Enterprise Privacy Consulting

Privacy leadership for life sciences organisations.

Strategic privacy counsel, external DPO services, and OneTrust deployment for pharmaceutical, biotech, and medtech companies navigating complex regulatory environments.

Jesus Herranz

Senior counsel. Pharma native.

Senior Privacy Leadership Experience

I have accumulated over 15 years of experience in senior privacy roles within global pharmaceutical and life sciences organizations. My career includes serving as a statutory EU Data Protection Officer, where I was responsible for ensuring compliance with data protection regulations and safeguarding sensitive information across international teams.

Global Privacy Program Management

Throughout my tenure, I have led the development and implementation of comprehensive privacy programs on a global scale. This involved collaborating with cross-functional teams to design policies, procedures, and training, effectively managing risk and supporting organizational compliance.

OneTrust Deployment Expertise

My leadership also extends to deploying OneTrust, a widely used privacy management platform, to streamline privacy operations and enhance organizational data protection capabilities. This has enabled efficient monitoring, reporting, and management of privacy-related activities within the companies I have served.

20+ Years in privacy law
19+ Markets managed
5 Top-20 pharma clients

Credentials & Experience

Associate General Counsel & EU DPO
Global pharmaceutical company — Digital, AI & Privacy
Global Privacy Director
Fortune 500 biopharmaceutical — US & EU programmes
Senior Privacy Counsel
Multiple top-20 pharma and biotech organisations
EU AI Act & Emerging Technology
AI governance frameworks, clinical AI risk management
Multi-jurisdictional practice
EU, UK, US, APAC — regulatory engagement experience

Six core practice areas

Deep expertise where pharmaceutical privacy complexity demands more than a generalist approach.

01

Enterprise Privacy Risk Management

Comprehensive risk assessment and governance frameworks aligned with GDPR and emerging global regulations. From privacy-by-design architecture to board-level reporting.

DPIA · Risk Registers · RoPA · Transfers · AI Governance

02

External DPO Services

Statutory EU/UK Data Protection Officer function delivered as a service. Full Article 38 independence, regulatory liaison, and DPA engagement across multiple jurisdictions.

EU GDPR Art. 37 · UK GDPR · DPA Liaison · Multi-jurisdiction

03

Privacy Culture Development

Embedding privacy as an organisational value, not a compliance checkbox. Stakeholder programmes, privacy champion networks, and measurable culture change across global functions.

Awareness Programmes · Champion Networks · Metrics · Change Management

04

Training & Education

Role-based privacy training from board level to operational teams. Customised curricula covering GDPR fundamentals, clinical trial data, AI governance, and sector-specific obligations.

Role-based · Clinical Data · AI & Privacy · Multi-language

05

OneTrust Deployment

End-to-end OneTrust implementation: consent management, assessment automation, RoPA, vendor risk, and cookie compliance. Technical deployment aligned with legal requirements.

Consent Mgmt · Assessment Automation · Vendor Risk · Cookie Compliance

06

AI Privacy Agents & Engineering

Privacy agents are transforming how organisations manage personal information — through data monitoring, consent tools, and sensitive content management. We guide clients on privacy-by-design in AI systems, regulatory compliance, and risk mitigation for emerging technologies.

We help you evaluate and deploy AI privacy agents effectively, addressing gaps in transparency, customisation, and third-party integration — while advancing analytics and contextual recommendations that build user trust.

Privacy-by-Design · AI Compliance · Consent Tools · Risk Mitigation · EU AI Act

"The organisations that embed privacy into their culture do not just avoid fines — they build loyalty."

Why PharmaDPO

What sets this practice apart

Pharma-native from day one

No learning curve. We understand GxP environments, pharmacovigilance data, clinical trial protocols, and the operational constraints of regulated industries without needing to be briefed on the basics.

Statutory DPO independence

Our external DPO service is delivered with the full independence required under GDPR Article 38. No conflicts, no compromise — direct regulatory engagement on your behalf.

Counsel-level strategic thinking

Privacy advice grounded in legal expertise, business pragmatism, and 20 years of navigating complex stakeholder environments at the most senior levels of global pharma organisations.

Technology fluency

Hands-on OneTrust deployment experience, AI governance frameworks under the EU AI Act, and deep understanding of the technical architecture behind modern privacy compliance programmes.

Truly multi-jurisdictional

Operational expertise across EU, UK, US, and APAC frameworks. GDPR, UK GDPR, China PIPL, and emerging global privacy laws — in the context of how pharma companies actually operate.

Culture, not just compliance

Privacy programmes fail when they remain in Legal. We build genuine privacy culture — stakeholder buy-in, champion networks, and behavioural change that outlasts any single engagement.

Who we serve

Life sciences specialists

💊 Pharmaceutical
🧬 Biotech
🩺 MedTech
🔬 CROs & CMOs
🤖 Digital Health & AI

Ready to build a privacy programme that lasts?

Whether you need an external DPO, a one-time risk assessment, or a full privacy transformation — let's talk.

London · Madrid — serving clients globally