Back to News List


GDPR news - Impact of naming the end client as data controller

August 3rd, 2018

Update on findings of the BHBIA member survey (July 2018)

As many members will be aware, the BHBIA alongside the MRS and EphMRA has been in discussions with the Information Commissioner's Office (ICO) about the interpretation of GDPR/DPA 2018 requirements on the determination of data controller(s) and the implications of naming the market research end client. 

The questions we raised during our discussions are under consideration internally at the ICO and within the European Data Protection Board’s (EDPB) Key Provisions subgroup and we are awaiting formal EU-wide guidance.  In the meantime however, some of our members have been feeling the impact of this issue. 

Consequently, in July, the BHBIA’s Ethics & Compliance Committee surveyed members on the impact naming the end client as data controller is having. 

Thank you to all those who provided feedback.

We have prepared a short report summarising the survey findings: click here to download the report

As you will see, naming the end client as a data controller is resulting in fewer market research projects being commissioned in the UK and in Europe. 

We are using this information to show the ICO (and other European DPAs) that if an interpretation of requirements that determines an end client is generally a data controller is formalised it will have a significant impact on the aims, integrity, and viability of healthcare market research in the UK and the EU.

We have shared this evidence with:

  • The ICO in order to help them to understand the very real impact this is having and to provide them with evidence of this as they consider the issue and discuss it with their EU counterparts;
  • Jeremy Wright QC, Secretary of State for Digital, Culture, Media and Sport to draw his department’s attention to the impact on UK business;
  • The MRS, EphMRA, ESOMAR and EFAMRO so that they can use the information to support their discussions with data protection regulators.

It is expected that controller/processor guidelines are on the agenda for an EDPB September meeting and it’s likely that the production of formal guidelines will allow the EDPB view to be formalised.

The BHBIA will continue to work with the MRS and ICO in the UK on this issue and with EphMRA and ESOMAR to support our European counterparts.  We will keep members updated of any further developments. 

Click here if you wish to be reminded of the BHBIA’s June update on naming end clients as data controllers.


The BHBIA’s Ethics & Compliance Committee is providing this guidance as general information for its members. It is not legal advice and should not be relied upon as such.  Specific legal advice should be taken in relation to any specific legal problems or matters.  Whilst every reasonable effort is made to make sure the information is accurate, no responsibility for its accuracy or for any consequences of relying on it is assumed by the BHBIA.  We do expect to update our guidance on the GDPR as more information becomes available.