With the enforcement deadline of May 25 rapidly approaching, many life sciences companies will have already come to realise that GDPR compliance is not simply a legal problem or an IT project, but an enterprise-wide issue requiring a robust and comprehensive approach.
Here, I explain some of the steps pharma organisations can take towards GDPR readiness and why we consider the new regulation to be a positive catalyst for change.
Understanding the responsibilities
Determining the extent to which an organisation could be subject to obligations is the first step. That requires organisations to define their role as either a data controller or a data processor – or both, which is often the case. Like many companies, Veeva acts as both a data controller and a data processor.
Under the GDPR, the controller determines the purpose and means of processing personal data, while the processor is responsible for processing personal data on behalf of the controller in accordance with its instructions. Processors now must maintain records of personal data and processing activity, and they have liability for data breaches. Controllers must ensure their contracts with processors include all of the cooperation obligations.
Moving towards certification
As a cloud provider, we ensure the same privacy and security controls for all customers. Historically, privacy came under the umbrella of our global information officer, David Tsao, based in California. However, a fundamental turning point in our GDPR journey was appointing a dedicated data protection officer (DPO). Under the GDPR, a DPO is mandatory for any entity involved in processing data on a large scale. Beyond that legal requirement, it is a business imperative and common sense to have a single point of contact to oversee privacy.
I was appointed global DPO in 2015, and began to set out a roadmap to leverage our existing privacy and security controls in order to elevate Veeva’s role as a data controller and processor and trusted partner to the life sciences industry.
Building the foundation
To bring privacy to the next level, it is essential to bring a critical mass of dedication to the GDPR. Organisations could benefit from creating a network of privacy champions made up of individuals in leadership roles whose jobs demand deeper understanding and knowledge of data protection, or who demonstrate strong understanding of the regulations.
The true measure of GDPR compliance is whether it permeates the culture at every level, not only from a top-down mandate of the DPO or the legal team. It is key to communicate both the intricacies and the impact of the GDPR to employees and customers in a way that makes sense to them. Once individuals think about how they use personal data – and, indeed, how their own data is used – a shift towards individual responsibility and accountability emerges. With our Veeva privacy champions group and a "train the trainer" approach, we are already seeing this cultural shift.
Signing on the dotted line
The GDPR stipulates that there must be a written contract between the controller and processor which clearly sets out the subject matter of the processing and its duration, the nature and purposes of the processing, the types of personal data, any special categories of data, and the obligations and rights of both parties. Failure to have a suitable data processing agreement (DPA) in place is a breach of the law under the GDPR. So, organisations should invest time working closely with stakeholders to make sure they are aligned on the required documentation.
Embracing the future
Throughout the prolonged effort, we have sought to focus on the positive aspects of preparing for the GDPR. Our mission – to build the industry cloud for life sciences – is bound by a data-centric approach. Already, we can see a much deeper level of transparency with our customers and those whom they ultimately serve – patients who need life-saving and life-prolonging medicines.
Ultimately, transparency promotes trust – and creating trust is valuable on so many levels across the data life cycle. To benefit from optimal care, patients need to trust that their healthcare professionals have the most accurate and up-to-date details about treatments they receive. Healthcare professionals need to feel confident that life sciences companies will treat their information in a fair and responsible way.
Ashley Slavik is global data protection officer at Veeva