Pharma playing catch-up as GDPR deadline nears
One month remains until Europe’s General Data Protection Regulation (GDPR) comes into force, affecting the way pharma uses people’s data, and there are concerns about whether pharma is fully prepared.
GDPR will be enforced across Europe on May 25. The legislation, proposed by the European Commission, is designed to strengthen and unify data protection for individuals within the European Union (EU) and will also address the export of personal data outside the EU.
GDPR overhauls the Data Protection Directive put in place 20 years ago.
Pharma, like all businesses, has had two years to prepare for GDPR. Those who fail to comply will be penalised by having to pay fines – up to 4% of international turnover or 20 million euros, whichever is greater – and may also be made to pay compensation, depending on the scale of any infringement.
Sanctions include warnings and reprimands, bans on data processing, the restriction or deletion of data and other limits.
Clearly, in the pharma industry, there may be issues with damage to a company’s reputation as well as the loss of consumer trust if breaches occur. It is therefore imperative that pharma, with its reliance on patient-centric data when it comes to clinical trials, is stringent in its approach to implementing GDPR.
It’s vital to note that GDPR requires companies – wherever they are located – to gain the consent of all EU citizens whose data they intend to use.
Such requests must, in contrast to current standards, be explicit, easily accessible and clearly explain how an individual’s data will be processed. Any data that can be used to identify a person must be redacted.
Personal data – which can identify an individual – and sensitive data, such as genetic information, online identifiers and location data, are all covered by GDPR.
Consent will have to be specific, too, which may limit any secondary and retrospective uses of clinical data, as the person may not have provided specific agreement for the latter.
Also, individuals will need to be able to easily withdraw their consent after it has been given, so that they have what is known as ‘the right to be forgotten’.
This could cause problems, as data is often used by numerous stakeholders, such as researchers, hospitals and contract research organisations (CROs), and retracting it will undoubtedly be challenging on a global scale.
All of the above means that pharma must treat privacy as a top priority if it is to avoid financial penalties and the loss of consumer confidence.
Mark Thompson, global privacy lead at KPMG, said that the biggest challenge for large pharma companies will be the cultural change, particularly for those that are adapting to new business models that put data at the centre of what they do.
He told the website diginomica that pharma companies do not interact with patients, and will often not know the patients who have been prescribed their drugs.
But the shift towards digital products will force them to become more proactive because of the demands of the legislation, he said.
Thompson said: “(Pharma is) starting to move to digital products, where they take a pill and this provides a reading to an app on your phone telling you your sugar levels, for example.”
“That data has to go somewhere and primarily it goes back to the pharmaceutical. So the shift in business is changing the way that organisations that didn’t use to interact, are now starting to interact with very significant volumes of data. And they’re just not culturally programmed in the way to focus on that and manage that.”