The implications of GDPR on pharma and its relationship with healthcare professionals

On Friday 25 May a new European law, known as the General Data Protection Regulation (GDPR), will come into effect, changing the way that data is held and processed, and threatening heavy fines for non-compliance.

While GDPR has been in the offing for some time, the Direct Marketing Association (DMA) previously stated that approximately 30 percent  of its members did not think they would be able to meet the deadline for compliance.

For pharma companies that are fully compliant with the robust data protection laws currently in place, the changes they need to make for GDPR are likely to be minimal. However, significant challenges lie ahead for those with poor data management practices.

Why is GDPR being introduced?

Changes to the law generally result from dissatisfaction, or a plea for change from the masses. Transparency and the individual’s right to control how and where their personal data is used are central to GDPR. Consequently, companies that do not plan to respond to it have effectively stopped listening to their customers.

Over the years we’ve seen many organisations become overly reliant on email as a communication channel. Relatively low in cost, it reaches the masses, ticks the ‘communication sent’ box and gets some basic ‘stats’. But by operating in this way, some companies have lost sight of the end game. They’ve stopped being targeted and relevant and created apathy among audiences.

The basic marketing principle of ‘seven touchpoints’ to convert a prospect into a client is difficult to achieve through a single channel. It’s all about creating two-way conversations with the audience, developing a value exchange and taking prospects on a journey with a business.

GDPR is a timely reminder for pharma and other industries that it’s not about quantity reached, but quality engaged.  Maintaining the highest standards of data processing and management is a critical step on the road to achieving this type of engagement.

What will change under GDPR?

The responsibility for data protection compliance currently lies with the individual company that holds or uses the data, regardless of whether it purchased that data under licence from a supplier like Wilmington Healthcare, or generated it from its own list of contacts.

This will remain the same under GDPR. However, companies will also have to define the legal basis on which they are holding or using the data; the relevance of their product or service to an individual on the database and the purpose of their communications to that person.

Although companies will not be allowed to hold data on people unless it is relevant to their business, there is some leeway in terms of how they can justify an individual’s inclusion on a database under GDPR, since it allows companies to have multiple legal bases for holding or processing data for different purposes. These range from consent from the individual where applicable, to potentially a legal or public interest reason to provide certain information like regulatory updates based on the healthcare professional’s role as a prescriber.

A lot of pharma companies and data providers are processing healthcare professional data on the legal basis known as legitimate interest. Under GDPR, legitimate interest means an organisation has a reason to hold someone’s information on its database, but it hasn’t necessarily obtained their consent. In such circumstances, it is good practice to send out an information notice to the individual, informing them that they are on a particular database, why and for what purpose, and giving them an opportunity to opt out if they wish.

Is pharma ready for GDPR?

The current data protection regulations allow pharma to send educational, non-promotional and regulative communications direct to HCPs without their consent; while promotional emails must have consent. So, companies that are following the industry regulations to the letter and have well maintained and regularly updated databases are already close to being GDPR compliant.
However, data controllers or data processors who have tried to push the boundaries around use and purpose, or who have databases that have remained untouched for years, could find themselves in trouble with the regulator under GDPR, particularly if they continue to  contact an HCP who has asked to be removed from a list. This is because  GDPR takes a much harder line on non-compliance than the  current legislation.

Under the current legislation, companies are considered innocent until proven guilty, but with GDPR the reverse applies. There are also large on-the-spot fines for non-compliance of 20 million Euros or four percent of a company’s turnover, whichever is greater. While these measures are likely to be taken only in the event of a significant breach, pharma cannot afford to be complacent.

How can companies prepare for GDPR?

The biggest issue for pharma is ensuring that all of its data sources are joined up so that it has clear visibility of all its data. We recommend that companies conduct a data audit and profile their data to define how it is used for sales and marketing purposes. Companies must be prepared to be ruthless when it comes to deleting information that is not relevant to their purpose or business. They must also have a single point of access for their database.

The next step is to define the legal basis for processing data, e.g. consent, legitimate interest, vital interest, legal obligation or public task. Having done this, companies should then send out an information notice to its data subjects, informing them of the information held, legal basis, purpose  and how to opt-out.

Other important tasks to ensure compliance include defining the company’s data protection approach and its data protection policy. GDPR statements and processes should be documented and companies must produce a privacy impact assessment. If they are processing under legitimate interest, they must complete a legitimate assessment too, which defines their basis for processing under that definition using a necessity and balancing test.

It is important for companies to ensure they have a nominated data protection officer – in a smaller company this will be the CEO or equivalent. They must also brief and train their staff, so they are aware and aligned. This is absolutely vital to ensure compliance, and we are currently writing a training course to guide companies through the process.

On the issue of staff, the biggest data protection risk for pharma companies is sales representatives taking their own lists from databases. Restricting access to the database is, therefore, key to minimise a breach. To counter this, some companies are even writing rules on database use into employment contracts.

Companies should keep records of their approach to GDPR and how they have prepared for it. Pharma must also be prepared to respond in the event of an access request or complaint from a data subject, or with regards to a GDPR breach.
On an ongoing basis, good database management is absolutely essential. So, if, for example, an HCP has asked to be removed from a database, this must be recorded to ensure that person is not accidentally contacted again.

For those companies that have already worked to the highest standards of data protection, the changes required to comply with GDPR should be minimal. However, for those that have taken a more relaxed approach over the past few years, a sea change in attitude and processes is required to avoid breaches, fines or – worst-case scenario – business closure.

While the work required to comply with GDPR may seem arduous to some, we must not lose sight of the purpose of this new legislation. Ultimately, HCPs and other individuals want more control over their personal data. Respecting their rights in this regard is key to building deeper and more meaningful relationships with them; relationships that put quality ahead of quantity, and create genuine value for both parties.

Sarah Eglington is client services director at Wilmington Healthcare. For information on Wilmington Healthcare, log on to