Hello, my name is Rahul Kallampunathil. I am the Vice President of Digital Risk and Emerging Technologies at Arbour Group. To give context to our discussion of Data Privacy and General Data Protection Regulation (GDPR) Compliance, we must review the Life Sciences industry.
Life Sciences in a Regulatory Environment
The Life Sciences industry includes pharmaceutical, biotechnology, medical devices, providers, and payers. Pharmaceutical companies are responsible for small molecule drugs and vaccines, while large molecule drugs and vaccines are covered by biotechnology. Diagnostics, monitoring devices, and software as a medical device are part of the whole suite of medical devices. Providers include physicians and other healthcare providers. Payers are insurance companies and similar organizations.
The life sciences industry produces products intended to treat animal and human health conditions, regulated in the US by the Food and Drug Administration (FDA). Similarly, in Europe, these products are regulated by the European Medicines Agency (EMA). There are many different regulators in different countries. A product can be a drug or a medical device. The objective of regulators is to ensure patient safety, product quality, and data integrity. Over the last ten years, privacy and data protection regulations affecting the Life Sciences industry have increased. More recently, in the last few years, GDPR has come into effect, further increasing the focus on privacy.
Life Sciences Industry Trends
Economically, global health care spending is projected to exceed $10 trillion by 2022. It is being driven by increased access to medicines because of new pricing policies around the world. This is relevant in the developing world, where more people can afford better healthcare. Healthcare cost is also driven by increased life expectancy and an increase in non-communicable diseases (NCDs). Novel therapies and Biotechnology products are expected to contribute more to overall sales than traditional drugs and medical devices. Next-generation technology startups and large technology companies continue to threaten the status quo and bring in new products.
From a regulatory outlook across the globe, regulators have acknowledged the impact and pace of change brought in by newer technologies but are struggling to keep up with the industry. The main driver is the volume of data stored in electronic form, which has increased exponentially over the last decade, increasing privacy concerns from both regulators and society. That growing volume of data is stored across multiple platforms, which further increases risk. There are multiple privacy regulations at different geographic levels (International, Federal, and State) that create a complex compliance environment. Regulators benefit from more collaborative approaches, such as co-regulation, self-regulation, self-audits, and international coordination. Coordination between the EMA and the FDA is an example.
Regulatory Background of Privacy
The volume and value of data collected are growing exponentially, driven by the growth of technology and storing massive volumes of data at increasingly lower costs. Because data storage costs are dropping, the capacity is increasing. Data provides businesses with a competitive advantage but also introduces compliance risks. Businesses face increasing pressure from the regulators and society to secure and protect personal data and use it only legally and ethically. Organizations that collect or use data need to develop a comprehensive program to manage data privacy and improve how they collect, use, store, and delete personal information.
There are numerous laws enacted at the federal and state level in the United States to protect US residents' privacy. The Privacy Act of 1974 determines a code of fair information practices that govern the collection, maintenance, use, and dissemination of data about individuals maintained in federal agencies' systems of records. There are sector-specific regulations such as Gramm–Leach–Bliley Act (GLBA) for financial institutions. There are various state-level regulations like the NY Privacy Act. Even though the General Data Protection Regulation (GDPR) is meant for the EU, the regulation brings into scope companies that do business with the EU; even a US company with EU subjects' data comes in scope with GDPR. There are various other data protection laws in other countries, such as the Data Protection Act 2018 in the United Kingdom. As time progresses, states will have more regulations regarding data privacy.
Common Theme of US Privacy Regulations
Scope is typically defined by geographical location, organization size, annual revenue, and the nature of the business. Who is protected by the regulation may be determined by defined residents or specific sub-sections (patients or children). Each regulation defines what information is protected. A Privacy Notice is usually given to comply with these regulations and to ensure that subjects know what the regulations state regarding privacy. Security requirements describe how privacy must be protected. Breach notification procedures cover how companies are expected to respond when a breach occurs, who gets notified, and how much time is given for each notification. Certain regulations define the Data Subject Rights of an individual, for example, the right to opt out or the right to be forgotten; this is common when unsubscribing from emails. Penalties cover the fines and other punitive actions taken by the regulators depending on the type of offense.
General Data Protection Regulation (GDPR)
The previous EU Data Protection Directive only applied to organizations with a presence in the EU, or using equipment in the EU, that were defined as data controllers. The General Data Protection Regulation (GDPR) is wider in scope and applies directly to any organization active in Europe. This includes organizations without an EU establishment that are directing goods and services to people in the EU or are monitoring their data. For example, a US company with no establishment in Europe that directs product marketing to customers based in the EU needs to comply with the GDPR.
General Data Protection Regulation (GDPR) Potential Risks
Reputational Risk: non-compliance with the GDPR might result in brand damage, loss of consumer confidence, loss of employer trust, and customer attrition. Operational Risk: individuals may impose data processing bans, suspend data transfers, and order the correction of an infringement, resulting in restricted EU operations and invalidated data transfers. Financial Risk: for non-compliance, fines of up to 4% of the total worldwide annual turnover of the previous financial year may be enforced. Companies may also face a loss of revenue, as well as high litigation and remediation expenses. Regulatory Risk: regulators may also require the provision of information, conduct audits, and obtain access to premises.
Personal Data in General Data Protection Regulation (GDPR)
A key part of understanding GDPR is comprehending how personal data is defined. The definition of personal data in the Data Protection Directive is broad and includes virtually any information that may allow the identification of a person. The GDPR clarifies the types of data that fall under the definition, including location data and online identifiers. Furthermore, the regulation adds genetic data and biometric data to the catalog of data considered sensitive, requiring special measures and increased protection.
The EU Data Protection Directive permitted the use of personal data in limited circumstances with individual consent. With GDPR, it must be proven that the person giving consent is aware of the risks and has decided to accept or reject. The GDPR makes consent much more difficult to obtain and prove, forcing organizations to re-examine how they collect and use personal data.
Proving General Data Protection Regulation (GDPR) Compliance
Organizations need to prove they are complying with GDPR by producing evidence to support how they are complying. Documentation is needed of what personal data is used by the organization and how. Organizations must document privacy risk assessments and privacy audits, demonstrating where an activity poses a specific privacy risk. Not doing this, and not having documented evidence of it, is considered non-compliance with GDPR. Examples of activities that pose a specific privacy risk are profiling, managing sensitive personal data, processing biometric data, and CCTV monitoring on a significant scale.
The paperwork required is a challenge for some organizations, as merely not having the necessary evidence could count as a failure. Regulators will have the power to audit organizations to verify compliance with the law, and their first inquiry will undoubtedly be about the paperwork.
General Data Protection Regulation (GDPR) Breach Procedures
Organizations are required to report contraventions of the law to the regulators and to the people involved. Public disclosure of a failure is likely to increase regulatory sanctions and compensation claims, as well as causing damage to brand and reputation.
Organizations need to report incidents within 72 hours and need to provide the following information:
- The nature of the incidents
- The categories and number of people affected, and the categories and number of records concerned
- Details of the Data Protection Officer or contact point
- Likely consequences of the breach
- Measures taken and measures that will be taken
- Steps to mitigate the impact of the incident
General Data Protection Regulation (GDPR) Dedicated Roles
Senior management is responsible for establishing a GDPR compliance program. It is common for organizations to have a dedicated Data Protection Officer (DPO) to help satisfy the onerous provisions of the GDPR. Organizations must appoint a DPO if one of the following conditions applies:
- The organization is a public authority
- Part of the organization's core activity requires regular monitoring of individuals
- Part of the organization's core activities requires large-scale processing of sensitive personal data
The DPO is responsible for ensuring that an organization gets data protection compliance right. To carry out this task to the highest standard, the DPO must carry out the role independently, without conflict of interest or any instructions regarding the exercise of their function.
The DPO's role includes informing and advising the organization of its requirements under the GDPR and monitoring compliance with requirements relating to privacy by design, privacy impact assessments, data security reviews, and individuals' rights. The DPO acts as a contact for the regulatory authority and must cooperate at the authority's request. Many organizations find that a dedicated DPO is a useful way to demonstrate their commitment to engage with data protection activity and take privacy seriously.
General Data Protection Regulation (GDPR) Technical Controls
The EU Data Protection Directive and the General Data Protection Regulation (GDPR) impose obligations regarding personal data, defined as data relating to an identified or identifiable person. Once the data has been identified and classified by risk level, different technical controls can be put in place to protect user data. If personal data is manipulated so that the individuals can no longer be identified from the data, and it is irreversibly anonymized, it is not subject to the provisions of the GDPR.
Full anonymization of data is very difficult to achieve in practice, but there is a good half-way solution between personal data and anonymous data, which is pseudonymous data. Data that falls into this grouping is subject to less severe restrictions than personal data and is referred to as pseudonymized data or "shadow data," which is defined by GDPR as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information." A thorough analysis is needed to consider how full data encryption affects system performance. Applying no data protection at all exposes the whole system to risk. Risk analysis and cost analysis help determine which data needs to be protected by technical controls, including security and access controls.
Cross Border Transfers
Organizations are still able to send personal data outside of the EU where the European Commission has determined that there is an adequate level of protection for the citizens' rights. There are several grounds that entities can rely upon, such as contractual permissions and consents from the parties. Additionally, the European Commission has issued decisions approving other methods for transfers of personal data, including Binding Corporate Rules and Model Contractual Clauses. The Court of Justice of the EU has ruled that the mechanism arising from a European Commission decision, known as Safe Harbor, is invalid.
The Safe Harbor Decision had been one of the main legal mechanisms for transferring personal data from Europe to the US for the past 15 years. Now that it has been declared invalid, it cannot be used to render these transfers of personal data lawful. The other transfer mechanisms are now arguably vulnerable to the same kind of challenges the Safe Harbor Decision faced, although they currently remain perfectly valid.
Right now, there is no standard framework to demonstrate compliance. Most entities transferring personal data to the United States rely on substantial protections within their organizations for data protection and privacy, using governance frameworks, policy frameworks, privacy and security controls, and other measures. It would be wise for entities to identify and document those protections, so they have answers on hand if contested. Businesses should also consider reviewing their supply chains to understand whether those they rely upon are themselves reliant on Safe Harbor. Putting in place methods to monitor complaints and inquiries about data transfers should be considered a top priority. For any auditor that looks at the company, the organization can then justify the steps taken to comply with GDPR.
Arbour's General Data Protection Regulation (GDPR) Compliance Approach
Arbour Group's GDPR compliance approach begins with a GDPR Workshop, where we assist with the data inventory. Arbour then conducts a GDPR Gap Assessment to identify gaps in current GDPR compliance. GDPR Implementation addresses the gaps and mitigates the risks involved with compliance. Ongoing monitoring is performed to maintain compliance as new data comes in and new computer systems are added; it should be carried out quarterly, or whenever new systems are implemented. Ongoing monitoring is essential to the GDPR compliance program.
Within a GDPR Compliance Approach, there are key areas that need to be covered. Strategy & Governance, Individual Rights Processing, Policy Management, and Training and Awareness are essential when addressing GDPR compliance. Data Lifecycle Management covers the data inventory and the mapping of data collection, data use, and data disposal. A Cross Border Data Transfer strategy should be determined. Privacy compliance is not achieved simply by adding technical controls; there must be Privacy by Design (PbD) to identify risks and ensure better privacy. Privacy Incident Management covers the data breach response strategy and processes. Data Processor Accountability, covering business partner and third-party risk management, maintains due diligence over procedures and measures. Information Security provides the essential security risk framework to reach compliance and protect data.
General Data Protection Regulation (GDPR) Key Roles and Stakeholders
In a typical GDPR compliance approach, the most important role is the Data Protection Officer (DPO), who is in overall charge of identifying the GDPR requirements, Privacy by Design (PbD), providing consumer notice and transparency, and conducting Privacy Impact Assessments (PIAs). IT plays an important role, as a good portion of the data resides in an organization's systems, involving data storage and data protection. The CIO and CISO need to determine what investments will be made to achieve GDPR compliance and the skillsets they need to acquire to maintain it. Marketing collects customer data and therefore needs to be familiar with the processes and privacy requirements for collecting personal data. Human Resources is involved in training, maintaining adequate training of employees on privacy. Legal may interact with regulatory authorities and handle contracts that affect data privacy. Customer service and operations may be tasked with implementing strategies and systems for customer and employee rights of access and remediation compliance.
If you would like to learn more about Arbour Group's General Data Protection Regulation (GDPR) compliance approach, contact us today to learn more.