Patient Registry Owners: Key Highlights of new GDPR – General Data Protection Regulation


Data protection is an issue that we regularly discuss with clinicians, clients, patient registry owners and healthcare organisations.

And it’s with data protection in mind that we put this article together. If you are designing a registry, how you collect and store data is so important. And it’s about to get even more important.

Data protection laws across the EU differ significantly from country to country. Current law is based on Directive 95/46/EC (we’ll call this the Directive from now on), which has been in place since 1985. Because it was a Directive, each member state transposed it differently, leaving a patchwork of national data protection laws.

This will change on 25 May 2018, when the EU General Data Protection Regulation (we’ll call this the GDPR from now on) comes into force. The GDPR will replace the Directive. It was initially published in January 2012 and adopted on 27 April 2016. Organisations holding data have only 19 months left to amend their data protection policies, procedures and rules before the Regulation is in force. Because it is a Regulation, it will apply immediately across the EU without individual member states having to implement national legislation.

We thought we’d share some of the most important points that relate to you as a patient registry owner and healthcare organisation. We’ve given reference information at the end.

1. The Definition of Personal Data
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. In addition, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the person which are guaranteed by EU law. This is the fundamental basis of the law.

The definition of personal data has been extended under the GDPR and is more detailed than in the Directive. It now explicitly includes identification numbers, location data and online identifiers. If any of these can be connected back to a person, it counts as personal data.

2. Extension of Sensitive Data
The GDPR extends the definition of sensitive data to include “genetic data” and “biometric data”. This is in addition to data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

As with the Directive, sensitive data is afforded more protection and requires more stringent conditions to be satisfied.

3. Anonymised Data
Anonymised data, meaning data that does not relate to an identifiable person, or personal data that has been rendered anonymous, is not considered to be “personal data” and therefore falls outside the scope of the GDPR.

4. Introduction of the Concept of Pseudonymisation
While the concept of ‘pseudonymisation’ is already widely discussed and used, the GDPR is the first to write it into the Regulation itself. The GDPR defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical [such as encryption] and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

That’s the legalese. But in essence, personal data which has undergone pseudonymisation should still be considered to be information on an identifiable natural person, because the separately held additional information can re-identify them.

However, pseudonymised data is afforded certain relaxations from the requirements of the GDPR. For example, where data is pseudonymised and encrypted, an organisation will not be required to inform the data subject should a breach occur.
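As an added illustration that is not part of the original article, here is one way a registry could implement the split the definition above describes: the research copy of each record carries only a keyed pseudonym, while the linkage back to the medical record number is held separately from the dataset. The records, key and field names are constructed for this example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample registry records; these are not real patients.
RECORDS: List[Dict[str, str]] = [
    {"mrn": "MRN-000123", "name": "A. Example", "dob": "1970-01-01", "diagnosis": "NF1"},
    {"mrn": "MRN-000456", "name": "B. Example", "dob": "1985-06-15", "diagnosis": "NF2"},
]

# Fields that directly identify the patient and must not reach the research copy.
DIRECT_IDENTIFIERS = ("mrn", "name", "dob")


def pseudonym(mrn: str, key: bytes) -> str:
    """Derive a stable pseudonym from the record number with a keyed HMAC.

    The same patient always maps to the same pseudonym, so follow-up records
    can be linked, but without the key the pseudonym cannot be regenerated
    from a guessable identifier the way a plain unkeyed hash could be.
    """
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split records into a pseudonymised dataset and a separate linkage table.

    The linkage table (pseudonym -> MRN) is the "additional information" the
    GDPR definition refers to. Its existence is what makes the dataset
    pseudonymised rather than anonymised, so it is stored apart from the
    dataset, access-controlled and encrypted at rest, together with the key.
    """
    dataset: List[Dict[str, str]] = []
    linkage: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym(rec["mrn"], key)
        kept = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"pid": pid, **kept})
        linkage[pid] = rec["mrn"]
    return dataset, linkage


def reidentify(pid: str, linkage: Dict[str, str]) -> Optional[str]:
    """Re-identification is only possible for whoever holds the linkage table."""
    return linkage.get(pid)
```

A reader of the dataset alone sees a diagnosis against an opaque identifier; only the party holding both the key and the linkage table can connect it back to a patient, which is exactly why the data remains personal data under the GDPR.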

5. Strengthened Notion of Consent
The GDPR introduces a higher bar for relying on consent. Like the Directive, the GDPR refers to “consent” and “explicit consent”. The difference between them is vague, as both now require some form of clear affirmative action.

The GDPR defines “consent” as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Again, that’s the legalese. But an example of such affirmative action is ticking a box when visiting a website. Pre-ticked boxes, silence or inactivity will not be sufficient to constitute consent.

The GDPR also includes more stringent conditions for information society services (e.g. online businesses) relying on consent to process children’s data. It requires service providers to verify parental consent to the processing of a child’s data where the child is under 16 years old. Individual member states may provide by law for a lower age, so long as that age is not below 13 years old.

6. Data controller and data processor
The GDPR also continues with the Directive's terminology of data controller and data processor, which are used throughout the law.

A data controller is anyone who determines the “purposes and means of processing of the personal data”. In other words, the controller is the company or organisation that makes the decisions about why and how personal data is collected from the data subject.

A data processor is then anyone who processes data on behalf of the controller. The GDPR specifically includes storage as a processing function, so this covers, for example, a cloud-based storage provider holding the registry’s data.

The GDPR applies to both controllers and processors. It places new legal obligations directly on processors, with the result that they will share liability if breaches occur.

7. Operating outside the EU
If your health or patient organisation is outside the EU but monitors EU residents (for example, by collecting their health data in a registry), then the new Regulation applies to you too. This is a significant change to the law: the GDPR expands the territorial scope of existing EU data protection laws.

8. Significant Fines
The GDPR introduces new penalties, including fines of up to the higher of €20 million or 4% of total annual worldwide turnover.

Information Sources

There are good sources of information for learning more about your responsibilities:

If you are a healthcare organisation storing or processing personal data from EU citizens, then we suggest that you look at the European Commission site for more information.

European Commission -

A&L Goodbody -

Copyright © 2021 OpenApplications All rights reserved.