Séverine Bouvy of Taylor Wessing writes:
In the discovery phase of scientific research, AI systems can be used to review patents and identify potential new medicines for clinical trials. If an organisation develops its own AI system internally without using patient data, the AI Act should not apply, as it would under the research exemption. Similarly, GDPR is not relevant in such cases as no personal data is processed.
However, when patient data is used to train an AI system, GDPR becomes applicable. Patient data can be sourced from various places, including healthcare records collected by institutions such as the NHS, voluntary registries where patients consent to sharing their data for research, or data obtained from previous clinical trials. However, these datasets were originally collected for specific purposes, necessitating an assessment to determine if they can be repurposed for training AI models.
Read more at Taylor Wessing.