With the beginning of summer next year, not only temperatures will rise, but possibly also temperaments, as the European Union’s new data protection law takes effect. The highly tightened measures to protect personal data will mean that companies worldwide have a lot of adjusting to do.
Like most new regulations, the General Data Protection Regulation (GDPR) requires preparation, especially in light of the extensive penalties for those who do not manage their privacy compliance properly. Additionally, non-compliance and problems with data protection severely increase the risk of tainting a company’s image.
As a result, those companies who prepare early and adjust their data protection regulations according to GDPR standards, will not only maintain their image, but in the long run will also dominate the market.
How is the life sciences sector impacted?
Of all industries, the GDPR will impact the life sciences especially hard. Why? Most companies in the life sciences industry, including biotech, pharma, medtech, CROs and suppliers, handle patient information such as health and genetic data, which is considered highly sensitive. The GDPR states that the collection of data from and for clinical trials, for instance, presents an increased risk to the freedoms and rights of natural persons.
What’s more is that the impact of the GDPR is transverse, meaning that it will influence many sectors in the life sciences from R&D (with clinical trials) to marketing, human resources and production. And not only will patient data have to be protected differently, the personal data of a company’s employees are also subjected to the GDPR.
What to consider in wake of the GDPR
Now you may be wondering whether your company will be affected. “Well, if you are a company handling personal data then there are a few points to consider,” explains Gautier Sobczak, Co-Founder and Head of Business Development at MyData-TRUST.
“Firstly, if your company employs over 250 people then you have to comply with the GDPR. Although a smaller company may be regarded as less of a risk to its clients, the collected data still has to be handled with utmost care, especially if the data processing activities are likely to result in a high risk to the rights and freedoms of the data subjects.”
Secondly, Gautier points out that technologies which are used to manage and store personal data are defined as risky, because the processing of data can be subject to cyberattacks. Here, cybersecurity has to be a top priority for companies.
But what do you have to know and how should you act as a business in wake of the looming changes in data privacy law? MyData-TRUST is a company that focuses on answering these questions and helps others to find their way through the labyrinth of new rules and regulations.
Following the top-list-of-actions
MyData-TRUST has created a top-list-of-actions as a preparation for companies confronted with the GDPR. Here they are:
Firstly, when preparing for the GDPR a company should work hard on improving communication about its data collection process. Secondly, new tools and processes have to be implemented, which will allow subjects to exercise their rights. And lastly, a company should gain a better understanding of its data processing activities. This can be achieved by creating and maintaining a data processing register.
The new regulations give more rights to data subjects, which is basically every person whose personal data has been collected. “Every employee, every patient now potentially has the right to access and collect their data,” explains Xavier Gobert, co-founder and Executive Director of MyData-TRUST. “Companies now have to record data processing activities, increase protection and nominate data protection officers.”
The independent data protection officer (DPO) is thought to become a nominated point of contact between a company and the EU’s data protection authorities. Companies will have to ‘make room’ for this newly appointed employee, who will be a company’s representative of GDPR compliance, and will oversee the collection and handling of personal data.
“A DPO should have extensive knowledge of the GDPR’s legal processes, but he must also understand the procedures of information processing and the nature of the data,” explains Xavier.
“The DPO must have a clear overview of IT systems and infrastructure, as well as being able to communicate data protection issues to the top management and explain the GDPR background to companies’ teams. It’s a completely new role with a unique mix of skills and knowledge.”
So many rights
Implementing novel processes and tools to allow subjects to exercise their rights, is an important part of the GDPR. In complicated law-language the rights in question are called the right of access and the right of portability. While the first right enables individuals to access their data and decide upon how it is processed, the latter allows subjects to obtain a copy of their personal data.
“It is extremely important to keep data privacy in mind from the beginning of each process,” Gautier explains. “GDPR compliancy is not only expected from a company in May 2018, but data protection regulations should be put into place and stay active from that point onwards.”
What is the difference between pseudonymized and anonymized data?
This comment takes us to the third point on My-Data Trust’s top-list-of-actions: having a better control and understanding of data processing activities. For instance, did you know that there is a difference between pseudonymized and anonymized data?
No? Well, for the GDPR it’s extremely important. “Many companies think that their data is anonymized, but in reality it’s pseudonymized,” clarifies Xavier.
Pseudonymized data is, for example, a name that has been replaced with a label. However, many studies show that only 8 parameters, including a person’s sex, location, age, or medical history are enough to identify a subject to 99%.
The GDPR, therefore, requires personal data to be anonymized instead. Here, one pseudonym is given to not only one person, but to a group of patients making the identification of an individual impossible.
Making things even more complicated
To add to the complexity of the new regulations, companies must still comply with their current local data protection laws, as well as prepare for GDPR compliancy. “In future, data privacy will be a part of any data processing activities from the beginning with the concept of ‘privacy by design and by default’,” concludes Gautier.
He tells us that the majority of companies have no understanding of the GDPR and the urgency with which the new regulations should be implemented. Although EU authorities will probably allow a short lenience period, companies should take the new data protection law lightly, especially considering the looming penalties imposed on non-compliant businesses.
Fines can reach up to €20 million or 4% of a company’s global revenues. A horrendous amount of money, which basically forces businesses to comply to the EU’s GDPR. In May 2018, companies will have to be able to show authorities that actions have been taken to change existing data protection regulations and adjust them to the GDPR.
Finding the right advisor
With time being extremely short and these enormous fines breathing down companies’ necks, there is only one way to reach GDPR compliancy: On the fast track, with an experienced advisor at the company’s side. An advisor, moreover, who can direct a company through all legal and business aspects of GDPR compliancy.
MyData-TRUST is one such advisor. It is unique in combining the knowledge of the GDPR with life sciences expertise. Its team includes experts with IT, business, legal and life sciences (such as clinical trials and production) backgrounds, and provides solutions and services to help companies to gain a foothold in wake of the GDPR.
MyData-TRUST organizes on-site workshops and seminars to train a company’s employees on the new data protection regulations. They also do external analyses of a company’s data processing activities. The team searches for gaps and problems in existing processes and tests the cybersecurity of their clients’ systems.
“However complicated the GDPR may seem, its rules and regulations are good practice for data protection,” says Xavier. “Also, try to consider that the GDPR can be positive for your business. The GDPR will help organizations to create and maintain data hygiene. In future compliant businesses will dominate the market.”
Are you insecure about the EU’s new data protection regulations? Visit MyData-TRUST and learn how to become GDPR compliant!
Images via kb-photodesign, Hadrian, Khakimullin Aleksandr, StunningArt, suns07butterfly, vs148, Kris Tan, Nata-Lia, Photon photo, jijomathaidesigners/Shutterstock