Priya Mehta has spent 15 years thinking about what it means to handle data that people never wanted anyone to have in the first place. As Chief Compliance Officer at Zenith Health Group — a private healthcare provider operating across the UK, Germany, the Netherlands, France, Ireland, and Spain — she oversees compliance for 4,200 employees and a data estate that includes everything from GP appointment records to longitudinal clinical trial datasets. We met her in Zenith’s London offices to talk about the decisions that don’t have clean answers.
Q: Your path to CCO wasn’t a straight line. You trained as a pharmacist before moving into compliance. How did that shape the way you approach your role?

A: It shapes everything, actually. When you’ve worked as a pharmacist, you understand in a visceral way that data about someone’s health is not an abstract thing — it is intimately connected to their identity, their relationships, their fears. A blood test result isn’t a row in a database; it’s something a person may have been dreading for weeks before they got it. That perspective makes me impatient with compliance frameworks that treat data protection as a tickbox exercise. It also means I have genuine credibility when I sit in a room with clinical staff, because I’m not an outsider telling them how to handle something I’ve never touched. The pharmacist background gave me a foundation in clinical governance that I’ve drawn on constantly, particularly when we started expanding into clinical trials.

Q: Let’s talk about clinical trials specifically. GDPR treats health data as a special category, but there are also specific provisions for scientific research. How do you navigate that tension in practice?

A: This is genuinely one of the most complex areas I work in. The UK GDPR Article 9(2)(j) exemption for scientific research sounds broad on paper, but it comes with conditions — appropriate safeguards, data minimisation, pseudonymisation where possible — and in practice, those conditions require continuous interpretation, not a one-time legal sign-off. The tension I encounter most often is between the research sponsor’s desire to retain rich, identifiable datasets for the full duration of the trial and our data protection obligations to minimise retention and ensure that participants can exercise their rights. We had a situation two years ago where a participant in a multi-site trial submitted a data subject access request mid-trial, and fulfilling it comprehensively would have required us to disclose to that person information held by three different data processors across two jurisdictions. Working out the choreography of that response — who held what, what could be disclosed without compromising trial integrity, what obligations the research exemption actually modified — took four weeks and involved our DPO, external counsel, and the trial sponsor’s legal team. That experience led directly to us redesigning our data mapping process for clinical studies.

Q: Data subject access requests for health data — you mentioned that. It’s an area many organisations still handle poorly. What does good look like?

A: Good looks like a process that takes the rights seriously rather than treating them as an adversarial inconvenience. I’ve seen organisations whose default DSAR response is to release as little as possible, to drag the process to the edge of the statutory deadline, to redact things that don’t need redacting. That approach is short-sighted and, frankly, it misses the point of what GDPR is trying to do. At Zenith, our target is to acknowledge every DSAR within 48 hours and to complete straightforward requests within two weeks rather than the statutory month — not because we’re trying to be heroes, but because a timely, complete response builds trust with patients in a way that matters commercially as well as ethically. The harder cases are where a patient is requesting their clinical records in the context of a complaint or potential litigation. There you have to be very careful, because you have obligations to the data subject but also professional duties around the accuracy of what you disclose and the context in which you disclose it. We involve our clinical governance team in those cases, not just the data protection team.

“People ask me what keeps me up at night, and the honest answer is: it’s not the big, obvious risks. It’s the quiet assumptions — the places where someone has decided that a particular data flow is fine because it always has been, and nobody has looked at it carefully in three years. Healthcare organisations accumulate data practices the way they accumulate medical equipment: things get installed, processes grow up around them, and then they just persist. My job is to keep asking whether each of those practices would survive scrutiny today, not just when they were set up.”

Q: Post-Brexit, the UK is operating under UK GDPR rather than EU GDPR. For a company like Zenith with operations in both the UK and the EU, what does that mean practically?

A: It means running two parallel compliance programmes that are closely related but not identical, and managing the points of divergence carefully. The UK GDPR adequacy decision from the EU — which allows personal data to flow from EU member states to the UK without additional transfer mechanisms — has been renewed, which gives us some stability. But it’s not unconditional, and it requires us to monitor ongoing UK regulatory divergence. The ICO has been moving toward a somewhat more risk-based, less prescriptive approach compared to the EDPB, which some organisations welcome and others find unsettling. I actually find it workable, but it requires more judgment and documentation — you can’t just point to a bright-line rule; you have to demonstrate that your risk assessment was reasonable. The more immediate practical issue is data transfers in the other direction: UK to EU. We have to use the EU’s standard contractual clauses for those transfers, and we’ve had to conduct transfer impact assessments for every material vendor relationship. That was a significant piece of work when we first did it, and it requires ongoing maintenance as the vendor landscape changes.

Q: Building a compliance culture with medical staff is notoriously difficult. Clinicians are trained to prioritise patient outcomes, and compliance can feel like it gets in the way. How do you approach that?

A: By accepting that they’re not entirely wrong. If a compliance requirement is genuinely getting in the way of good patient care, then the requirement — or rather the way we’ve implemented it — needs to be examined. I’ve had clinicians come to me frustrated with consent workflows that were adding minutes to already pressured consultations, and when I looked at what we’d built, I could see that we’d over-engineered the documentation process in a way that reflected legal caution rather than actual regulatory necessity. We simplified it, we didn’t lose any substantive protection, and we gained a lot of goodwill. The approach I try to take with clinical staff is to start from their concerns rather than from my framework. What are the situations where data handling feels difficult or unclear to you? What are the moments where you’re not sure whether you’re doing the right thing? If I can answer those questions in language that connects to how they think about their work — patient safety, professional duty, doing right by the person in front of them — then compliance becomes something they understand rather than something imposed on them from outside. We also have clinical compliance champions in each of our sites: senior clinicians who are interested in governance and who act as bridges between the compliance function and their peers. That peer influence is worth more than any mandatory training module I could design.

Tags: gdpr, healthcare, data-protection, clinical-trials