With $477 million in fines levied in 2019 for violating GDPR regulations, it’s clear that medical device manufacturers and other life sciences companies must implement and maintain a sustainable compliance program.
In 2018, the European Union (EU) enacted General Data Protection Regulation (GDPR), arguably the strongest data protection regulation in the world. Now we’re beginning to see the impact — in 2019, the EU charged companies more than $477 million in fines for violating GDPR regulations.
While this regulation may seem to focus only on Europe and its citizens, the overall outreach and impact of this legislation is felt throughout the world, especially for organizations that offer goods and services in Europe regardless of nationality or country of origin. Companies that infringe on GDPR rights may owe compensation to data subjects for material or non-material damage as a result of a GDPR infringement, in addition to the administrative fines.
Compliance strategy is critical
For pharmaceutical and medical device manufacturers that operate in Europe, it’s imperative to implement and maintain a sustainable GDPR program. Ideally, you’ve already begun the process, as it has immense scope and may take several years to complete, depending on your company’s existing processes for handling personal information.
To be successful, you should build your compliance framework around data subjects’ rights as they are outlined in the GDPR mandate, especially as they relate to the collection of data and the implementation of data collection processes. The data controller and data processor have crucial responsibilities and obligations in the context of the new regulation. Be clear on your practices for data protection, which pertains to protecting data against unauthorized access (i.e. technology), whereas data privacy pertains to the legal domain, which would be GDPR or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, for instance.
Risk assessment, quality assurance and auditing will play an important role in the set-up and ongoing implementation of your privacy and data protection programs. Remember that GDPR is a shared responsibility across the organization, so make sure that you:
Know the terminology
It is important to understand some of the key terms and concepts used in the legislation:
Personal data is a broad term for information related to an individual, or “data subject,” that can be used to directly or indirectly identify the person. Examples include a person's name, address or financial information. Related: PI = personal information; PII = personally identifiable information.
Biometric data is personal data resulting from specific technical processing relating to a person’s physical, physiological or behavioral characteristics, which allow or confirm the unique identification of that person, such as facial images or fingerprint data.
Data controller is a legal entity that determines solely or jointly with others the purpose for which any personal data is to be processed and the way in which it is to be processed.
Data processor is a third party with specific responsibilities as defined by the GDPR. They process data on behalf of the data controller and include IT service providers and other types of vendors that process data.
Data processing is an automated or manual action performed on personal data, such as collection, organization or recording. For processing of personal data to be lawful under the GDPR, businesses must identify a lawful basis for this action.
Consent is a concept that is fundamental to EU data protection law. In general, this means informing a data subject and obtaining permission from the data subject for the collection and processing of personal data.
Data protection authority (DPA) is a national authority in each country that is responsible for the protection of data and privacy as well as implementing and enforcing data protection law. France has the Commission Nationale de l'Informatique et des Libertés (CNIL) and Germany has the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfD), for instance.
Data protection officer (DPO) is someone given formal responsibility for data protection compliance within a business. The primary role of the DPO is to ensure that his/her organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. Some, but not all organizations are required to appoint a DPO.
Binding corporate rules (BCRs) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member of the group.
Cross-border processing is the processing of personal data when the controller or processor is established in more than one member state, and the data processing takes place in more than one member state, or processing activities that take place in a single establishment in the EU, but that affects data subjects from more than one member state.
Record of processing activities (RoPA) is an obligation to maintain written documentation and an overview of the procedures by which personal data are processed and used. Records of processing activities must include significant information about data processing, including data categories, the group of data subjects, the purpose of the processing and the data recipients. This must be made available to authorities upon request.
Data protection impact assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information. The DPIA, a new GDPR requirement as part of the “protection by design” principle, is required for the following:
Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the case of a personal data breach, the organization must report the personal data breach to the supervisory authority unless the personal data breach is unlikely to result in a risk to people’s rights and freedoms. When the notification to the supervisory authority is not made within 72 hours, it must be accompanied by an explanation for the delay.
Understanding the rights of individuals
The eight rights consumers have relating to their personal data are viewed by many as one of the key objectives of the new regulations. The data subject, through these rights, can make a specific request and be assured that their personal data is not being unduly collected, shared and/or misused for anything other than the legitimate purpose for which it was originally provided. The rights are listed below:
1. Right to be informed specifies that companies and organizations need to inform individuals what data is being collected, how it is being used, how long it will be kept and whether it will be shared with any other parties. This information must be communicated concisely, using plain language and prior to collecting data.
2. Right of access says that individuals can submit subject access requests, which obligates organizations to provide a copy of any personal data they hold concerning that individual. This right provides the data subject with the ability to get access to his or her personal data that is being processed, including obtaining copies. Companies may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
3. Right to rectification allows the data subject to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.
4. Right to be forgotten is also known as “right to erasure,” allowing the data subject to ask for the deletion (erasure) of their data. It is important to note that this is not an absolute right. There are other dependencies that may be involved such as the company’s retention schedule/period and requirements from other applicable laws and regulations.
5. Right to restrict processing means that data subjects can request that the organization limit the way it uses his/her personal data (this may serve as an alternative to requesting the erasure of data, and might be used when an individual contests the accuracy of their personal data or when they no longer need the information but the company requires it to establish, exercise or defend a legal claim).
6. Right to data portability ensures the data subject has the ability to ask for transfer of his or her personal data. As part of such request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another data controller. The data transfer shall be provided in a commonly used electronic format.
7. Right to object says that the data subject has the right to object, at any time, to the processing of personal data that is collected on the grounds of legitimate interests or the performance of a task in the public interest or in the exercise of official authority. The data controller can no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
8. Rights in relation to automated decision making and profiling offer provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. Data subjects have the ability to object to a decision based on automated processing. As an example, using this right, a customer may ask for his or her request to be reviewed manually if he/she feels that there are extenuating circumstances that may require human intervention in the decision-making process.
Almost every aspect of consumer life revolves around data, including smartphones, credit and debit cards, digital identity, social media and government identification; essentially every good and service used involves the collection and analysis of personal data.
Digital data is the future and with the volume of data being collected and stored, data breaches become inevitable. GDPR is designed to reflect the world we are living in now.
We need to incorporate laws on personal data, privacy and consent into the present and plan for the future. After all, technological innovation is not static, which is evident from the growing data protection industry. As an example, in the United States, 14 states have pending bills to strengthen privacy protection for their residents, and we should expect this trend to continue globally. Companies must plan for it in order to remain resilient in business.
Want to know more about GDPR adherence? Contact EASi now.