Trusted GDPR compliance support Global Outsourced Data Protection Officer (DPO) solutions Expert risk management support
Delivering data dignity. World-class Data Protection & Privacy Services.
Talk to an Expert
We are a B Corp certified, global provider of data protection and privacy services, committed to delivering not just regulatory compliance but data dignity. With a deep understanding of the GDPR and other data protection regulations, we partner with responsible businesses to prioritise privacy, build trust, and ensure that data is handled ethically.
Diverse by design, we champion diversity and inclusion in everything we do, harnessing its power to bring leading solutions to our clients.
Our Services
We offer a comprehensive range of services, including outsourced Data Protection Officer (DPO) solutions and flexible data protection and information security consultancy, designed to help businesses achieve compliance and protect their most valuable assets.
Explore our expertly designed packages to find the right level of support for your needs. Or contact us for a free consultation.
Outsourced Data Protection Officer (DPO) services
DPO Essentials
Putting essential tools, guidance, and data protection support at your fingertips.
DPO Advanced
Driving the development, implementation and maintenance of a robust data protection and privacy programme tailored to your business.
Consultancy Services
Information Security
Helping you to formulate and implement comprehensive security strategies and cybersecurity solutions.
Data Protection & Privacy
Solving your specific data protection and privacy challenges as they arise.
Unlocking your potential for
sustainable growth
0 +
Get expert guidance tailored to your business covering more than 70 jurisdictions worldwide
0 +
Achieve compliance with the GDPR, CCPA and over 250 other data protection regulations globally
0 °
Take a 360° approach to compliance with our 4-pillar methodology for effective privacy risk management
HewardMills 4-Pillar Framework
Building a robust data protection and privacy programme that ensures regulatory compliance and effective risk management requires holistic consideration of your operations. The HewardMills 4-Pillar Framework supports this, providing a clear structure for evaluation, assessment, remediation and support.
Pillar I
Corporate Governance
Implementing data governance practices and identification of risks
Pillar II
Privacy Operations
Integration of privacy considerations into operations
Pillar III
Policies & Procedures
Ensuring compliance with data protection and privacy regulation requirements
Pillar IV
Training
Upskilling employees and enhancing understanding of data protection best practices
What our clients
say about us
GDPR compliance & data mapping
We help you efficiently map your data processes and achieve seamless GDPR compliance.
Navigate regulatory obligations confidently, including ensuring all necessary documentation is in place, accurate and up-to-date, with our expert support.
Gap analysis & maturity assessments
We work with you to evaluate your current compliance and overall data protection and privacy maturity against relevant regulations, including the GDPR and industry best practices. Identifying high-risk areas and supporting improvements.
Close gaps, reduce risk and enhance your organisation’s overall position through our actionable insights, recommendations and support.
International data transfer
From cross-border compliance strategies to navigating regulatory frameworks in over 70 countries, we ensure your international data transfers are secure, lawful, and efficient.
Effectively manage risk within your global operations with our multi-jurisdictional expertise.
Data breach & incident response
In case of a breach, we provide immediate support to minimise impact, manage reporting obligations, and restore trust swiftly.
Be confident in your response and be guided by our actionable, expert recommendations to strengthen your organisation’s security posture and reduce risk.
Training
From essential GDPR training to data protection and privacy courses tailored specifically to your business needs, use our comprehensive training solutions to build your in-house expertise
News, insights and updates
Keeping you informed on key trends and providing expert insights on the latest data protection, privacy and information security developments.
How to protect personal data on fintech platforms in a new age of AI
With Fintech platforms being prime targets for hackers, the importance of privacy teams and Data Protection Officers (DPOs) working closer with finance and security teams has never been greater. Read on to find out more.
Navigating the European Health Data Space Regulation in the life sciences sector
The new European Health Data Space (EHDS) Regulation introduces new requirements governing the management and cross-border sharing of health data across the EU. For pharmaceutical companies or AI-driven diagnostics businesses and businesses relying on medical devices, navigating the EHDS Regulation will require balancing compliance with strategic opportunity. Read on to find out how Data Protection Officers (DPOs) are uniquely positioned to support the privacy function in ensuring compliance with the regulation.
Navigating the European Health Data Space Regulation in the life sciences sector
The European Health Data Space (EHDS) Regulation, which came into effect on 26 March 2025, introduces new requirements governing the management and cross-border sharing of health data across the EU. Designed to facilitate research, innovation and medical breakthroughs while reinforcing patient rights by enhancing their ability to control and access their personal data, the EHDS Regulation imposes specific obligations on lifesciences companies dealing with sensitive medical data. For businesses operating in pharmaceuticals, medical devices or AI-driven diagnostics, Data Protection Officers (DPOs) are uniquely positioned to support the privacy function in successfully navigating the EHDS Regulation, ensuring compliance whilst balancing this against strategic opportunities.
Core obligations under the EHDS Regulation
Unlike the broader data protection framework established under the GDPR, the EHDS Regulation focuses explicitly on health-related datasets and establishing standardised processes for anonymised or pseudonymised data sharing through centralised platforms.
A core aim of the Regulation is to give patients greater control over their electronic health data; it establishes a formal right for individuals to access and obtain copies of their personal electronic health records instantly, free of charge, in a readable format. Article 15 of the EHDS Regulation confirms that the framework builds on data portability and requires that health professionals accept electronic health data shared from other Member States via the common European format. In practice, this means hospitals and clinicians must not obstruct patient data sharing. If a patient brings their records from another EU country in the European EHR Exchange Format, providers are expected to take that data into account.
This means life sciences businesses may act as both data holders and data users under the EHDS Regulation. As data holders, life sciences companies are required to share specific health datasets in anonymised or pseudonymised forms with authorised entities, including researchers or public health authorities. These datasets can include clinical trial outcomes, genomic information, or patient registries. Data-sharing requests must be submitted through national Health Data Access Bodies (HDABs), which manage and coordinate cross-border data transfers via the EU-wide HealthData@EU platform.
Data sharing timelines are tightly regulated. For example, businesses must respond to HDAB requests within three months, while HDABs themselves have two months to prepare datasets. Critically, the EHDS Regulation prohibits the use of shared data for commercial advertising, insurance underwriting or employment decisions.
Patients have the right to opt out of secondary use of their data at any time, without providing reasons. Companies must respect these opt-outs by filtering or excluding opted-out patient data when fulfilling data requests. Compliance teams should actively monitor opt-out rates and engage with HDABs to manage data accordingly, recognising national variations in opt-out implementation to prevent compliance errors. Non-compliance with the Regulation risks fines of up to €10 million or 2% of the business’ global turnover, alongside reputational damage from public opt-outs.
A three-phase roadmap for compliance
Preparing for the EHDS Regulation requires a structured approach that integrates existing GDPR processes with new sector-specific requirements. Most obligations will apply from 2029, giving stakeholders time to prepare. By 2027, the EU will issue implementing acts with technical and procedural details. From 2029, key provisions such as cross-border health data exchange and rules on secondary use will become operational. The scope will expand further by 2031 to include more health data categories. Impacted organisations should therefore align their compliance planning with this phased implementation timeline and are advised to structure their compliance efforts in three phases aligned with these milestones to ensure a smooth transition to full EHDS Regulation compliance:
- The first phase involves mapping and assessing all health data assets. Businesses should begin by thoroughly mapping all health data under their control, including clinical trial records, genomic databases, historical patient data, and any data managed by third-party vendors. A comprehensive data mapping exercise helps identify compliance gaps. Recommended practical tools at this stage include standardised data mapping templates and data inventory management software.
- Phase two focuses on legal and technical risk mitigation. IT and governance teams should align and enhance privacy controls in line with secure processing requirements. Operational processes must support secondary-use requests, with properly pseudonymised data delivered through compliant environments. Differential privacy techniques, which add statistical noise to datasets, have proven effective in maintaining research utility while preventing individual identification. Organisations should reference guidance provided by the European Data Protection Board (EDPB) on acceptable anonymisation standards and tools, ensuring consistent compliance practices. Testing processes in 2028 will help ensure readiness for 2029.
- The final phase focuses on entrenching ongoing governance mechanisms. Starting in 2029, organisations must see EHDS Regulation compliance as daily practice and establish persistent monitoring and governance procedures to maintain adherence. Effective approaches include deploying automated tools to track data access, regularly scheduled internal audits, and implementing real-time logging to detect and manage compliance incidents. Organisations should also maintain up-to-date Records of Processing Activities (ROPAs), clearly documenting EHDS-specific data flows and ensuring transparency in case of regulatory inquiries.
The critical role of DPOs in EHDS Regulation compliance
For Data Protection Officers (DPOs), EHDS Regulation introduces an additional layer of sector-specific complexity to the already existing obligations under GDPR. Their key responsibilities have expanded to include conducting detailed data flow analyses to pinpoint datasets regulated by the EHDS Regulation, liaising with Health Data Access Bodies (HDABs) to streamline responses to data requests, overseeing third-party vendor audits with a strong emphasis on ISO 27001 certification and data anonymisation techniques, and developing opt-out management protocols that ensure a balance between compliance and the continuity of research. Proactive DPOs are integrating EHDS Regulation requirements into broader data governance strategies, which involves updating records of processing activities to highlight EHDS-specific obligations and delivering staff training programmes focused on the principles of ethical data reuse.
Strategic opportunities and operational challenges
The EHDS Regulation offers significant advantages for proactive life sciences companies. Centralised access to anonymised EU-wide datasets through the portal could accelerate research timelines, particularly for rare disease treatments where fragmented data currently delays breakthroughs. However, operational hurdles threaten to undermine these benefits. Variations in HDAB implementation across member states create inconsistencies in data request handling, while unresolved questions about dataset standardisation risk duplicative compliance efforts.
Crucially, the EHDS Regulation redefines health data as a collective European asset. Its potential to drive personalised medicine and pandemic preparedness will only materialise if businesses maintain public trust through rigorous privacy protections and unambiguous ethical guidelines for data reuse.
HewardMills’ team of lifesceinces data protection experts can support your business in effectively preparing for the EHDS Regulation. Our specialists provide practical tools and detailed data mapping templates designed specifically for life sciences organisations managing sensitive health data. With strategic guidance from HewardMills, you can confidently address EHDS Regulation compliance requirements while unlocking new opportunities for research innovation and business growth.