The recent introduction of stringent data regulation and the hardening of attitudes to data privacy globally is having a significant impact on the pharmaceutical sector. Following the implementation of the General Data Protection Regulation (GDPR), which came into effect in the European Union (EU) on 25 May 2018, all organisations have to ensure they are fully compliant or risk large fines. For pharmaceutical companies, which typically hold large amounts of personal data, non-compliance also risks huge reputational damage, so implementing ‘best practice’ data protection systems is an imperative.
Until now, businesses have operated on an ‘implied’ consent model when it comes to data. The introduction of GDPR means that businesses now have to seek explicit consent, even for data they already hold. A further change under GDPR with a significant impact on the healthcare sector is data breach reporting. At a time when the sophistication and audacity of cyber-attacks is increasing, the new regulations require data breaches to be reported within 72 hours to both the regulator and to those affected by the breach. Considering the size and scale of the personal data held by pharmaceutical companies, from employee and consumer data to that of suppliers and clinical trial participants, the potential fallout from failing to comply with these regulations is substantial. The most serious cases of non-compliance will incur fines of up to 4% of annual global revenue or €20 million ($23.9 million), whichever is greater.
Recognising this, it is essential that pharmaceutical companies have robust plans in place to meet their GDPR obligations. This should include the development of Data Protection Impact Assessments (DPIAs), which provide a structured assessment of the risks involved and the protections in place. Pharma companies must comply with their data protection obligations and meet individuals’ expectations of privacy. This includes diligent management of suppliers through Data Processing Agreements (DPAs) that specify the procedures and controls in place. Effective DPIAs and DPAs enable organisations to provide the required governance, identify issues early and fix key issues in a timely manner.
Pharmaceutical companies should also be implementing fully compliant data management tools that support hosting in GxP cloud infrastructure and are designed with stringent restrictions on data access, a full record of data access in audit logs, regular data backups, off-site backup storage and full encryption of all data at rest and in transit. Security Information and Event Management (SIEM) solutions should also be implemented to enable organisations to monitor and respond to threats in real time.
To help pharmaceutical companies respond to GDPR and to data regulation more broadly, we have developed Reportum, a leading pharmacovigilance solution. Entirely cloud-based, Reportum is a fully secure, multi-platform safety data capture tool that enables the standardised capture of adverse event and complaint data at source. Reportum also provides the facility to include attachments (e.g. medical, pathology or radiology reports).
Reportum clients can be fully assured that the system is compliant with major data legislation and vastly limits the impact of a cyber-attack. Security and privacy are incorporated by design, with security patches applied continuously as new vulnerabilities are identified. Recognising the imperative of minimising the personal identifiers included in any data transfer, Reportum includes redaction as a core component. Services like Reportum add an extra layer of security while providing a platform that ensures clients’ data privacy practices are fully aligned with the regulations laid out by the EU and other jurisdictions.