Articles Posted in Regulatory and Compliance


The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.

The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.

Why is a UK bill needed?


Pharmaceutical and Life Sciences companies operate in a demanding environment and face diverse challenges such as pricing pressure, increased regulatory requirements and mounting costs. Against this backdrop, they have increasingly looked to outsourcing, starting with non-core functions such as IT, facilities management, finance and human resources before moving to secondary core functions such as research and development, manufacturing, logistics, warehousing and brokerage, so as to better focus on core competencies, access specialized expertise and achieve cost-saving benefits.

In this blog post, we take a closer look, from an outsourcing perspective, at some of the key challenges faced by those operating in the Pharmaceutical and Life Sciences sector.

Regulatory Environment


A number of major carriers have suffered high-impact IT events in the past several months. Estimates of losses in these cases have exceeded £100m. This is on top of (no doubt significant) remedial costs, reductions in share price and reputational damage.

Such high-impact events are, in theory, unlikely to occur—the result of a series of unlikely events which when taken together have a catastrophic impact. Unfortunately for corporates, the probability of a high-impact IT event is increasing. This is partly due to the increasingly interconnected and complex nature of IT infrastructures but also due to heightened cybersecurity risks. Failures tend not to be localised to a particular geography or business but have global reach.

We advise airlines to consider and revisit their current business continuity and disaster recovery (BCDR) arrangements. In our experience, the reality of BCDR arrangements often falls below the stated requirements or capabilities of such solutions, whether provided by third-party IT providers or in-house.


In a global economy, every supply chain should have each link inspected to ensure it has not been forged in whole or in part in a manner that involves human rights abuses. In “Is your supply chain free from human rights abuses?,” a recent piece in Outsource, our colleague Tim Wright explores what a company can do to ensure its product is not the result of slavery or other human rights abuses.


The European Commission has published its Brexit mandate with a clear focus on “citizens’ rights, the financial settlement and new external borders,” with the Commission’s chief Brexit negotiator, Michel Barnier, planning to “pay great attention to Ireland during the first phase of negotiations.” In his Next Steps toward Brexit Client Alert, Pillsbury partner Tim Wright explores some key issues including safeguarding of EU citizens, settlement of UK financial obligations, and sorting out the Irish border situation.



Software giant’s victory in “indirect use” case is cause for concern for companies worldwide.

On February 16, 2017, the High Court of Justice in the United Kingdom held that Diageo plc, a global drinks company, was liable for unauthorized use of SAP software as a result of failing to secure “Named User” licenses for its customers and sales representatives who used certain third party applications running on a Salesforce platform that accessed and exchanged data with SAP systems. While the decision does not have direct application outside the United Kingdom and may be appealed by Diageo, it is an important win by SAP and a significant cause for concern for companies licensing SAP software. The decision may embolden SAP to be even more aggressive in attempting to extract additional license and support fees from customers—which could potentially run into tens of millions of dollars for many companies—based on alleged “indirect” uses of SAP software. We encourage licensees of SAP software to get in front of this issue by undertaking an assessment of whether they are at risk for claims of indirect use by SAP.




Recently, governments and rule-making bodies across Europe, the UK and globally appear to be paying increasing attention to the need for legislative and regulatory frameworks in the expanding field of artificial intelligence (AI) and robotics. With the growing use of these technologies across a wide range of industry sectors, we expect to see new laws and regulations being introduced in this area in the coming years, across a broad spectrum of legal disciplines including intellectual property rights and product liability. Discussed below are some recent developments in this area in the European Union, the United Kingdom, the United States and Japan.

European Union

The European Commission’s Legal Affairs Committee recently published a report calling for EU-wide rules governing AI and robotics[1]. Rapporteur Mady Delvaux (S&D, LU) said: “A growing number of areas of our daily lives are increasingly affected by robotics. In order to address this reality and to ensure that robots are and will remain in the service of humans, we urgently need to create a robust European legal framework”.


“We will follow two simple rules: buy American and hire American.” While world leaders are pondering what these words from President Trump’s Inaugural Address mean for international trade, a different question looms for U.S. Government contractors—what is on the horizon as far as the Buy American Act and similar protectionist regulations?



UK’s Industrial Strategy announced—new Government contracting approach will favour UK-based firms after Brexit.

  • UK Government spending currently runs circa £278 billion per annum.
  • Government contractors will be given priority when bidding for UK Government work after Brexit.


The FCA has fined Aviva, the UK insurance group, £8.2 million for failing to have appropriate controls over its outsourced service providers. According to the FCA’s press release, the fine would have been even larger at £11.8 million but for a 30% discount due to Aviva for agreeing with the FCA to settle at an early stage.

The case related to a number of FCA Handbook breaches between 1 January 2013 and 2 September 2015, including breaches of Principles 3 and 10, the Outsourcing Chapter of SYSC and the Client Assets Sourcebook (CASS)—rules which apply whenever a firm holds or controls client money or has custody assets as part of its business. Two Aviva group companies, Aviva Pension Trustees UK and Aviva Wrap UK, had outsourced the administration of client money and external reconciliations in relation to custody assets to third party administrators (TPAs). In what is the first CASS case in relation to oversight failures of outsourcing arrangements, the FCA found that the Aviva companies had “failed to put in place appropriate controls over … [the TPAs] … to which they had outsourced the administration of client money and external reconciliations in relation to custody assets … [resulting] in Aviva failing to sufficiently challenge the internal controls, competence and resources of their TPAs.”
