Patient Registry Owners: Key Highlights of new GDPR – General Data Protection Regulation


Data protection is an issue that we regularly discuss with clinicians, clients, patient registry owners and healthcare organisations.

And it’s with data protection in mind that we put this article together. If you are designing a registry, how you collect and store data is so important. And it’s about to get even more important.

Data protection laws around the EU differ significantly from country to country. Current law is based on Directive 95/46/EC (we’ll call this the Directive from now on) which is around since 1985. As it was a Directive, each member state interpreted the law differently so we have a patchwork of data protection laws.

This will change on 25 May 2018 when the EU General Data Protection Regulation (we’ll call this the GDPR from now on) comes into force. This GDPR will replace the Directive. It was initially published in January 2012 and adopted on 27 April 2016. Organisations holding data have only 19 months left to amend their data protection policies, procedures and rules before the Regulation is in force. As it’s a Regulation, it will be immediately applicable across the EU without individual member states having to implement national legislation.

We thought we’d share some of the most important points that relate to you as a patient registry owner and healthcare organisation. We’ve given reference information at the end.

1. The Definition of Personal Data
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. In addition, persons or organisations which collect and manage your personal information must protect it from misuse and must respect certain rights of the person which are guaranteed by EU law. This is the fundamental basis of the law.

The definition of personal data has been extended under the GDPR and is more detailed than the previous Directive. It now includes an identification number, location data and online identifier. So if any of those can connect back to a person, it’s included as personal data.

2. Extension of Sensitive Data
The GDPR extends the definition of sensitive data to include “genetic data" and “biometric data". This is in addition to data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life.

As with the Directive, sensitive data is afforded more protection and requires more stringent conditions to be satisfied.

3. Anonymised Data
Anonymised data, which is data that doesn’t relate to a person or to personal data rendered anonymous, is not considered to be “personal data" and therefore falls outside the scope of the GDPR.

4. Introduction of the Concept of Pseudonymisation
While we talk about and use the concept of ‘pseudonymisation’, the GDPR introduces it into the Regulation. The GDPR defines it as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately, and is subject to technical [such as encryption] and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person" .

That’s the legalese. But in essence, personal data which has undergone pseudonymisation should be considered to be information on an identifiable natural person

However, pseudonymised data will be afforded certain relaxations from the requirements of the GDPR. So for example, where data is pseudonymised and encrypted, a company will not be required to inform the data subject should a breach occur.

5. Strengthened Notion of Consent
The GDPR introduces a higher bar for relying on consent. Like the Directive, the GDPR refers to “consent" and “explicit consent". The difference between them is vague as both now require some form of clear affirmative action.

The GDPR defines “consent" as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

Again, that’s the legalese. But an example of such affirmative action include ticking a box when visiting an internet website rather than having a pre-ticked boxes, silence or inactivity. Those last three will not be sufficient enough to constitute consent.

The GDPR also includes more stringent conditions for information society services (e.g. online businesses) to rely on consent to process children's data. It requires service providers to verify parental consent to the processing of the child’s data where the child is less than 16 years old. Individual member States may provide by law for a lower age, so long as that age is not below 13 years old.

6. Data controller and data processor
The GDPR also continues with the Directive's terminology of data controller and data processor, which are used throughout the law.

A data controller is anyone who determines the “purposes and means of processing of the personal data.” It’s another way of saying the controller is the company or organization that makes all the decisions about initially accepting data from the data subject.

A data processor is then anyone who processes data for the controller. The GDPR specifically includes storage as a processing function, so that takes into account, say, cloud-based virtual storage.

The GDPR applies to controllers and processors. It places new legal obligations on processors, with the result that they will be share liability if breaches occur.

7. Operational outside EU
If your health or patient organisation is outside the EU but monitors EU residents, then the new Regulation applies to you too. This is a significant change to the law. The GDPR expands the territorial scope of existing EU data protection laws.

8. Significant Fines
There are new penalties introduced in the GDPR which include fines up to the higher of €20million or 4% of total annual worldwide turnover.

Information Sources

There are good sources of information to learn more about your responsibilities:

If you are a healthcare organisation storing or processing personal data from EU citizens, then we suggest that you look at the European Commission site for more information.

European Commission -

A&L Goodbody -

Latest News

OpenApp achieves ISO27001 Certification

23 December 2022

OpenApp are delighted to announce that we have now attained ISO27001 certification through a huge amount of collaborative effort by our team. This has been a goal of the company for many years, we have always strived to provide the most secure systems and services so achieving this accreditation is a massive affirmation of the work the team has been continuously doing over the years……

Read More
Screenshot of dashboard showing Traffic Incident Management System

Custom Traffic Incident Management System (TIMs)

24 November 2022

Egis Road & Tunnel Operations (ERTO) is the operating agent responsible for managing, recording, and reporting all incidents across the over 1,200 kilometres of motorway and dual carriageways in Ireland. They do this at the Motorway Operations Control Centre (MOCC)…

Read More

OpenApp project with the HSE wins Irish Health Awards 2022 for Public Health Initiative

1 November 2022

OpenApp project in collaboration with the HSE wins Public Health Initiative of the year award at the Irish Healthcare Awards 2022   Now in its 21st year, the Irish Medical Times has announced the winners of the 2022 Irish Healthcare Awards. Two projects evolved by OpenApp in collaboration with the…

Read More


Avoca House,

189-193 Parnell Street,


D01 H578





Irish Number:

+353 (1) 872 9331

US Number:

+1 (914) 455-0216

A huge thank you to one our great sponsors @OpenappIreland. Their support of the event is highly valued

You will be able to meet some of the team at the NOC Conference on January 31st

📑Register here:

Catch our article celebrating achieving our #ISO27001 certificate! Now updated to include a short interview with David Cavanagh, who managed the project. #patientregistry #raredisease #datasecurity

OpenApp are delighted to announce that we will be attending the National Office of Clinical Audit (NOCA) conference on the 31st of January in RCSI. If you wish to attend please register here: We hope to see you there!

Have an in-depth look at our Custom Traffic Incident Management System.
Our solution for ERTO helps oversee 1,200 kilometers of motorway allowing them to manage incidents, share data with stakeholders, and report data pertaining to road traffic incidents.

Just over a week to go until the Irish Healthcare Awards @HealthAwardsIrl OpenApps' projects in collaboration with the HSE are in the running for "Best Use of Information Technology" & "Public Health Initiative of the Year" 🤞 #IMTIHA22

Load More...

Copyright © 2022 OpenApplications All rights reserved.

OpenApplications Consulting Ltd. Registered in Ireland No. 355595