Patient Registry Owners: Key Highlights of new GDPR – General Data Protection Regulation


Data protection is an issue that we regularly discuss with clinicians, clients, patient registry owners and healthcare organisations.

And it’s with data protection in mind that we put this article together. If you are designing a registry, how you collect and store data is so important. And it’s about to get even more important.

Data protection laws around the EU differ significantly from country to country. Current law is based on Directive 95/46/EC (we’ll call this the Directive from now on) which is around since 1985. As it was a Directive, each member state interpreted the law differently so we have a patchwork of data protection laws.

This will change on 25 May 2018 when the EU General Data Protection Regulation (we’ll call this the GDPR from now on) comes into force. This GDPR will replace the Directive. It was initially published in January 2012 and adopted on 27 April 2016. Organisations holding data have only 19 months left to amend their data protection policies, procedures and rules before the Regulation is in force. As it’s a Regulation, it will be immediately applicable across the EU without individual member states having to implement national legislation.

We thought we’d share some of the most important points that relate to you as a patient registry owner and healthcare organisation. We’ve given reference information at the end.

1. The Definition of Personal Data
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. In addition, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the person which are guaranteed by EU law. This is the fundamental basis of the law.

The definition of personal data has been extended under the GDPR and is more detailed than the previous Directive. It now includes an identification number, location data and online identifier. So if any of those can connect back to a person, it’s included as personal data.

2. Extension of Sensitive Data
The GDPR extends the definition of sensitive data to include “genetic data" and “biometric data". This is in addition to data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

As with the Directive, sensitive data is afforded more protection and requires more stringent conditions to be satisfied.

3. Anonymised Data
Anonymised data, which is data that doesn’t relate to a person or to personal data rendered anonymous, is not considered to be “personal data" and therefore falls outside the scope of the GDPR.

4. Introduction of the Concept of Pseudonymisation
While we talk about and use the concept of ‘pseudonymisation’, the GDPR introduces it into the Regulation. The GDPR defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical [such as encryption] and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person" .

That’s the legalese. But in essence, personal data which has undergone pseudonymisation should be considered to be information on an identifiable natural person

However, pseudonymised data will be afforded certain relaxations from the requirements of the GDPR. So for example, where data is pseudonymised and encrypted, a company will not be required to inform the data subject should a breach occur.

5. Strengthened Notion of Consent
The GDPR introduces a higher bar for relying on consent. Like the Directive, the GDPR refers to “consent" and “explicit consent". The difference between them is vague as both now require some form of clear affirmative action.

The GDPR defines “consent" as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

Again, that’s the legalese. But an example of such affirmative action include ticking a box when visiting an internet website rather than having a pre-ticked boxes, silence or inactivity. Those last three will not be sufficient enough to constitute consent.

The GDPR also includes more stringent conditions for information society services (e.g. online businesses) to rely on consent to process children's data. It requires service providers to verify parental consent to the processing of the child’s data where the child is less than 16 years old. Individual member States may provide by law for a lower age, so long as that age is not below 13 years old.

6. Data controller and data processor
The GDPR also continues with the Directive's terminology of data controller and data processor, which are used throughout the law.

A data controller is anyone who determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is the company or organization that makes all the decisions about initially accepting data from the data subject.

A data processor is then anyone who processes data for the controller. The GDPR specifically includes storage as a processing function, so that takes into account, say, cloud-based virtual storage.

The GDPR applies to controllers and processors. It places new legal obligations on processors, with the result that they will be share liability if breaches occur.

7. Operational outside EU
If your health or patient organisation is outside the EU but monitors EU residents, then the new Regulation applies to you too. This is a significant change to the law. The GDPR expands the territorial scope of existing EU data protection laws.

8. Significant Fines
There are new penalties introduced in the GDPR which include fines up to the higher of €20million or 4% of total annual worldwide turnover.

Information Sources

There are good sources of information to learn more about your responsibilities:

If you are a healthcare organisation storing or processing personal data from EU citizens, then we suggest that you look at the European Commission site for more information.

European Commission -

A&L Goodbody -

Latest News

Clinical Patient Management System for European Reference Networks: A Case Study

24 June 2021

Clinical Patient Management System for European Reference Networks: A Case Study The Clinical Patient Management System (CPMS) is a virtual consultation platform which enables healthcare professionals to present patient cases and collaborate with other healthcare professionals to provide diagnosis, care and treatment across borders. What are the European Reference Networks?…

Read More

Digital and Central: Treat rare diseases through digital networking across institutions

24 June 2021

Knowledge sharing at the Centre for Digitisation in telemedicine, germany and discussing CPMS OpenApp CEO, Con Hennessey, has been invited to speak about the Clinical Patient Management System (CPMS) at a the “Digital and central: Treat rare diseases through digital networking across institutions” online symposium.  Launched in 2017, CPMS serves as…

Read More

“Ireland’s Commercial Open Source Ecosystem” Opportunities

24 February 2021

How is Open Source driving innovation across global industries as well as within Ireland? Skillnet Ireland will be hosting their inaugural Open Source & Ireland’s Innovation Ecosystem Conference on Thursday, February 25th from 4-6pm GMT.  The agenda is packed full of speakers who are experts on the use of Open…

Read More


Avoca House,

189-193 Parnell Street.

Dublin 1, Ireland.

D01 H578

OpenApp is now hiring an enthusiastic self-starter to join a growing sales and marketing team in Dublin as a Senior Marketing and Business Development Representative! Details on the role and how to apply can be found here:

OpenApp is now hiring a Sr. Application Developer! Head to our website for more information and instructions to apply.

Our CEO, @ConHennessy, will be speaking about the Clinical Patient Management System (CPMS) next week at a the “Digital and Central: Treat rare diseases through digital networking across institutions” symposium. Learn more and register: #telemedicine

We have been building open source solutions for 18 years. #TBT to an interview of the late Mel McIntyre who founded OpenApp with the belief that “[open source] will help to remove the economic barriers to scalability and lead to more opportunities.”

#TBT to the Open Source & Ireland's Innovation Ecosystem panel discussion. We have been providing open source solutions for the past 20 years, and discuss some of our insights with other Open Source leaders in Ireland here: #opensourceireland #innovation

Load More...

Copyright © 2021 OpenApplications All rights reserved.

OpenApplications Consulting Ltd. Registered in Ireland No. 355595