In just under five months, the European Union’s data protection laws will undergo their most dramatic changes in twenty years. The new General Data Protection Regulation (GDPR) aims to give control back to EU citizens and residents, and sets out to reshape how businesses process and handle personal data. Complying with these new regulations by the May 2018 deadline couldn’t be more important for the life science sector, where the processing of huge amounts of personal data will make companies vulnerable to non-compliance penalties of up to €20 million, or four per cent of annual worldwide turnover (whichever is higher).
But GDPR has been dubbed “the big elephant in the boardroom,” with many life science organisations still uncertain about what the changes mean for them, or even how to ensure compliance. To get you up to speed, we’ve put together an overview below, including some key resources and steps you can take to ensure you’re compliant well before the deadline hits.
What is the General Data Protection Regulation (GDPR)?
GDPR is the EU’s new framework for data protection rules, which will replace the previous 1995 Data Protection Directive (95/46/EC). Having been mutually agreed upon by the European Parliament, the Council of the European Union, and the European Commission back in April 2016, it is due to be enforced on 25th May 2018. After this date, serious breaches to the regulations will bring significant financial penalties.
According to the EU’s GDPR Portal, which features a handy clock counting down to the impending deadline, the new regulations are “designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy”.
GDPR applies to both automated- and manually-filed personal data, which is defined as any information relating to an identifiable person, including sensitive personal data such as genetic and biometric data—which many life science companies commonly handle and process.
GDPR mostly concerns those personnel responsible for data protection and processing management. This includes setting out clearer responsibilities and obligations on data controllers (those in charge of how and why personal data is processed) and data processors (those acting on behalf of the controller to process the data). For example, in clinical trials, the data controller will be the company sponsoring the trials.
What are the key changes to EU data protection laws?
Once GDPR is enforced, the EU data protection rules are going to change quite dramatically. Here’s a list of the main changes you can expect:
- Wider scope: The new data protection laws will not only apply to personal data processing by EU organisations, but also to non-EU organisations that offer goods or services to individuals within the EU, or that monitor the online behaviour of people living in the EU.
- Data breach reporting: Any data breaches are expected to be reported to the relevant authorities without delay, ideally within 72 hours. Breaches must also be reported to the affected individual under situations that risk impairing their rights and freedoms.
- Transparency in accountability and governance: This means demonstrating that your organisation is GDPR-compliant by building data protection into your organisational governance. Examples include keeping a record of your data processing activities (as processors can now be held accountable for any security breaches), ensuring strict agreements between data controllers and processors, and carrying out data protection impact assessments.
- Lawful basis and enhanced rights: Companies will need to declare upfront the lawful basis for data processing, and will need to comply with the enhanced rights of the individuals from whom they collect data, including the right to restrict, right to erasure, and right to object (among others). However, most of these rights are subject to conditions and exceptions rather than applying in every case.
- Derogations: EU member states will have the chance to apply for derogations (exemptions) to GDPR under certain circumstances, usually to safeguard the individual’s rights and freedoms and for the wider public interest. For example, organisations that are processing personal data for research purposes, such as during clinical trials, may be allowed to be exempt from obtaining the data subject’s consent and may be able to transfer personal data to third parties.
Top tips on ensuring compliance with GDPR
Ahead of these changes, all EU organisations in the life science sector (as well as non-EU life science organisations that have business links to the EU) will need to ensure their compliance to GDPR. This will include assessing and potentially updating the way your company handles and processes personal data.
Here at BioStrata, we’ve been doing our homework to ensure we’ll be compliant. You can read below some of the top tips we’ve found, which may help you prepare between now and May 2018.
1. Get informed: Make sure senior management and key decision makers in all of your organisation’s departments are aware of GDPR and its impending impact on data processing and management. This includes PR and marketing—so you can be protected against any reputational damage should data breaches occur. Reading this blog is a good start!
2. Perform a data audit: Go back to basics and find out exactly how your company handles personal data and manages customer relationships, including uncovering where the data comes from (events, business cards, through your website etc.) and who you share it with (e.g. any non-EU countries).
3. Complete a policy review: Assess your company’s current data protection policies and procedures, and then plan any changes you’ll need to make to ensure compliance, including guaranteeing you are covering individuals’ enhanced rights. Also, remember to review all data controller and data processor contracts to ensure that the appropriate obligations are placed on each party.
5. Get consent: Reviewing how you seek, record, and manage consent will help you spot any changes you will need to make to meet GDPR standards. As GDPR seeks to empower individuals to protect their personal data, you must remember to request time-stamped consent at the point of data collection. This can be as simple as an opt-in statement that the individual ticks when giving you their data.
6. Update security measures: To avoid any data breaches, make sure you are using suitable technical and organisational security measures. For example, 'pseudonymising' personal data by encryption could help you enhance your security measures. Prepare for any data breach procedures so you can notify the relevant authorities without undue delay.
7. Demonstrate accountability: Conduct a privacy impact assessment and update your record-keeping procedures. Appoint a Data Protection Officer (DPO) to benefit from their expert knowledge of GDPR and to maintain compliance. You could reduce costs by appointing an external DPO. However, remember that the DPO must work independently from your company’s data processing activities, and report directly to senior management.
8. Identify and review international data transfers: Check whether any non-EU countries you are transferring data to have an adequate level of data protection, and ensure you are using approved cross-border transfer codes of conduct and certification mechanisms, such as Binding Corporate Rules.
9. Update legacy data stored in your CRM: The Information Commissioner’s Office (ICO) has stated that there will not be a grace period when it comes to GDPR. Therefore, the biggest task many life science companies will face is determining whether contacts in their CRM provided consent, and whether consent was ‘freely given, specific, informed and unambiguous’. This means that you will need to prove that individuals in your CRM actively opted in to be there, and it was clear and concise what they were opting into. Remember, you also need to provide contacts with the opportunity to opt out.
10. Determine what is and what isn’t acceptable: If you have been vague about what individuals were consenting to when they first contacted your company (or worse, they didn’t provide consent when you collected their data), then these contacts may not be valid under GDPR. Consent cannot be a pre-condition, and therefore pre-ticked boxes will be a no-go under the new regulations. If you have used them in the past, then consent given at the time of data collection is no longer valid and you will need to ask permission from these individuals in order to keep contacting them.
11. Be ready to provide evidence for consent: If you are audited (which could happen if someone reports your organisation) you will need to be able to demonstrate how consent was gained. Under GDPR, you will need to show how a contact record was created, what information you provided to that person to tell them how their data will be stored and used, who the data controller was at the point of data collection, and the date and time that the record was created. If you cannot provide evidence for all of these points, you may not be compliant.
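Tips 5, 6 and 9 to 11 above describe one mechanism from several angles: a consent record that is time-stamped at collection, names the controller and the notice the person saw, rejects pre-ticked boxes, records opt-outs, and can be handed to an auditor; plus pseudonymisation of the identifiers the record refers to. The following is an added illustration of how a CRM integration might implement that, written for this page rather than taken from BioStrata or any product. Everything in it is an assumption: the field names, the in-memory store, the constructed `LEGACY_CRM` rows, and the constructed `PSEUDONYM_KEY` (a real deployment would keep the key in a KMS or HSM, apart from the pseudonymised records, and persist the records durably).

```python
"""Consent evidence and pseudonymisation helpers (added example, in-memory only)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed key for this example only. Keep a real key in a KMS/HSM, separate
# from the CRM table, so the table alone cannot be re-identified.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace a direct identifier (e-mail, name) with a keyed SHA-256 pseudonym."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def consent_defect(controller: str, purpose: str, notice_version: str,
                   ticked: bool, pre_ticked: bool) -> Optional[str]:
    """Why an opt-in fails the 'freely given, specific, informed and unambiguous'
    test, or None if it passes. Order matters: a pre-ticked box fails even if ticked."""
    if pre_ticked:
        return "pre-ticked box: consent must be an affirmative act"
    if not ticked:
        return "box left unticked: no consent given"
    if not purpose.strip() or not notice_version.strip():
        return "purpose or notice missing: consent must be specific and informed"
    if not controller.strip():
        return "data controller not recorded at point of collection"
    return None


class ConsentError(ValueError):
    """Raised when no consent record may be created."""


@dataclass(frozen=True)
class ConsentRecord:
    subject: str                 # pseudonym, never the raw identifier
    controller: str              # who the data controller was at collection
    purpose: str                 # what the person was told the data is for
    notice_version: str          # privacy notice they were shown
    source: str                  # website form, event sign-up, business card ...
    collected_at: str            # ISO-8601 UTC timestamp of the opt-in
    withdrawn_at: Optional[str] = None


def _utc(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()


def record_consent(identifier: str, controller: str, purpose: str, notice_version: str,
                   source: str, *, ticked: bool, pre_ticked: bool,
                   now: Optional[datetime] = None) -> ConsentRecord:
    """Create the time-stamped evidence record for one opt-in, or refuse."""
    defect = consent_defect(controller, purpose, notice_version, ticked, pre_ticked)
    if defect:
        raise ConsentError(defect)
    return ConsentRecord(pseudonymise(identifier), controller, purpose,
                         notice_version, source, _utc(now))


def withdraw(record: ConsentRecord, now: Optional[datetime] = None) -> ConsentRecord:
    """Honour an opt-out: keep the original evidence and add the withdrawal time."""
    return ConsentRecord(**{**asdict(record), "withdrawn_at": _utc(now)})


def may_contact(record: ConsentRecord) -> bool:
    return record.withdrawn_at is None


def evidence(record: ConsentRecord) -> str:
    """What an auditor asks for: how, when and by whom the record was created."""
    return json.dumps(asdict(record), sort_keys=True)


def triage_legacy_crm(rows):
    """Apply the same test to legacy CRM rows; returns (valid, needs_reconsent)."""
    valid, reconsent = [], []
    for row in rows:
        try:
            if not row.get("collected_at"):
                raise ConsentError("no collection timestamp on record")
            valid.append(record_consent(
                row["email"], row["controller"], row["purpose"], row["notice_version"],
                row["source"], ticked=row["ticked"], pre_ticked=row["pre_ticked"],
                now=datetime.fromisoformat(row["collected_at"])))
        except ConsentError as why:
            reconsent.append((pseudonymise(row["email"]), str(why)))
    return valid, reconsent


# Constructed sample rows standing in for a legacy CRM export (hypothetical people).
LEGACY_CRM = [
    {"email": "a.smith@example.org", "controller": "Example Pharma Ltd", "purpose": "newsletter",
     "notice_version": "v1", "source": "website form", "ticked": True, "pre_ticked": False,
     "collected_at": "2017-03-01T10:00:00+00:00"},
    {"email": "b.jones@example.org", "controller": "Example Pharma Ltd", "purpose": "newsletter",
     "notice_version": "v1", "source": "website form", "ticked": True, "pre_ticked": True,
     "collected_at": "2017-03-02T10:00:00+00:00"},
    {"email": "c.lee@example.org", "controller": "", "purpose": "", "notice_version": "",
     "source": "business card", "ticked": False, "pre_ticked": False, "collected_at": None},
]

if __name__ == "__main__":
    ok, redo = triage_legacy_crm(LEGACY_CRM)
    print(f"{len(ok)} valid, {len(redo)} need re-consent")
    for pseud, why in redo:
        print(f"  {pseud[:12]}...: {why}")
    print(evidence(withdraw(ok[0])))
```

Two design points are worth noting. The record never stores the raw e-mail address, only its HMAC pseudonym, so the consent ledger can be shared with auditors or analysts without itself becoming a second copy of the contact list; re-linking requires the separately held key. And `consent_defect` is the same function for new sign-ups and for the legacy triage, so a contact from a pre-ticked form in 2017 is rejected for exactly the reason tip 10 gives, and the returned reason tells the marketing team what to ask for when they re-seek permission.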
12. Assess whether you have legitimate interest: Legitimate interest (LI) is the grey area underpinning many of the rules associated with GDPR. The ICO has provided a handy guide on LI, but essentially consent is only one of the legal grounds for processing under GDPR. It may be that some of your legacy data can be considered under LI and is therefore acceptable for use, but this approach needs careful consideration and should not be viewed as an alternative to consent.
The life science sector is a data-rich world that will be greatly impacted by GDPR. With the enforcement deadline fast approaching, we are taking steps to ensure that we will be compliant. Understanding GDPR—and assessing and updating your company’s policies and procedures—will not only help you avoid potentially astronomical fines, but will also protect your brand’s reputation.
If you want to find out more about GDPR, its impact on the life science sector, and how to ensure compliance by the deadline, why not get in touch with us today for some key industry insights?
Disclaimer: This blog post is not legal advice for your company to use in complying with EU data privacy laws like GDPR. Instead, it provides background information to help you better understand GDPR. This legal information is not the same as legal advice, where a solicitor applies the law to your specific circumstances, so we insist that you consult a solicitor if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.