Data protection laws specify rules on how individuals’ information is used by organisations. The current relevant legislation is the Data Protection Act 1998 (the “DPA”).

From 25 May 2018, however, the DPA will be replaced by the new EU data protection framework which takes the form of a Regulation – the General Data Protection Regulation (the “GDPR”). Regulations bind all Member States in the EU, and are directly applicable in all Member States without the need for implementing national legislation.

As such, companies should re-examine their practices in order to ensure compliance with the GDPR. This is particularly the case for eHealth companies. By achieving compliance, you will be able to avoid penalties and high fines. In addition to that, you will be able to increase credibility in your product and/ or service, and to increase the opportunity to work with bigger health institutions or companies which usually impose high data protection standards on themselves and their partners.

The EU Commission defines eHealth businesses as businesses which involve the use of modern information and communication technologies to meet needs of citizens, patients, healthcare professionals and healthcare providers. These businesses necessarily control and/or process health data. Depending on whether you are a “controller” or a “processor”, the GDPR imposes different legal obligations. Moreover, as health data is regarded as “sensitive personal data” under the GDPR, a higher level of security is needed for the purpose of protecting such information.

With GDPR, there are new elements and significant enhancements which impose new and demanding requirements on organisations. For example, in the UK, while it is not a requirement under the DPA, companies will be obliged to consider data privacy at the initial design stages of all projects as well as throughout the lifecycle of the relevant data processing under the GDPR. These concepts are known as “data protection by design” and “data protection by default” respectively.

In the coming months eHealth Hub will be releasing a number of legal maps which will be assisting you in the implementation of GDPR. The maps will cover some of the following:

  • Sensitive Personal Data
  • Consent
  • Profiling
  • Data Housing and Storage
  • Overview of Principles

Make sure to look out for the upcoming legal maps in future communication with eHealth Hub! In the meantime, you can access our legal network for free legal advice. Register here or visit Legal and Regulatory section on eHealth HUB website.


This information was drafted by students from qLegal at the Centre for Commercial Law Studies, Queen Mary University of London: Chantal Davison, Victor Chan and Wolfgang Guggenberger. qLegal is a partner in the eHealth Hub Network.