Data Privacy Services Life Sciences EU GDPR Audit Training

The proposed changes to the UK Clinical Trials Regulations were approved in the House of Commons and House of Lords in February 2025.

The changes have now been shared with the Northern Ireland Assembly, and if approved, the 12 month implementation process will begin. This would see the new regulations coming into force in early 2026.

The UK clinical trials regulation update shall include:

guidance to accompany the new regulations
simplified means of seeking and recording consent
new guidance for public involvement
inclusion and diversity guidance

You can read more about this in the latest Clinical Trials update from the UK HRA.

For questions on UK clinical trials regulation, contact our UK consultant Julianne Hull at j.m.hull ( at ) pharmarketing.net

In March we welcome our 29th team member in the person of Lionel Le Floch. Lionel is a senior expert in Computerised System Validation ('CSV') and in Quality in the life sciences Industry.

Lionel is based in France and has a Master’s degree in Management and Global Quality from Versailles University, France. He has over 18 years' experience in IT Validation and IT Quality Assurance. Before joining PharMarketing, Lionel spent 7 years leading the development, execution, and maintenance of Computerized System Validation (CSV) strategies, policies and procedures at both a local site level and at an international level for a pharmaceutical depositary organisation which develops bespoke outsourcing logistic and customer service solutions for top Pharma and Medical Device companies.

Within this demanding regulated environment, Lionel went deep into all aspects of validation and qualification such as setting up protocols (IQ/OQ/PQ), supplier audits, CAPA and Change Control Management but also conducted risk assessments, system impact analyses, and gap analysis to identify and mitigate risks associated with local computerized systems.

Lionel has a versatile profile as he previously spent 11 years working for L'Oréal IT Operations as an Application Manager and Software Assurance Quality Manager where he enjoyed working closely with IT, operations, and other departments to train and provide guidance on system validation requirements and best practices.

He is passionate about football (one key criteria to join PharMarketing!), music concerts and travelling, and is the happy father of one daughter.

Lionel has already been assigned to a CSV project for one of our French clients.

Join us in welcoming Lionel to the team!

You can contact Lionel at l.e.lefloch ( at ) pharmarketing.net

PharMarketing was at Bio Europe Spring in Milan from 17 to 19 March 2025.

Hundreds of pre-clinical or clinical-stage start-ups convened at this major event to meet investors and raise money, or to in-license or out-license healthcare products.

In total 3,700+ life science leaders attended this congress.

We had a lot of interesting discussions with startup biotechs, medtechs, digital therapeutics and CROs from across the world.

Given the good results, we decided to attend the Bio International Convention in Boston from 16 to 19 June 2025: if you plan to attend, please let us know, we will be happy to meet and discuss.

In today’s globalised world, there are large amounts of cross-border transfers of personal data, which are sometimes stored on servers in different countries.

The protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data lands.

This also applies when data is transferred to a country which is not a member of the EU (hereinafter referred to as 'third country').

What should you do?

- Put relevant clauses in contracts with sub-contractors or recipients.

- Audit your sub-contractors and/or recipients before sending personal data to them.

Read the full opinion of the EU Commission:

https://commission.europa.eu/l....

For more questions on transfers of personal data between countries, contact Bertrand at: b.p.lebourgeois ( at ) pharmarketing.net

Latvia's Data Protection Authority ('DPA'), the Datu valsts inspekcija, issued very interesting guidelines for drafting a Data Privacy Impact Assessment ('DPIA').

As you probably know, it is mandatory to draft a DPIA if you process sensitive patient data: for example, clinical studies, registries, cohorts, pharmacovigilance, medical information requests, etc.

A DPIA can be also mandatory if you don't process sensitive personal data, but you collect or process large volumes of personal data, or if you are using new technologies.

The guidelines indicate when a DPIA doesn't need to be done and how to draft one if needed.

A DPIA is a risk analysis from the point of view of the data subjects; to say it differently, its goal is to evaluate the impacts on the private life of data subjects if there is a personal data breach.

A DPIA is NOT a risk analysis from the point of view of your company.

Both Controllers and Processors must draft a DPIA.

Although most Data Protection Authorities issued guidelines for drafting a DPIA already, including Must-Do lists (processings for which it is mandatory to draft a DPIA) and White lists (processings for which a DPIA is not mandatory), these guidelines bring a enw point of view on this matter.

At PharMarketing GDPR Life Sciences, we use the free PIA software from the French DPA to drat DPIAs: this software is vetted by all EU/EEA/UK Data Protection Authorities, and is translates in several languages. In addition, the French DPA provides supports it for free.

Read the article from the Latvian DPA: https://www.dvi.gov.lv/lv/jaun...

At PharMarketing, we appreciate that most of our readers are versed in biology, medical, chemistry, manufacturing, legal, regulatory, clinical operations, but few of them feel comfortable with IT:

So, we decided to start a series on 'IT for Dummies', to help you grasp key and useful facts about IT security in a simple way.

After discussing Best Practices with an External Hard Disk in Dec/Jan, and the key clauses to have in a contract with a SaaS software provider in February, let's now look at the NIS2 Directive.

The NIS2 Directive is a EU directive about Cybersecurity and entered into force in January 2023.

After entering into force in January 2023, Member States have to implement the NIS2 Directive into national law by 17 October 2024. At this time, not all EU countries did it.

The NIS2 Directive lays down the technical and the methodological requirements of cybersecurity risk management measures for critical entities and networks.

In Belgium the FAMHP, the Federal Agency for Medicines and Health Products sent an email beginning of March 2025 to all life sciences organisations, asking them to register under NIS2 before 18 March 2025. Any organization doing R&D or manufacturing or distributing health products needs to take the test.

And if the test says that they fall under the NIS2, then they need to register with NIS2 and to implement appropriate Cybersecurity measures. Also an annual audit by an external party is mandatory.

Also, they need to make sure that their supply chain does the same.

Visit the Belgium site for NIS2 here: https://atwork.safeonweb.be/to...

Wondering which EU/EEA countries mandate what for Cybersecurity?

Our CSV consultant Lionel Le Floch has drafted the list of cybersecurity portals for each EU country:

Feel free to contact Lionel at l.e.lefloch ( at ) pharmarketing.net

About 'GDPR Travels with Personal Data':

If an organisation A based in EU/EEA/UK sends personal data to an organisation B in a country outside EU/EEA/UK, the GDPR still applies to such personal data: yes/no

Yes, this is what the EU Commission calls 'GDPR travels with Personal Data; this means that organisation B must apply the GDPR principles to such Personal Data

2. Same as 1), but if B resends the personal data to organisation C also outside EU/EEA/UK, C doesn't have to comply with GDPR: yes/no

No: as per the principle that GDPR travels with Personal Data, C also must apply the GDPR principles to such personal data. Furthermore, B should check that C understands and complies with GDPR before sending the Personal Data to C. This is called an 'onward transfer'.

A question on International Data Transfers? Contact Bertrand at b.p.lebourgeois ( at ) pharmarketing.net

To send us a RFI/RFQ, a message, or to subscribe to our free GDPR Life Sciences Newsletter