Peter Blenkinsop

Peter Blenkinsop is a Partner at Drinker Biddle & Reath. He has over 15 years of experience in advising companies on compliance with data protection laws, and he co-chairs the firm’s Information Privacy, Security & Governance (IPSG) practice. Peter has worked with dozens of life science companies on privacy projects, analyzing specific programs and activities, providing advice on compliance with relevant laws, conducting large-scale privacy gap assessments to compare practices to legal requirements and best practices, and assisting organizations in development of data protection programs. Peter received his JD from Georgetown University and his BA from Yale University.

On May 25, 2018, the GDPR became effective across the EU, simultaneously resulting in a 'consistent and homogenous application' of data protection rules across the Union (per Recital 10 of the Regulation). For data protection professionals at medical technology companies, the clarity brought by the GDPR has meant that resources can be redirected towards ensuring substantive privacy and security protections and away from more formalistic legal questions.... Okay, I'm just kidding. No, seriously, let's review what actually happened. After several decades of explaining to patients wishing to enrol in clinical investigations of experimental medical technology that by choosing to enrol, they are consenting to the collection of personal data about them for purposes of the research, data protection authorities decided that the GDPR doesn't allow this. Instead, they said, medical researchers should be relying on legal bases other than consent, like 'legitimate interests', for the processing of personal data in clinical investigations. Except, that is, in those member states where consent is still required for such data processing. In those member states, of course, you should still rely on consent. Clear enough?! Oh, and by the way, said the data protection authorities, we recognise that Recital 33 of the GDPR suggests that it is permissible for research subjects to broadly give their consent to 'certain areas of [future] scientific research', but even though the legislators wrote that, we don't think that's what they really meant. So, don't rely on that. Why? Because we said so. Actually, I find the guidance provided by data protection authorities on this question of the legal basis for further processing of personal data for 'secondary' research purposes was helpful. They pointed out that Article 5(1)(b) of the GDPR declares such further processing to 'not be considered to be incompatible with the initial purposes', provided the...