Industry

Life Sciences/Healthcare Research

Use Pseudonymisation-Enabled Data Processing to:

  • Satisfy Legitimate Interests Processing Requirements.
  • Align Innovation Business Plans and Practices.
  • Create an Environment to Foster Innovation.

Key Business Considerations

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) have released opinions on how the Clinical Trials Regulation (“CTR”) and the General Data Protection Regulation (“GDPR”) relate to each other. They have determined that “informed consent” from clinical trial participants for life science research purposes typically does not satisfy requirements for consent as a legal basis for processing personal data under the EU General Data Protection Regulation.

As a result, life science and health research organisations should take steps to comply with both regimes by satisfying “informed consent” requirements under the Clinical Trials Regulation and member state clinical trial laws while also supporting a non-consent legal basis under the GDPR, such as Legitimate Interest processing. Acting otherwise involves the risk of interrupting business operations, reputational damage, and potential GDPR enforcement actions and penalties.

In addition, the GDPR provides an exception to the purpose limitation principle for data processing for scientific, historical and statistical research. The GDPR requires controllers that process data for these purposes to implement “appropriate safeguards, … for the rights and freedoms of the data subject.” Specifically, controllers must adopt “technical and organizational measures” to adhere to the principle of data minimization. The only example the GDPR provides is for controllers to use Pseudonymization so that the processing “does not permit or no longer permits the identification of data subjects.”

Key Legal Considerations

For all of the reasons noted above, It is difficult to rely on the legal ground of consent for life sciences and healthcare research. This means that for the predictability of operations, it is prudent to use Legitimate Interests processing. Legitimate Interests processing provides benefits for data controllers wanting to lawfully use data for secondary processing and repurposing. Pseudonymisation safeguards used to satisfy Legitimate Interests “balancing of interests” requirements also helps to satisfy requirements for lawful processing of special category data under Articles 9(2)(j) and 89(1).

However, for Legitimate Interests processing to satisfy legal requirements, you must show that you are using “appropriate safeguards” that reduce the risk of data misuse, such as GDPR-compliant Pseudonymisation.

Anonos Pseudonymisation Technology

The problem is that until now, no data protection technologies were capable of supporting Legitimate Interests processing, by reconciling the conflict between data protection and utility when processing the personal data of customers to maximise lawful data value.

For example, conventional data protection technologies that support anonymisation, encryption, static token allocation, and differential privacy:

  • Significantly degrade the utility of data, distorting the accuracy and predictability of the insights you need;
  • Fail to deliver effective protection against unauthorised re-identification; and
  • Limit the further use of valuable data for non-primary purposes.

Click here to learn what other global companies have proven: that it is possible to retain up to 100% of the accuracy of analytical value when processing datasets protected using patented Anonos Variant Twins®.

Anonos state-of-the-art Pseudonymisation technology is superior to other data protection techniques because it helps enable lawful repurposing, distributed secondary processing and data sharing while delivering data utility equivalent to processing unprotected cleartext versions of personal data.