Getting a handle on GDPR — what should you be aware of to be compliant?


As the General Data Protection Regulation (GDPR) takes effect this month, Mark Stevens, managing director, Formpipe Life Science, looks at the key differences companies should be aware of and how they can attain compliance.

GDPR is the outcome of many years of negotiation aimed at harmonising the EU member states' approach to data protection and applies in all member states from 25 May 2018. The consequences of failing to comply won't begin and end with a fine; non-compliance also puts an organisation's reputation at risk.

The fundamental principles tackled by GDPR are not new; it strengthens existing legislation protecting individuals and their personal data. The five key differences relate to:

1. The appointment of a data protection officer. This will become mandatory for qualifying organisations.

2. Breach notification. GDPR requires a data controller to notify the relevant supervisory authority (in the UK, the Information Commissioner's Office (ICO)) without undue delay, and not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, the controller must also inform the affected individuals without undue delay.

3. Data protection by design/by default. Organisations need to consider data protection compliance when implementing new processes or methods of handling data.

4. Changes to the use of consent. Consent has never been the only lawful basis for processing personal data, but it is a common one. Under GDPR, consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as to give, which makes it undoubtedly harder to get right.

5. Changes in sanctions. The previous fine regime has been replaced and sanctions re-categorised into two tiers. The first covers violations relating to internal record-keeping, data processor contracts, data security and breach notification, data protection officers and data protection by design and default. These carry a fine of up to two percent of annual worldwide turnover or €10 million, whichever is greater. The second tier covers violations relating to breaches of the data protection principles, conditions for consent, data subjects' rights and international data transfers. The penalty is up to four percent of annual worldwide turnover or €20 million, whichever is greater.

Safeguarding data integrity and demonstrating compliance with an array of legislation is second nature to most pharmaceutical organisations, yet GDPR still represents something of a game changer for the sector.

A cultural shift

The introduction of GDPR represents a wider cultural shift in the way we view personal data. Legislation is mirroring ever-increasing consumer demands, and regulators are keen to adopt a more holistic approach to data management and information governance.

The Data Protection Act (DPA) was introduced in 1998, when the Internet was in its infancy and smartphones were a futuristic concept. People now view their data as their own possession, and GDPR reinforces this sense of individual ownership, raising the risk profile of data management within organisations and acting as a catalyst to expand responsibility beyond the compliance department.

GDPR gives the ICO powers on a par with super-regulators such as the Financial Conduct Authority and the Competition and Markets Authority. Any organisation that controls or processes personal data is required to comply with GDPR.

Most pharmaceutical businesses will have transferable frameworks and resources that can be adapted to comply with the legislation. That doesn't make it any less of a daunting feat.

Getting your house in order

The ICO advocates a 12-step programme to achieve GDPR compliance best practice.[1]

First is awareness: GDPR impacts every aspect of an organisation, so it’s important all stakeholders understand its significance and feel empowered to help safeguard compliance. Once a culture of awareness and accountability is in place, understanding where personal data came from and what it’s used for are logical next steps.

Re-evaluating processes in light of GDPR, from how privacy information is communicated to how personal data is deleted, should be prioritised. Existing breach-reporting protocols need to be a key area of focus too, alongside reviewing current privacy notices and checking processes and procedures against the new rights of individuals.

Subject access requests also need to be carefully considered: under GDPR they must normally be answered within one month and, in most cases, free of charge. Technology has a key role to play here, and adding or adapting systems to locate and export an individual's data is essential to staying on the right side of regulators.

Once you’ve established your business has a lawful basis for processing personal data, findings need to be documented and, where necessary, privacy notices updated or created explaining the extent of personal data processing and justification for it.

Reviewing how consent is obtained, recorded and managed, as well as documenting any changes, should be prioritised by pharmaceutical organisations. The personal data of children deserves extra consideration.

Other considerations the ICO highlights include complications for businesses operating in more than one EU member state, which are required to determine the appropriate lead data protection supervisory authority.

Translating theory into practice

On top of general changes that need to be introduced by data controllers and data processors, there are several sector-specific considerations for pharmaceutical firms. For instance, with pharmaceutical businesses typically operating in chains with multiple touch-points involved in the creation and management of a drug portfolio, it’s essential to know who owns this information.

There is no precedent, but responsibility at each stage will presumably remain with the data controller. Note, however, that GDPR also places direct obligations on data processors (for example, security measures and breach notification to the controller), so processors cannot assume they are shielded from liability. There will be arguments on both sides, but the only certainty is that no one will want to pick up the bill for non-compliance.

Putting effective contracts in place helps define responsibility and practical activity, and such contracts become increasingly important under GDPR, which requires a written contract between controller and processor setting out the subject matter, duration, nature and purpose of the processing.

Clinical trial organisations that come into direct contact with individuals and their personal data will need to manage this data to ensure it is being used to maximum effect, whilst also ensuring GDPR compliance. In practice, these organisations will already be acting in a compliant way to meet the requirements of the DPA. However, the introduction of tougher legislation represents an opportunity for firms to embrace more robust, electronic and efficient solutions.

Don’t pull the panic cord

Whatever organisations are currently doing, time is officially up. GDPR is here and it’s here to stay. If they haven’t already, data controllers should be auditing existing processes and systems to check compatibility with the intricacies of the new laws and, if needs be, investing in the resources required to rectify any shortcomings.

Big change brings uncertainty, and this has the potential to breed panic. That may cause businesses to make rash, ill-informed decisions or to assume that all problems can be fixed by implementing new software, processes and/or procedures. Although well intentioned, this will provide a short-term fix at best and prove a costly mistake should the new systems be found inadequate by the regulator or an auditor.

Relieving some of the immediate pressures of GDPR can be achieved by retiring inadequate legacy technology into cloud-based archive (or preservation) systems. This is a cost-effective approach that takes data from one system and houses it safely and compliantly while replacement systems are thoroughly investigated, data categorised and informed purchasing decisions made. Bear in mind that such a move is itself processing: the archive provider is a data processor, so the required processor contract must be in place, and if the archive is hosted outside the EU the rules on international data transfers apply.

Understanding how historical data needs to be preserved to support compliance best practice in relation to multiple sets of legislation is therefore crucial to reach sensible and controlled decisions.

Reference:

  1. ICO, "Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now", https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf