Trusted GDPR compliance support
Global Outsourced Data Protection Officer (DPO) solutions
Expert risk management support

Delivering data dignity. World-class Data Protection & Privacy Services.

We are a B Corp certified, global provider of data protection and privacy services, committed to delivering not just regulatory compliance but data dignity. With a deep understanding of the GDPR and other data protection regulations, we partner with responsible businesses to prioritise privacy, build trust, and ensure that data is handled ethically.

Diverse by design, we champion diversity and inclusion in everything we do, harnessing its power to bring leading solutions to our clients.

Our Services

We offer a comprehensive range of services, including outsourced Data Protection Officer (DPO) solutions and flexible data protection and information security consultancy, designed to help businesses achieve compliance and protect their most valuable assets.

Explore our expertly designed packages to find the right level of support for your needs. Or contact us for a free consultation.

Outsourced Data Protection Officer (DPO) services

DPO Essentials

Putting essential tools, guidance, and data protection support at your fingertips.

DPO Advanced

Driving the development, implementation and maintenance of a robust data protection and privacy programme tailored to your business.

Consultancy Services

Information Security

Helping you to formulate and implement comprehensive security strategies and cybersecurity solutions.

Data Protection & Privacy

Solving your specific data protection and privacy challenges as they arise.

Unlocking your potential for sustainable growth

Get expert guidance tailored to your business covering more than 70 jurisdictions worldwide

Achieve compliance with the GDPR, CCPA and over 250 other data protection regulations globally

Take a 360° approach to compliance with our 4-pillar methodology for effective privacy risk management

HewardMills 4-Pillar Framework

Building a robust data protection and privacy programme that ensures regulatory compliance and effective risk management requires holistic consideration of your operations. The HewardMills 4-Pillar Framework supports this, providing a clear structure for evaluation, assessment, remediation and support.

Pillar I

Corporate Governance

Implementing data governance practices and identification of risks

Pillar II

Privacy Operations

Integration of privacy considerations into operations

Pillar III

Policies & Procedures

Ensuring compliance with data protection and privacy regulation requirements

Pillar IV

Training

Upskilling employees and enhancing understanding of data protection best practices

What our clients say about us

HewardMills has been instrumental in helping us navigate ever-changing global regulations on privacy.

I've worked with the HewardMills team for several years and just renewed as I'm really happy with the practical guidance/level-headed approach that they provide about privacy and data protection.

HewardMills’ support gives us and our clients the confidence to know their data is protected and respected.

GDPR compliance & data mapping

We help you efficiently map your data processes and achieve seamless GDPR compliance.

Navigate regulatory obligations confidently, including ensuring all necessary documentation is in place, accurate and up-to-date, with our expert support.

Gap analysis & maturity assessments

We work with you to evaluate your current compliance and overall data protection and privacy maturity against relevant regulations, including the GDPR and industry best practices, identifying high-risk areas and supporting improvements.

Close gaps, reduce risk and enhance your organisation’s overall position through our actionable insights, recommendations and support.

International data transfer

From cross-border compliance strategies to navigating regulatory frameworks in over 70 countries, we ensure your international data transfers are secure, lawful, and efficient.

Effectively manage risk within your global operations with our multi-jurisdictional expertise.

Data breach & incident response

In case of a breach, we provide immediate support to minimise impact, manage reporting obligations, and restore trust swiftly.

Be confident in your response and be guided by our actionable, expert recommendations to strengthen your organisation’s security posture and reduce risk.

Training

From essential GDPR training to data protection and privacy courses tailored specifically to your business needs, use our comprehensive training solutions to build your in-house expertise.

News, insights and updates

Keeping you informed on key trends and providing expert insights on the latest data protection, privacy and information security developments.

How to protect personal data on fintech platforms in a new age of AI

With fintech platforms being prime targets for attackers, it has never been more important for privacy teams and Data Protection Officers (DPOs) to work closely with finance and security teams. Read on to find out more.

Navigating the European Health Data Space Regulation in the life sciences sector

The new European Health Data Space (EHDS) Regulation introduces new requirements governing the management and cross-border sharing of health data across the EU. For pharmaceutical companies, medical device businesses and AI-driven diagnostics businesses, navigating the EHDS Regulation will require balancing compliance with strategic opportunity. Read on to find out how Data Protection Officers (DPOs) are uniquely positioned to support the privacy function in ensuring compliance with the regulation.

Navigating the European Health Data Space Regulation in the life sciences sector

The European Health Data Space (EHDS) Regulation, which came into effect on 26 March 2025, introduces new requirements governing the management and cross-border sharing of health data across the EU. Designed to facilitate research, innovation and medical breakthroughs while reinforcing patient rights by enhancing their ability to control and access their personal data, the EHDS Regulation imposes specific obligations on life sciences companies dealing with sensitive medical data. For businesses operating in pharmaceuticals, medical devices or AI-driven diagnostics, Data Protection Officers (DPOs) are uniquely positioned to support the privacy function in successfully navigating the EHDS Regulation, ensuring compliance whilst balancing this against strategic opportunities.

Core obligations under the EHDS Regulation

Unlike the broader data protection framework established under the GDPR, the EHDS Regulation focuses explicitly on health-related datasets and establishing standardised processes for anonymised or pseudonymised data sharing through centralised platforms.

A core aim of the Regulation is to give patients greater control over their electronic health data; it establishes a formal right for individuals to access and obtain copies of their personal electronic health records instantly, free of charge, in a readable format. Article 15 of the EHDS Regulation confirms that the framework builds on data portability and requires that health professionals accept electronic health data shared from other Member States via the common European format. In practice, this means hospitals and clinicians must not obstruct patient data sharing. If a patient brings their records from another EU country in the European EHR Exchange Format, providers are expected to take that data into account.

This means life sciences businesses may act as both data holders and data users under the EHDS Regulation. As data holders, life sciences companies are required to share specific health datasets in anonymised or pseudonymised forms with authorised entities, including researchers or public health authorities. These datasets can include clinical trial outcomes, genomic information, or patient registries. Data-sharing requests must be submitted through national Health Data Access Bodies (HDABs), which manage and coordinate cross-border data transfers via the EU-wide HealthData@EU platform.

Data sharing timelines are tightly regulated. For example, businesses must respond to HDAB requests within three months, while HDABs themselves have two months to prepare datasets. Critically, the EHDS Regulation prohibits the use of shared data for commercial advertising, insurance underwriting or employment decisions.

Patients have the right to opt out of secondary use of their data at any time, without providing reasons. Companies must respect these opt-outs by filtering or excluding opted-out patient data when fulfilling data requests. Compliance teams should actively monitor opt-out rates and engage with HDABs to manage data accordingly, recognising national variations in opt-out implementation to prevent compliance errors. Non-compliance with the Regulation risks fines of up to €10 million or 2% of the business's global turnover, alongside reputational damage from public opt-outs.

A three-phase roadmap for compliance

Preparing for the EHDS Regulation requires a structured approach that integrates existing GDPR processes with new sector-specific requirements. Most obligations will apply from 2029, giving stakeholders time to prepare. By 2027, the EU will issue implementing acts with technical and procedural details. From 2029, key provisions such as cross-border health data exchange and rules on secondary use will become operational. The scope will expand further by 2031 to include more health data categories. Impacted organisations should therefore align their compliance planning with this phased timeline, structuring their efforts in three phases that match these milestones to ensure a smooth transition to full EHDS Regulation compliance:

  • The first phase involves mapping and assessing all health data assets. Businesses should begin by thoroughly mapping all health data under their control, including clinical trial records, genomic databases, historical patient data, and any data managed by third-party vendors. A comprehensive data mapping exercise helps identify compliance gaps. Recommended practical tools at this stage include standardised data mapping templates and data inventory management software.
  • Phase two focuses on legal and technical risk mitigation. IT and governance teams should align and enhance privacy controls in line with secure processing requirements. Operational processes must support secondary-use requests, with properly pseudonymised data delivered through compliant environments. Differential privacy techniques, which add statistical noise to datasets, have proven effective in maintaining research utility while preventing individual identification. Organisations should reference guidance provided by the European Data Protection Board (EDPB) on acceptable anonymisation standards and tools, ensuring consistent compliance practices. Testing processes in 2028 will help ensure readiness for 2029.
  • The final phase focuses on entrenching ongoing governance mechanisms. Starting in 2029, organisations must see EHDS Regulation compliance as daily practice and establish persistent monitoring and governance procedures to maintain adherence. Effective approaches include deploying automated tools to track data access, regularly scheduled internal audits, and implementing real-time logging to detect and manage compliance incidents. Organisations should also maintain up-to-date Records of Processing Activities (ROPAs), clearly documenting EHDS-specific data flows and ensuring transparency in case of regulatory inquiries.
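The second phase above names two controls without showing what they look like in practice: delivering pseudonymised data with opted-out patients excluded, and releasing aggregate statistics with differential privacy. The following Python example is added here to illustrate both; it is not HewardMills' tooling or any EHDS reference implementation. The patient registry, the opt-out register and the pseudonymisation key are all constructed placeholders, the pseudonymisation scheme (keyed HMAC-SHA256) and the Laplace mechanism are the author's choices for illustration, and nothing about national HDAB formats or opt-out mechanisms is assumed beyond "a set of opted-out patient identifiers".

```python
import hashlib
import hmac
import math
import random

# Constructed toy patient registry. Every value is invented.
PATIENT_REGISTRY = [
    {"patient_id": "P-1001", "country": "DE", "diagnosis": "rare_disease_x"},
    {"patient_id": "P-1002", "country": "FR", "diagnosis": "rare_disease_x"},
    {"patient_id": "P-1003", "country": "DE", "diagnosis": "other"},
    {"patient_id": "P-1004", "country": "ES", "diagnosis": "rare_disease_x"},
    {"patient_id": "P-1005", "country": "FR", "diagnosis": "other"},
]

# Constructed opt-out register: identifiers of patients who have opted out of
# secondary use. How such notices arrive varies by Member State; this is a placeholder.
OPT_OUT_REGISTER = {"P-1002"}

# Hypothetical pseudonymisation key. In a real deployment it lives in a KMS/HSM
# and is never shipped alongside the released extract.
PSEUDONYM_KEY = b"placeholder-key-do-not-use-in-production"


def pseudonymise(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for the data holder, not reversible without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def opt_out_rate(records, opt_outs) -> float:
    """Share of registry patients who have opted out (a figure worth monitoring)."""
    return sum(1 for rec in records if rec["patient_id"] in opt_outs) / len(records)


def prepare_secondary_use_extract(records, opt_outs, key=PSEUDONYM_KEY):
    """Exclude opted-out patients first, then replace the direct identifier with a pseudonym.

    The order matters: an opted-out patient must never reach the released extract,
    even in pseudonymised form.
    """
    extract = []
    for rec in records:
        if rec["patient_id"] in opt_outs:
            continue
        extract.append({
            "pseudonym": pseudonymise(rec["patient_id"], key),
            "country": rec["country"],
            "diagnosis": rec["diagnosis"],
        })
    return extract


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF (random.Random has no laplace method)."""
    u = rng.random() - 0.5          # uniform on [-0.5, 0.5)
    u = max(u, -0.5 + 1e-15)        # avoid log(0) at the boundary
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_count(extract, predicate, epsilon: float, seed=None) -> float:
    """Epsilon-differentially-private count over the extract.

    A counting query has sensitivity 1 (adding or removing one patient changes the
    answer by at most 1), so the Laplace mechanism uses scale 1/epsilon. Smaller
    epsilon means more noise and stronger protection for any single patient.
    """
    true_count = sum(1 for rec in extract if predicate(rec))
    return true_count + laplace_noise(1.0 / epsilon, random.Random(seed))


if __name__ == "__main__":
    extract = prepare_secondary_use_extract(PATIENT_REGISTRY, OPT_OUT_REGISTER)
    print(f"opt-out rate: {opt_out_rate(PATIENT_REGISTRY, OPT_OUT_REGISTER):.0%}")
    print(f"{len(extract)} pseudonymised records prepared for release")
    noisy = dp_count(extract, lambda r: r["diagnosis"] == "rare_disease_x", epsilon=1.0, seed=42)
    print(f"noisy rare-disease count (epsilon=1.0): {noisy:.2f}")
```

The noisy count is what a data user would receive instead of the exact figure; averaged over many independent releases it centres on the true value, which is why the mechanism preserves research utility while no single release pins down whether one particular patient is in the dataset.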

The critical role of DPOs in EHDS Regulation compliance

For Data Protection Officers (DPOs), the EHDS Regulation introduces an additional layer of sector-specific complexity on top of existing obligations under the GDPR. Their key responsibilities have expanded to include conducting detailed data flow analyses to pinpoint datasets regulated by the EHDS Regulation, liaising with Health Data Access Bodies (HDABs) to streamline responses to data requests, overseeing third-party vendor audits with a strong emphasis on ISO 27001 certification and data anonymisation techniques, and developing opt-out management protocols that balance compliance with the continuity of research. Proactive DPOs are integrating EHDS Regulation requirements into broader data governance strategies, which involves updating records of processing activities to highlight EHDS-specific obligations and delivering staff training programmes focused on the principles of ethical data reuse.

Strategic opportunities and operational challenges

The EHDS Regulation offers significant advantages for proactive life sciences companies. Centralised access to anonymised EU-wide datasets through the portal could accelerate research timelines, particularly for rare disease treatments where fragmented data currently delays breakthroughs. However, operational hurdles threaten to undermine these benefits. Variations in HDAB implementation across Member States create inconsistencies in data request handling, while unresolved questions about dataset standardisation risk duplicative compliance efforts.

Crucially, the EHDS Regulation redefines health data as a collective European asset. Its potential to drive personalised medicine and pandemic preparedness will only materialise if businesses maintain public trust through rigorous privacy protections and unambiguous ethical guidelines for data reuse.

HewardMills’ team of life sciences data protection experts can support your business in effectively preparing for the EHDS Regulation. Our specialists provide practical tools and detailed data mapping templates designed specifically for life sciences organisations managing sensitive health data. With strategic guidance from HewardMills, you can confidently address EHDS Regulation compliance requirements while unlocking new opportunities for research innovation and business growth.

Ready to take the next step?

Connect with our experts today and ensure your business is secure, compliant, and future-ready.