Is your Company Ready for GDPR?

Stefanie Wichansky


Apr 3, 2018 12:16:00 PM


GDPR, or the General Data Protection Regulation, has become a critical priority for Pharmaceutical and Medical Device companies as the mandatory compliance deadline of May 25, 2018 is upon us. The GDPR entered into force in May 2016 with a two-year transition period and replaces the previous Data Protection Directive (95/46/EC), which dates back to 1995. The new regulation strengthens data protection and privacy for individuals, and its impact should not be underestimated. According to a recent report from Ovum, a global analyst firm, approximately two-thirds of businesses expect to change their global business strategy as a result of the new data privacy requirements. "Personal data" under the GDPR is broad and includes, for example, name, address, racial or ethnic origin, biometric data, health and genetic data, political opinions, sexual orientation, and online identifiers such as IP addresses and cookie IDs. The changes are very significant, and while many industries will be affected, the impact on Life Science companies will be particularly strong, primarily because of the large volume of sensitive health data handled in clinical trials. Here are 3 of the more noteworthy elements of the GDPR:


1) Expanded Geographic Scope - This is perhaps the most impactful change within the GDPR. Under the previous directive, companies located outside of the EU were generally not subject to the data protection requirements unless they used equipment within the EU to process personal data. Under Article 3 of the GDPR, the requirements also apply to organizations with no establishment in the EU whenever they process personal data of individuals who are in the EU, provided the processing relates to offering goods or services to those individuals (whether or not payment is required) or to monitoring their behavior within the EU. Consequently, many U.S. companies that were previously out of scope will now feel the brunt of this change. According to a PwC survey conducted in December 2016, almost 80% of U.S. companies surveyed anticipate spending at least $1 million to meet GDPR requirements, and approximately 10% project spending over $10 million.

2) New Consent Stipulations - Companies in the Life Science industry often rely on consent from individuals as the legal basis for collecting and using sensitive data. The GDPR requires that consent be freely given, specific, informed, and unambiguous, that requests for consent be written in plain and clear language, and that withdrawing consent be as easy as giving it. The days of long, complicated consent forms filled with "legalese" are over. Article 4 provides a new definition of "consent", and Article 7 places the burden on the organization to demonstrate that consent was actually given, that it was unambiguous, and that the request was clearly distinguishable from other matters (for example, not buried in general terms and conditions). Pre-ticked boxes, silence, or inactivity no longer count as consent. Many consent formats and wordings that were permissible in the past will no longer be accepted, so it is vital for organizations to diligently reassess their consent processes and language.


3) Stronger Data Subject Rights - The GDPR strengthens several data subject rights and related obligations, such as breach notification timelines, data access rights, and "data erasure". Specifically, where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, the organization must notify the competent supervisory authority within 72 hours of becoming aware of the breach (Article 33); where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay (Article 34). Further, individuals gain improved access: they can obtain confirmation as to whether their data is being processed and, if so, what data is held and how and why it is being used (Article 15). A copy of their personal data must be provided free of charge, and in a commonly used electronic format where the request was made electronically. Lastly, under the conditions described in Article 17 of the GDPR (the "right to erasure" or "right to be forgotten"), individuals can have their personal data erased and no longer processed or disseminated.

If companies have not yet commenced activities to address the GDPR, the time is now, with the deadline less than two months away. Companies need to identify the gaps and determine the action steps and resources needed to update processes and systems to achieve compliance. While three of the key provisions are covered above, there are many other important changes that need to be addressed in the near term. Data discovery (knowing what personal data you hold and where), privacy policies, information security enhancements, and third-party risk management represent some of the notable focus areas. The GDPR has also sharply increased the penalties for non-compliance: administrative fines can reach €20 million or 4% of an organization's worldwide annual turnover, whichever is higher (Article 83). The consequences of falling short can therefore be drastic, including fines, sanctions, legal action from data subjects, and reputational damage. The GDPR is dense and voluminous, and it will take substantial time, effort, and resources to get your arms around it and complete the activities necessary to ensure compliance.

Any Questions? We are here to help!
