What do New UK Laws Mean for the Pharmaceutical Marketeer?

Planning a digital marketing campaign? Here's what you need to know about the new EU data laws.

In 2018 tougher data privacy laws, collectively known as the General Data Protection Regulation (GDPR), come into force that have serious effects on how we use email marketing.

E-blasts, webinars, whitepapers, e-books, - the promotion of your most cherished assets are critical to your business, but with the threat of fines of up to €20m it's equally critical that you understand the GDPR and how you should operate within it.

So what do these new laws mean for pharmaceutical marketing? What do you need to know and how can you avoid falling foul of the law?

The GDPR formalises concepts such as the ‘right to be forgotten’, data portability, data breach notification and accountability, with those falling foul of the guidelines potentially facing massive fines of €20m, or up to four percent of global revenues.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA (Data Protection Act). The important thing to bear in mind as you embark on your digital strategy is the “accountability principle.” The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity. Some key points of the regulation are below.


The right to be forgotten is front and centre at the forefront of these new measures, so you are going to have to use a bit more clarification to users that they have these rights to be ‘forgotten’. Have systems and procedures in place in case anyone asks for their removal from your database.


New guidance will mean you have to consider legislation on a global scale, not just the EU. Under the new data protection rule, regulators from elsewhere in the EU could now have a say in the rulings, as well as the fines handed out to UK companies under the guidance of the directive. Similarly, if you are sending out e-blasts, location is key.

For instance, if your business offers goods or services in the EU it’s covered by the regulation - it makes no difference if the business is based outside the EU. The application of the law is determined by the location of the people it serves.


Last years events with Talk Talk and Yahoo show that data breach is serious business. The new guidance makes it mandatory that you let your consumers know when there is a data breach, or the corruption of it, and then having procedures in place that let them know when their private information has been compromised. This is now not just good practice but will sit at the heart of the legislation.


Do you have the infrastructure in your departments to grant this? You need to have the resources in place should you receive a request, - the guidelines make this very clear.


Designate a Data Protection Officer, invest in training for them and allow time for them outside their current role to devote to looking at this issue, understand what is required and how to stay within the right side of it.


You should familiarise yourself now with the ICO guidance on Privacy Impact Assessment and work out how to implement it should it be required.