© 2019 PNG Publishing

A New Era in Consumer Data Protection: Understanding the Implications of the GDPR and CCPA for the Biopharmaceutical Industry

MAY 25th, 2018

The EU's GDPR came into effect, changing the data regulatory environment for biopharmaceutical companies the world over by setting strict requirements on the integrity, use and procurement of personal data.

JUNE 28th, 2018

The California State Legislature passed, and Governor Jerry Brown signed, the California Consumer Privacy Act (CCPA) into law. It applies to businesses that do business in California and collect personal information about California residents, so it also has important implications for biopharma companies operating in the United States.

2018 has been a watershed year when it comes to the regulation of consumer data privacy in the biopharmaceutical industry. On May 25th, the European Union's General Data Protection Regulation (GDPR) became applicable. Little more than a month later, on June 28th, the California State Legislature passed, and Governor Jerry Brown signed into law, the California Consumer Privacy Act (CCPA). Both have significant implications for biopharma companies and mark a new era in consumer privacy.

The GDPR transforms EU law as it relates to data protection and privacy for individuals. The European Parliament approved it on April 14th, 2016, and organizations across the business spectrum were given two years to prepare before it became applicable on May 25th, 2018. While the law primarily focuses on data protection for individuals in the EU and the European Economic Area, it also restricts transfers of personal data outside of these regions and applies to organizations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. As a result, every organization that does business in the EU, or with people in the EU, is affected by the law.

The GDPR provides strict requirements on the integrity, use and procurement of personal data. The implications for biopharma companies are manifold, as personal data infuses a wide variety of areas in which they practice. Clinical research is primarily concerned with highly sensitive personal data, and health and genetic data are among the GDPR's "special categories" that attract the strictest rules. Beyond this, post-marketing activities, advertising, patient outreach, safety reporting and numerous other areas in which biopharma companies operate deal with personal data and will be profoundly affected by the new regulatory environment.

“Personal data is crucial to the pharmaceutical industry's research and development of drugs and therapies,” said Kimberly Gold, a partner at the law firm Reed Smith. “The pharmaceutical industry also uses personal data for the purposes of marketing to healthcare provider customers and patients, collecting and reporting of adverse events, and recruiting and managing personnel.”

“GDPR compliance is not simply a legal problem or an IT project, but an enterprise-wide issue requiring a robust and comprehensive approach,” says Ashley Slavik, the Senior Counsel and Global Data Protection Officer at Veeva. “This understanding requires setting the tone from the top, executive buy-in, and resources.”

Pharmaceutical companies need to develop internal policies and procedures for GDPR compliance that can actually be operationalized and followed day to day. Gold emphasizes that it is not enough to draft a set of GDPR policies and procedures; they must fit the organization's culture and structure and be easily understood by employees.

Personnel with exposure to personal data must also be trained on GDPR compliance. This is a key aspect of ensuring that an organization meets GDPR requirements, since a policy that staff do not understand or apply offers no protection in practice.

Recently, a movement has emerged in the industry to partner with organizations that can provide de-identified or anonymized data for use in research and development. Data that has been truly anonymized, so that the individual can no longer be identified by any means reasonably likely to be used, is not considered personal data and therefore is not subject to data protection laws like the GDPR. The caveat practitioners should keep in mind is that the GDPR treats pseudonymized data, such as key-coded clinical trial data where a code list or re-identification key still exists somewhere, as personal data that remains fully in scope; "de-identified" in a contract does not automatically mean "anonymized" in the GDPR sense.

Even as these partnerships proliferate, the use of personal data covered by the GDPR is inescapable. One of the key distinctions emphasized by the GDPR is the difference between a data controller and a data processor.

“With the previous EU Data Protection Directive of 1995, legal responsibility rested primarily on the data controller, but the GDPR stipulates shared responsibility between the controller and the processor,” says Slavik. “Under the GDPR, the controller determines the purpose and means of processing personal data, while the processor is responsible for processing personal data on behalf of the controller in accordance with its instructions”.

Processors, Slavik continues, now must maintain records of personal data and processing activity, and they have liability for data breaches. Controllers must ensure contracts with processors include all of the cooperation obligations. Most companies may act as both a processor (if they provide a service) and a controller (for their employee and customer data for example). 

“It is crucial to understand the definitions and the corresponding obligations in order to properly assess your organization’s ultimate responsibilities and develop your compliance roadmap,” said Slavik.

In addition to these changes, the GDPR stipulates a clearer but more stringent definition of consent. Where consent is relied upon as the legal basis for processing personal data, it must be clear that the data subject understood and freely agreed to provide such consent. Under Article 4(11) of the GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

“Consent under the GDPR,” said Gold, “requires a positive opt-in; pre-checked boxes are not sufficient. Consent language also needs to be kept separate from and cannot be buried under other terms and conditions. In addition, Article 7 of the GDPR requires that data subjects be able to withdraw their consent at any time – and that it is as easy to withdraw consent as it is to give consent.”

With the GDPR in full effect, more and more companies have established the role of a Data Protection Officer (DPO). Specifically, Article 37 of the GDPR states that a company acting as a data controller or a processor shall designate a DPO in any case where its core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale, or consist of processing special categories of data (which include health and genetic data) on a large scale. Additionally, it is both a business imperative and common sense to have a single point of contact to oversee privacy.

“Any biopharma working with personal data would be well served to have a DPO,” says Slavik. “The DPO must be qualified with an expert knowledge of data protection law and practices and have the ability to fulfill the following tasks using a risk based approach: 1) inform, advise, and monitor compliance with the requirements of the GDPR through policies (such as a Data Protection Impact Assessment (DPIA)), procedures, training, and audits and 2) act as the point of contact for supervisory authorities and data subjects.”
