Elizabeth Kilburn, associate at ProDPO discusses what pharmaceutical companies need to do to ensure they comply with data protection regulations.
Two years on from the introduction of the General Data Protection Regulation (GDPR), and the Information Commissioner Office (ICO) is continuing to fine companies who don’t adequately protect their data. Instances within the pharmaceutical industry include companies being fined for failing to secure the security of special category personal data, demonstrating that compliance is still essential.
Why pharmaceutical companies need to think about data protection?
All pharmaceutical companies hold personal data about individuals. It’s easily recognised that companies which deal with the public, engage in medical research or undertake clinical trials, will process greater amounts of personal data. However, companies which deal only with the non-public facing side of the industry also process personal data; such as those of their staff, costumes and suppliers, and need to ensure they’re compliant.
The processing of personal data is heavily regulated and, since the GDPR came into force, individuals have become more aware of their rights over their data. In addition, data protection regulators have become increasingly active, with the UK data protection authority, the ICO, being one of the most active regulators in Europe. Even without fines, there is a reputationally damaging element of a regulatory enforcement action which, in many respects, is unquantifiable from a costs’ perspective.
Establishing a lawful basis
Before companies process personal data, they must establish a lawful basis to undertake such processing. Pharma companies whose most significant processing activities relate to their staff will not usually have trouble in establishing a lawful basis. The processing is generally necessary for performing the employment contract with that staff member.
However, pharma companies which process special categories of data, through research and clinical trials etc., must establish a separate lawful basis to process this type of data.
The GDPR has established a number of lawful bases, however careful analysis must be undertaken to ensure the organisation is relying on the correct lawful basis. In addition, local legislation may need to be considered, whether this be local data protection law, such as the UK Data Protection Act 2018, or laws or regulations applicable only to the pharmaceutical industry.
Why is data protection especially significant for the pharmaceutical industry?
The pharmaceutical industry covers a myriad of different types of organisations which each have their own distinctive data protection considerations.
For example, companies undertaking medical research are a fundamental part of the pharmaceutical industry. Whilst medical research companies may be able to establish a lawful basis for processing health data, such companies should also consider whether they need to process identifiable data, or whether anonymous data can be used. The advantage of anonymised data is that, provided it is truly anonymous and does not directly or indirectly identify a living person, it will not be subject to the GDPR.
Conversely, companies undertaking clinical trials are, on the whole, not able to consider anonymising data. Such companies must consider the requirement for informed consent under the Clinical Trials Regulation (CTR) and how this interacts with consent under the GDPR. The European Data Protection Board (EDPB), the pan-European data protection advisory board, published an opinion which clarified that ‘informed consent’ under the CTR is different to ‘explicit consent’ under the GDPR. The EDPB went on to warn that relying on explicit consent to process health data for clinical trials may be difficult, due to the imbalance of power between the sponsor/investigator and the participants. Assessment of other available legal bases is therefore required.
Therefore, here are a number of issues which are key to ensuring compliance.
- The requirement to appoint a data protection officer. The GDPR requires companies which process large amounts of special categories of personal data to appoint a data protection officer. This can either mean recruiting a new employee, or appointing an outsourced data protection officer. The options will depend upon experience, levels of complexity or perceived risk and resource availability.
- How to respond and effectively deal with subject access requests. One effect of the GDPR has been to significantly increase individuals’ awareness of their rights over their personal data. Not only are these individuals increasingly utilising their rights, and in particular the right of access, but companies have been established to serve hundreds, if not thousands, of subject access requests on controllers. Pharmaceutical companies need processes that allow these requests to be dealt with in an efficient way.
- Ensuring contracts with service providers have sufficient protections in place to protect personal data processed, particularly where any special category data is processed on behalf of the pharma company. The GDPR requires controllers to implement a written contract with their processors. These cannot be contested by processors, however apportioning liability for risks involved with data processing is heavily argued, with many controllers seeking uncapped indemnities for data protection breaches.
- To the extent pharma companies process special categories of personal data, the risk of suffering a data breach becomes more significant. Companies need to ensure they have stress-tested their processes to identify any weaknesses and be able to react to a data breach immediately.
- Data transfers. Operators in the pharma industry are often multinational companies with a presence in a number of jurisdictions. This means that personal data is often transferred around the world, which adds an extra layer of complexity to data protection considerations. This issue is likely to only become more complex with the Brexit transitional period coming to an end at the end of this year.
Whilst many pharma companies completed their ‘GDPR-readiness’ projects two years ago, it is clear that the pharmaceutical industry has its own unique complexities which mean data protection considerations may not have been fully tackled yet. In addition, the GDPR requires constant evaluation and monitoring of personal data processing activities, and therefore no company can ever really say it is ‘100% compliant’. It is imperative that organisations document their steps and decisions made with respect to personal data, to evidence the fact that data protection compliance is an ongoing, important consideration.