The pharmaceutical industry is woefully at risk for not being prepared in time for the EU’s coming General Data Protection Regulation (GDPR). This includes pharmaceutical companies themselves, contract research organizations (CRO), and software vendors. Even medical companies who may be compliant with the Health Insurance Portability and Accountability Act (HIPAA) don’t automatically fall in line with the GDPR. The penalties for violation of the GDPR are heavy and can have a significant impact on a company’s bottom line. When the GDPR goes into effect on May 2018, this could cause significant disruption to the pharmaceutical industry.
What is the GDPR?
The GDPR is a replacement cyber security regulation. The law will be replacing the 1997 Data Protection Directive (“Directive”). The Directive is now 20 years old and much has changed in the cyber threat landscape, as well as definitions of data and data ownership since then. The GDPR is seeking to meet the current realities technologically and politically. The most critical parts of the GDPR are as follows:
The GDPR is actually a global law due to how integrated markets are with the EU region. The legislation is citizen focused and protects EU citizen data. If a company wants to earn the money of EU citizens, then they must comply with the GDPR regardless of where they’re in the world.
The GDPR penalizes violators on a sliding scale to ensure they feel the impact of the violation. If a company violates a chapter of the regulation, they will face a fine of 4% of global revenue.
Rights of Data Subjects
Data subjects are the EU citizens that this regulation is intended to protect. They have the following rights: right to data portability, right to rectification, right to erasure, right to restriction of data processing, and the right to deny automated processing.
Data Protection Officers
Companies that meet certain specifications in the coming law are required to have a Data Protection Officer whose role is to ensure compliance is met and the data of EU citizens is secure.
Companies are required to report breaches within 72 hours. There are exceptions to this rule depending on certain contexts; but this is the default rule.
Roots of Issue in Pharmaceutical Industry
The pharmaceutical industry relies on clinical data that is often shared between a variety of organizations in an effort to produce new products. Patient data collected with a electronic case report form (eCRF) can be anonymized automatically at the point of collection. Data collected via this method is not the concern for the industry. Instead it is non-CRF data which includes specialized data that comes from specialists or laboratories. Clinical research value chains are often complex and involve several organizations that cross many countries. With ownership of data in the hands the everyday EU citizen there is some disruption that may happen when one decides to deny automated processing, restrict processing, erase or even deny use outright of their data. If one of the rights are enforce mid stream, it would require the coordination of hospitals, product developers, software vendors, and CROs, in order to handle the situation while remaining in compliance and minimizing disruption to operations.
Handling EU citizen data requests wouldn’t be a problem, but it’s mainly because the pharmaceutical industry is not even at the stage of collective discussion about the law. With implementation only 8 months away this is very troubling.
The GDPR also presents some regulatory conflicts for the pharmaceutical industry. Many federal regulations in several countries require clinical research organizations to keep data in the event of an audit trial. However, the GDPR permits EU citizens to the right to be forgotten which generates a serious regulatory conflict and a lose -lose scenario for organizations in the pharmaceutical industry. This also demonstrates the rift in thinking regarding data ownership. In the EU, the perspective is that the individual is the owner of their data; however, in countries like the United States companies have the stronger ownership case. This results in a conflict of policy development that will cause wider disruptions to clinical research value creation chains.
This is just the beginning for pharmaceutical companies, but there seems to be a lack of urgency to act on meeting the requirements for this policy. Part of it may be that the industry is underestimating how much coordination they will all require and that meeting compliance will require several companies working together. Until then, the fines may be the wake up call needed to get the industry into action.