Are you GDPR ready? Three easy steps for a pro-active approach
The General Data Protection Regulation (“GDPR”) applies from 25 May 2018, and introduces a new set of rules relating to the collection, storage and processing of personal data. Pharmaceutical organisations should prepare for the Regulation in order to remain compliant.
Pharmaceutical organisations handle incredibly sensitive information: including customer data, patients’ details, and internal intelligence on research and market developments. At the same time, the industry is highly susceptible to data breaches. A UK government report identified the pharmaceutical sector as the number 1 target for cyber-criminals intent on stealing Intellectual Property (IP), estimating the cost of IP theft in the UK pharmaceutical and biotech sectors at £1.8bn per annum – more than any other sector. With the introduction of new legislation to regulate data protection in the European Union, data breaches may soon result in even greater significant legal and financial consequences for pharmaceutical organisations.
The General Data Protection Regulation (GDPR) will come into full effect on 25 May 2018, introducing a single set of rules across the European Union (EU). It applies equally across all member states. It repeals the Data Protection Directive 95/46/EC (“Directive”). The Directive was implemented into member state laws by domestic legislation and thus perceived not to be consistent across the EU.
Along with significantly increased penalties, the EU GDPR introduces more onerous compliance obligations. For instance, local regulators must be informed of personal data breaches without undue delay and where feasible, within 72 hours; where the personal data breach poses a high risk to the rights and freedoms of individuals, the data subject must also be informed without undue delay. Additionally, the definition of personal data is wider than that under the Directive.
GDPR not only applies to organisations based in the EU but may also apply to any organisation, within or outside the EU, which processes the personal data of EU subjects in the course of targeting them with offers of goods or services or where its processing their personal data consists of monitoring their behaviour
GDPR introduces greater penalties for non-compliance than those currently in force. For example, failure to comply with GDPR provisions relating to the rights of the data subject, those relating to transfer of personal data to third countries (those outside the EU) or international organisations may attract penalties of up to 20 million euros or 4 % of the non-complying organisation’s total worldwide annual turnover.
Pharmaceutical organisations must comply with the new Legal Framework
Given the massive ongoing changes in all things digital, there is clearly a technical and organisational challenge in complying with the legal framework on data protection in Europe.
At the same time, millions of records of personal data are lost or stolen every year. Indeed, a United Kingdom Government report found that two thirds of large businesses experienced a cyber-breach or attack in the last year. GDPR provides an impetus for businesses to tackle these issues head-on.
Compliance with GDPR poses a challenge to pharmaceutical organisations
However, regulatory compliance comes with a range of challenges: as noted above, a big challenge is the necessity to report a personal data breach to the supervisory authority and the short timeframe allowed to do so. Additionally, there is the requirement to inform the data subject of the breach. This is a significant new requirement
Three easy steps for a pro-active approach
As the introduction of GDPR draws steadily closer, pharmaceutical organisations will need to consider the steps they must take to comply with it.
For those only now addressing the challenge there are some clear initial steps to take. Thinking about the implementation of these steps now can help avoid financial pitfalls in the future.
1) UNDERSTAND YOUR ORGANISATION’S PERSONAL DATA UNIVERSE
Pharmaceutical organisations should take steps to gain a clear understanding of their personal data universe: for example, what categories of personal data does it collect; how and from whom it collects it, where the data is stored, what it does with it, who does it, the reasons for doing it, how long it keeps it and the reasons for keeping it or discarding it; and critically, how far these practices meet the pharmaceutical organisation’s forthcoming regulatory obligations under the GDPR and other legal requirements.
2) PLANNING AND COMMUNICATION
Planning and communication is the essence of a successful information governance strategy. Getting the key players (typically IT, legal, compliance, business, sales and HR departments who deal with personal data) talking to each other, and investing the time to build a data map – essentially a description of the pharmaceutical organisation’s data types, technical infrastructure and storage solutions - is an essential second step.
3) ONGOING VIGILANCE
It is not enough to adopt an irregular pattern of personal data monitoring. As a pharmaceutical organisation’s personal data landscape is continually shifting, mapping that landscape is an on-going requirement rather than a one-off exercise. A proactive and ongoing approach to information governance will ensure that corporations are ready to deal with future developments and shifts.
Privacy must become a core business program for pharmaceutical companies and pharmacies
The introduction of GDPR is expected to bring a significant increase in data protection enforcement across the EU. Privacy must now become a core business program for pharmaceutical organisations conducting business in the EU and planning for the challenges posed by GDPR should start now. With the right preparation, a pharmaceutical organisation will be able to reap the benefits of a strong regulatory framework which provides the incentive to develop technology and processes. Failure to plan heightens the risk of the pharmaceutical organisation breaching the GDPR and suffering the consequences: substantial damage to finances and reputation.
 UK Government/Detica Report, ‘The Cost of Cyber Crime’, http://www.infinigate.co.uk/fileadmin/user_upload/Vendors/Becrypt/ma7824_becrypt_one-pager_pharm_fa.pdf. 2013