
Industry Insight | 15th May 2018

External Communications: Is Your Healthcare SME Compliant?



With only 10 days to go before the General Data Protection Regulation (GDPR) comes into force on 25th May, many healthcare SMEs are still unsure what communications they’re allowed to send.

Onyx Health provides a top-level view of what healthcare SMEs need to do in relation to contacting key stakeholders for marketing purposes under GDPR and other regulatory standards that a healthcare company may comply with.


Active opt-in consent must be given. ‘No-reply’ or pre-ticked boxes do not constitute consent.

SMEs must show a legitimate interest for holding data and sending a communication. GDPR also requires companies to keep a record of that legitimate interest and to provide an easy opt-out/unsubscribe option. Personal data available in the public domain is still identifiable, so GDPR still applies.

MHRA Blue Guide (Medicines and Healthcare products Regulatory Agency):

The Blue Guide provides an interpretation of the legal standards expected when advertising and promoting medicines. Materials sent via email are subject to UK medicines advertising legislation, regulatory standards and GDPR.

As a healthcare SME, you may also be a member of the following:

  • ABPI Code of Practice (Association of the British Pharmaceutical Industry): Telephone, text messages, email, telemessages, facsimile, automated calling systems and other electronic data communications must not be used for marketing purposes, except with prior permission.
  • ABHI Code of Business Practice (Association of British Healthcare Industries): Members should ensure that all communications, such as product claims and comparisons, are accurate, balanced, fair, objective and unambiguous. There is no mention of consent, so default to GDPR rules.

Feeling stifled? Here’s what you can do next…

  • Audit: We recommend that SMEs conduct a data audit and define how personal information is being used. There must also only be a single point of access for this database.
  • Database: Purchase a database from a third party. You must ensure consent has been obtained by the company you are purchasing the data from (i.e. has the recipient approved their information being shared with you?). Once you have purchased this information, the onus is on you to keep it up-to-date. However, email communication through the purchased database remains a grey area under the ABPI, following this recent PMCPA case ruling: Hospital Consultant v AstraZeneca.
  • Direct Mail: This is often undervalued as a form of communication, but sometimes you can’t beat a physical item. Under the ABPI, prior permission is not required to send out a direct mailing. Ensure your mailing list is up-to-date (i.e. people can opt-out from future correspondence), the content you are sending is relevant, and frequency is appropriate (no more than eight per year).

For our take on how to approach outgoing communication under GDPR and existing regulatory standards in healthcare view our flowchart below.

If you still have questions, Onyx Health is committed to keeping clients up to date with the latest regulatory and market changes, finding new ways to reach out to customers and seeking benefits from what may lie ahead. To find out more about our healthcare marketing expertise and our services, get in touch on 0191 640 3638, email us at
