The expansion of health data offers exciting opportunities to support better and more efficient drug discovery, development and implementation. Data protection and governance provide the legal framework to balance safeguarding patients’ privacy with the benefits to society of medical research. Our aim is to highlight current legal barriers to the better use of health data and propose ways to address them.

Analysis of the relevant legislative texts was supplemented by interviews with external experts in data protection, health research, informatics and cyber security and a workshop with pharmaceutical industry members. We investigated the legal issues arising for six key activities along the pharmaceutical lifecycle, from identifying unmet need through to health technology assessment and pharmacovigilance.

The General Data Protection Regulation (GDPR) was introduced in May 2018 to Harmonise data protection across Europe. However, considerable ambiguity remains, particularly around the appropriate legal bases for data processing in the absence of consent: scientific research, public interest, or provision of health or social care. Other key themes included data subject rights, anonymization, compatibility of primary and secondary (re-)use of data, heterogeneity arising from divergent interpretation, the need for guidance on digital health, and the importance of trust.

We speculate which legal bases are most appropriate for the six pharmaceutical activities studied, but clear guidance and consensus is required. The GDPR was not designed to hamper scientific research, and the issues identified arose from uncertainties rather than barriers per se. Industry and academic researchers should therefore deal proactively with the prevailing uncertainties, share good practice, and engender trust by co-creating a code of conduct and outlining principles of responsible use. Engagement with patients will be critical in encouraging a shared understanding of the value to society of health data for research.