Author: Jim Walker, Contributing Editor, PharmaLeaders
Since launching in May 2018, the new General Data Protection Regulation (GDPR) has been forcing businesses in EU member countries to apply much more rigorous and systematic methods to handling personal customer data. GDPR has received especially high levels of attention due to the fact that potential fines for non-compliance have been set at 4% of global revenues, or 20 million euros, whichever is greater.
US businesses may be affected in the future as the global nature of many enterprises, combined with similar legislation such as the California Consumer Privacy Act (CCPA), signals that we are all entering a new era of customer data management and protection.
Those interested in the entire GDPR regulation will read almost one hundred pages; alternatively, you may dive into the various sections using an interactive guide to the GDPR. At a high level, there are four broad areas that the new regulations address.
- Customer Consent Is Required
  - Explicit consent needs to be obtained from all customers who are entered into your database.
  - Opt-in boxes have to be left unchecked. Opt-in by default is no longer permitted.
  - Double opt-in is not explicitly required by GDPR but does provide 100% verification that consent has been obtained.
- Customers Own Their Data
  - Customers have a right to their personal data.
  - Companies must be able to provide customers with their data upon request.
- Customers Have the Right to Be Forgotten
  - Customers have a right to remove all of their personal data.
  - Companies (“controllers”) and their data suppliers (“processors”) must be able to entirely delete specific customer records.
- Customers Can Refuse Profiling
  - Customers can request not to be profiled based on personal data.
  - Customers can opt out of marketing campaigns based on data segmentation.
While the overall intent of the GDPR is very clear, it is, like many high-level regulatory documents, open to interpretation; thus, the details of implementation are still being worked out by security experts in the EU and around the world.
A recent ExL event in Philadelphia, GDPR Update for Global Organization, highlighted this process of interpretation, with several life science data security speakers noting that defining best practices under the new regulations will be an ongoing journey.
Jo Blyskal from Teva Pharmaceuticals chaired the event and stressed the need for patient-friendly data transparency and the importance of explaining to patients what is meant by informed consent. She also challenged life science companies to begin thinking about patient privacy issues from the initial IND submission.
In a similar fashion, Jeppe Manuel from Novo Nordisk described how his company is guided by a philosophy of “respectful use of personal data.” Manuel offered a detailed explanation regarding who holds responsibility under the new GDPR guidelines, whether your company is a “controller” (ultimately responsible for the customer relationship) or a “processor” (a firm tasked with managing and transferring customer data). He also encouraged companies to embed the GDPR regulations into their standard operating procedures, so that customer privacy and protection become as automated as possible.
Another notable presentation by Medtronic’s Igor Chechelnitsky focused on assembling the appropriate people, processes, and tools in order to provide the optimum levels of results on a cost-effective basis. Chechelnitsky also highlighted the importance for companies to create an internal working framework and gap analysis for privacy issues, even while the broader implications of GDPR are still being ironed out over time.
While there are clearly substantial costs involved in adhering to the new privacy regulations, several attendees pointed out that the increased rigor of analyzing their data capture and storage processes holds the potential to actually save money in the long term by optimizing and right-sizing their often-overlapping data technologies.
Moving forward, it’s likely that the impact of GDPR and similar legislation will touch almost every aspect of the life sciences pipeline. Marketers, in particular, will need to pay much greater attention to how they capture and retain customer data – both in the short and long term.