The European General Data Protection Regulation (GDPR). This 200-page decree guides organizations through the responsible and transparent acquisition and handling of consumer data, and grants those consumers more control over how their information is shared and used. Since its recent implementation, the GDPR has garnered both champions and opponents. Those in favor declare that the legislation goes the necessary distance to guard consumers’ privacy and personal information in this all-digital world. The opposition, conversely, cites harsh parameters and exorbitant penalties for jeopardizing EU citizens’ data, such as the fine of four percent of annual global revenue. But can we truly deem the GDPR too restrictive, when new cyber breach stories are rarely missing from the headlines?
Pharma continues to reign as one of cyber criminals’ top-three targets, and number one for the theft of intellectual property (IP). And every year overall cyber attacks increase globally. In the first quarter of 2018, 210 million attacks were detected, an increase of 62% over the previous year [1]. To that we add pharma and the healthcare industry’s uniquely profound responsibilities: protecting patient data and, therein, perhaps even patients’ lives if that data falls into malicious hands.
Expanded clinical trials, combined with the advent of online medical record portals, WiFi-based medical devices and health monitors, and wearables, have bestowed upon pharma the ability to harvest copious amounts of data. Today they wield this information throughout their entire business ecosystem, from marketing to product development to critical organizational decisions. With such significant threats to such vast volumes of data, GDPR compliance seems quite an appropriate, if not imperative, undertaking. But how has GDPR compliance affected pharma?
Pharma on GDPR
- Data Regulated Under GDPR:
- Data Concerning Health: personal data related to the physical or mental health of an individual
- Genetic Data: personal data relating to inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person
- Biometric Data: physical, physiological, or behavioral characteristics of a person which allow or confirm the unique identification of that person, such as facial images or fingerprint data
- Sensitive Personal Data: includes the three types of data listed above; processing of this data is prohibited unless specific conditions defined in Article 9(2) of the GDPR apply [2]
- What GDPR Prohibits
GDPR forbids a patient’s data from being processed to expose a person’s race, ethnicity, sex life, or sexual orientation. It also prohibits the use of genetic or biometric data to reveal a patient’s identity. The GDPR uses a term to address this: “pseudonymization.” Pseudonymization is defined as “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
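The definition above hinges on separating the data from the “additional information” needed to re-identify a person. The following is an added illustration, not code from the original article or from any regulator: it replaces a direct patient identifier with a keyed pseudonym and keeps the re-identification table apart from the records. The record fields and the patient IDs are constructed sample values, and `pseudonymize`, `reidentify` and `new_key` are hypothetical helper names.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the IDs and values are not real patients.
RECORDS = [
    {"patient_id": "P-1001", "hba1c": 7.2, "diagnosis": "T2DM"},
    {"patient_id": "P-1002", "hba1c": 5.4, "diagnosis": "none"},
]


def new_key() -> bytes:
    """Generate the secret that turns an ID into a pseudonym.
    This key, and the lookup table below, are the 'additional
    information' in the GDPR definition: keep them outside the
    research dataset, under their own access controls."""
    return secrets.token_bytes(32)


def pseudonymize(records, key: bytes):
    """Return (pseudonymized records, re-identification table).

    A keyed HMAC is used instead of a plain hash because patient IDs
    have low entropy: an unkeyed SHA-256 of 'P-1001' could be recovered
    by enumerating the ID space. Without the key, the token alone
    cannot be attributed to a data subject."""
    out, lookup = [], {}
    for rec in records:
        pid = rec["patient_id"]
        token = hmac.new(key, pid.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = pid
        # Copy every field except the direct identifier.
        out.append({"pseudonym": token,
                    **{k: v for k, v in rec.items() if k != "patient_id"}})
    return out, lookup


def reidentify(token: str, lookup: dict):
    """Resolve a pseudonym back to the patient ID, or None if the
    caller does not hold the table (i.e. cannot attribute the data)."""
    return lookup.get(token)


if __name__ == "__main__":
    key = new_key()
    data, table = pseudonymize(RECORDS, key)
    print(data)                                   # no patient_id present
    print(reidentify(data[0]["pseudonym"], table))  # P-1001, with the table
```

Note that the remaining fields (here a lab value and a diagnosis) can still act as quasi-identifiers when combined with other data, so pseudonymized data remains personal data under the GDPR rather than anonymous data.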
- Exemptions to the Restrictions
The GDPR allows for extenuating circumstances where it is necessary to process certain data. If the conditions within Article 9(2) are met, the data may be processed, for example where:
- the “explicit consent” was acquired from the data subject
- "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services [...]"
- "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices [...]"
- Change to Acceptable Consent
No longer will silence, inactivity, or pre-selected boxes be acceptable as assumed consent. Though there is no specific definition of “explicit consent” within the GDPR, it is suggested that consent should be obtained by separate, deliberate actions that distinctly express the organization’s intended use. Additionally, consent must be acquired for each individual circumstance, procedure, and/or interaction, and it must be easily withdrawn upon patient request.
- Usage Legitimacy
Under the GDPR, pharma companies will no longer be able to gather and harvest patient data “in hopes” of eventual use. They must clearly declare specific reasons for obtaining and holding individuals’ data. An organization will not be able to retain data indefinitely that it cannot prove to be relevant to its current business, though there are margins where retention is admissible with consent or a proven legal or public interest.
- Exception to Erasure
The right to be forgotten, that is, to have one’s information erased, was a new introduction with the GDPR. However, in the case of clinical trials, data that has already been collected, is in use, and is perhaps needed to further conduct research relating to the trial may not be covered under the erasure mandate. But such an exception must be clearly stated within the original consent.
Privacy and patient data protection must become a mandatory part of pharma’s business model. For those who have practiced diligence in data security, the step up to GDPR compliance was small. But those who operated with greater leeway may still be working to reach GDPR heights of privacy and protection. It must be achieved: their patients depend on it, and their patients are their business.
1. ThreatMetrix Cybercrime Report, Q1 2018, ThreatMetrix, 2018
2. GDPR Industry Focus: Impact of GDPR on Healthcare, Pharma, and PHI, LogicGate, 2018
Written by Angie Longacre
As a writer for Assurance Software, Angie devotes her craft to promoting business continuity and disaster recovery awareness, and trumpeting Assurance Software’s invaluable benefits for both. When she’s not commanding the keyboard, you can find her outside for a run, searching for her next antique treasure, or lost in a good book.