
Implementation of EU GDPR in Life Sciences

The EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018. The regulation requires all public authorities and private businesses, including Life Sciences, to deploy sufficient IT security for the protection of personal data processed in the organization. Specifically, it requires an assessment of the organization's security level in relation to privacy. The purpose of the assessment is to identify specific related risks. On this basis, IT security controls shall be designed and implemented in the right places in the organization.


NNIT Data Protection Framework

To assess the risks associated with processing personal information, it will be necessary to map all of the relevant business processes, data types, systems, and external data providers. This includes processes pertaining to drug development, regulatory procedures, drug safety, manufacturing, and sales & marketing. The actual assessment of the organization's data protection level will be carried out only after these data flows have been identified.

NNIT utilizes the tool PRIME (Privacy Impact Evaluation). PRIME maps the data flows, provides an overview of where the most sensitive information is located logically and physically, and documents how well that information is protected in processes and systems. PRIME is tailored to the new requirements and to the new threats to privacy that digitalization brings.


NNIT's Five Phase Model for EU GDPR

NNIT's methodology for EU GDPR is organized in five distinct phases:

Phase 1: Planning of Risk Analysis

Use of PRIME is based on interviews with representatives from the line of business and IT. The first phase of our methodology focuses on defining the project scope and identifying and setting up meetings with relevant employees within the organization. The planning initiatives will take special needs within life sciences into account, e.g. requirements stipulated by GCP.


Phase 2: Risk Analysis

PRIME is based on the international security standards ISO 27005 and ISO 29100 and includes best practice methodology for risk analysis in the field of information security and protection of private information. As part of the risk analysis, we assess the risk of loss of data to unauthorized persons and the risk that data is changed wrongfully or lost as a result of IT security breaches.

Our methodology also includes a vulnerability assessment of the processes and systems in which personal data is processed – what checks have already been implemented and which ones are missing?

Based on the observations from the risk analysis and the established focus areas, a plan is prepared for how the identified risks can be mitigated. The plan may include the following control areas:

  • Processing authorization and proportionality
  • Policies and processes
  • Access control
  • Deletion
  • Encryption
  • Logging
  • Ownership
  • Data processors



Phase 3: Specific Proposals for Solutions

For every control area where the risk analysis has found one or more issues, one or more specific implementation proposals are prepared with input from the customer, taking life science specific needs into consideration, including how changes might affect GxP systems. Solution proposals are prepared in collaboration with our clients and partners, which include law firms and providers of technical solutions for access control, logging, and encryption. The goal is to strike the right balance between new behaviours around data and the use of existing and new technology.

Phase 4-5: Implementation and Maintenance

NNIT has been working with Life Sciences consultancy and IT implementation for more than a decade, and we will be able to assist Life Sciences companies in implementing the solutions and legal improvements necessary to meet the EU GDPR requirements.


Please contact Martin Rother Breyen on MIRP@NNIT.COM if you have any questions.



Martin Rother Breyen, Advanced Business Consultant


