internal audit programmes, supplier and vendor audits, certification preparation and support.
Where This Fits in the Development Journey
Data protection is not a one-time setup. Requirements evolve as your programme moves from early planning through clinical execution, submission, launch, and post-market operations. This overview shows where data privacy and security work typically applies across the lifecycle.
Discovery & Concept
Establish data governance principles and assess privacy implications of planned data collection. Define pseudonymization strategy early.
Preclinical
Set up vendor and CRO data protection assessments. Begin DPIA for planned clinical activities.
Design & Development
Design privacy-compliant infrastructure for clinical systems. Review ICFs and CTAs. Appoint DPO/DPR as needed.
Clinical
Operate and maintain privacy-compliant trial infrastructure. Manage ongoing DSR handling, incident response, and cross-border data transfer compliance.
Regulatory Submission & Approval
Ensure personal data in submission dossiers is handled compliantly. Support data integrity documentation for regulatory review.
Launch & Market Access
Set up pharmacovigilance and safety database privacy frameworks. Align PV data flows with GDPR requirements across markets.
Post-Market & Lifecycle Management
RoPA maintenance, periodic DPIA reviews, archiving and retention compliance, secondary use governance for RWE and AI.
Product Type Considerations
Data protection requirements shift depending on what you are developing. The types of personal data involved, the regulatory expectations around handling them, and the systems that process them all vary by product category.
Pharmaceuticals
Clinical trial data protection across multi-country studies. PV data flows. Cross-border transfers for centralised and decentralised procedures. GDPR alignment of ICFs and safety databases.
Medical Devices
Post-market surveillance data, including PMCF and complaint handling. Cybersecurity and data protection overlap for connected devices. UDI-related data handling.
Combination Products
Combined drug and device data flows. Multiple data controllers across the supply chain. Article 117 compliance with privacy overlay.
Biologics & ATMPs
High-sensitivity patient data in cell/gene therapy settings. Chain-of-identity requirements. Traceability data as personal data under GDPR.
Digital Health & SaMD
Processing of patient health data in real-time. GDPR and EU AI Act intersection. App-based consent management. DiGA/DiPA data protection requirements in Germany.
Sample Deliverables
These are typical outputs we generate:
GDPR gap analysis and remediation roadmap for a clinical-stage pharma company. 
Complete data protection programme (policies, RoPA, privacy notices, contract drafts for processors, consent forms, incident response plan). 
Privacy-compliant hosting setup for an EU clinical trial using a US-based EDC system, with access controls, data residency documentation, and ethics committee-ready privacy documentation. 
Outsourced Information Security Officer engagement covering ISMS ownership, risk register maintenance, internal audit coordination, and management review preparation. 
ICF, CTA, and vendor DPA review package aligned with GDPR, UK GDPR, and Clinical Trials Regulation requirements for a multi-country Phase III trial. 
Data anonymization protocol and technical implementation for secondary use of clinical datasets in an AI/ML development programme. 
EU AI Act compliance assessment for a SaMD product processing patient health data. ISO 27001 gap analysis, ISMS implementation package, and certification preparation for a clinical-stage biotech. Example Projects
Draft
US biotech sponsor: GDPR-compliant clinical trial setup for EU Phase II study
A US-based sponsor with no European presence needed to run a multi-site Phase II trial across four EU countries. The EDC platform was cloud-based with support teams in the US and India. We appointed the DPO and DPR, designed a hosted infrastructure solution that kept patient data within the EEA, reviewed and revised all ICFs and CTAs for GDPR compliance, prepared the privacy documentation for ethics committee submissions, and established vendor DPAs with all service providers. The trial was approved by all four ethics committees without privacy-related objections.
Draft
Mid-size EU pharma: building a data protection programme from scratch
A growing pharmaceutical company with multiple marketed products and active clinical programmes had no formal data protection programme. We conducted a full gap analysis, deployed a managed data protection system on a dedicated compliance platform (covering RoPA, DPIAs, DSR workflows, incident management, and employee training), and provided outsourced DPO services. The programme was operational within three months and passed an external audit within six months.
Draft
Medtech company: AI governance for a SaMD development programme
A medical device company developing an AI-powered SaMD product needed to demonstrate GDPR-compliant handling of patient data used to train and validate its algorithms. We established a data anonymisation pipeline, documented the data provenance and processing chain, and prepared the data governance framework to support both MDR technical documentation and EU AI Act compliance requirements.
Need Data Protection Support for Your Development Programme or Clinical Trial?
Tell us about your situation, whether it's a trial setup, a compliance gap, or an AI governance question, and we'll outline how we can help.
Contact UsKey Regulations & Guidance
The following regulations and guidelines most frequently shape our data privacy and security work:
Frequently Asked Questions (FAQ)
Do I need a DPO for my clinical trial?
If your organisation processes health data as a core activity (which most pharma and medtech sponsors do) a DPO is required under GDPR. Even where the formal threshold is debatable, most EU data protection authorities and ethics committees expect a named DPO. We provide outsourced DPO services with the specific pharma and clinical trial expertise that generic DPO providers typically lack.
What happens when my EDC or safety database provider has servers outside the EU?
Using a cloud-based system with infrastructure or support teams in non-EEA countries creates a cross-border data transfer under GDPR. This requires appropriate transfer mechanisms, typically Standard Contractual Clauses plus a Transfer Impact Assessment. Where ethics committees are not satisfied with the provider’s setup, we design hosted alternatives where we control the environment and keep data within the EEA.
How do I handle informed consent under both the CTR and GDPR?
The Clinical Trials Regulation and the GDPR treat consent differently. Under the CTR, informed consent covers trial participation. Under the GDPR, consent is one possible legal basis for data processing, but the EDPB recommends against using consent as the legal basis for processing trial participants’ data, suggesting legitimate interests or legal obligation instead. The two consent processes must be clearly separated in your ICF and privacy notice. We draft and review these documents to ensure both regulatory frameworks are properly addressed.
Can I reuse clinical trial data for other purposes, such as AI model training?
GDPR permits secondary use of personal data for scientific research under specific conditions, including appropriate safeguards, pseudonymisation or anonymisation, and a compatible legal basis. The specifics depend on the original consent, the nature of the data, and the intended secondary use. We design anonymisation protocols and legal frameworks that support secondary use while staying within GDPR boundaries.
What does the EU AI Act mean for data privacy in pharma development?
The EU AI Act creates additional obligations for high-risk AI systems, including many SaMD and clinical decision-support tools. These include requirements around data governance, transparency, human oversight, and record-keeping that intersect with, but do not replace, GDPR. We help you build a unified compliance framework that covers both regulations without duplicating effort.
Can you work with our existing data protection tools, or do you bring your own?
We operate a dedicated compliance platform that covers policy management, training, RoPA, DPIAs, DSR workflows, and incident management in a single tool. But we also work with paper-based systems, eQMS-integrated solutions, or your existing privacy tools. The platform choice depends on your organisation’s size, maturity, and preferences.
How quickly can you set up a data protection programme?
A baseline programme (gap analysis, essential policies, RoPA, initial DPIAs, and DPO appointment) is typically operational within 8 to 12 weeks. A comprehensive programme including employee training, vendor assessments, and full platform deployment takes 3 to 6 months depending on complexity.
Do you support ISO 27001 certification, and are you certified yourselves?
Yes to both. We are ourselves ISO 27001 certified, so we’ve built and maintain the same systems we help clients implement. We support the full path from gap analysis through ISMS design, control implementation, documentation, and internal audits to certification readiness. We also provide an outsourced Information Security Officer for clients who need the role but don’t have it in-house, and we conduct ISO 27001 audits of your suppliers and partners where you need independent assurance of their information security practices.