The General Data Protection Regulation (GDPR) came into effect on May 25, 2018. Its objectives are to reshape the relationship between organizations and individuals, to reform the approach businesses take to handling personal data, and to rehabilitate (sanction) organizations that fail to comply.
The run-up to May 25, 2018, may be neatly summarized as a period of sheer panic as companies realized the mountain they needed to climb towards compliance. As we pass the six-month anniversary of the GDPR effective date, the number of organizations that boast 100% GDPR compliance has certainly increased (along with the number of self-granted “GDPR compliant” website banners). However, the reality is that life sciences organizations are still grappling with the implementation of the policy and procedure changes made necessary by the GDPR.
Key observations since the GDPR effective date
Attitude and understanding. The life sciences sector is no stranger to complex regulatory frameworks. Therefore, those operating in the sector should – in theory – have been better equipped than most with the tools to adopt and implement the GDPR. The sector already has a strong, ingrained culture of evidencing compliance with data privacy requirements, and a familiarity with concepts such as a high threshold for consent. Even at the start-up stage, and particularly in the expanding area of digital health, there is a willingness to invest scarce resources in data protection compliance and an awareness of the importance of building privacy into every aspect of the business (privacy by design).
The attitude towards the GDPR from life sciences organizations is seemingly positive in the main, and overall awareness levels are high. However, the level of understanding of exactly how the GDPR will impact activity within the life sciences sector still varies considerably, particularly within life sciences organizations that operate in the EU but are headquartered overseas.
Where a company processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behavior of individuals in the EU, it will need to comply with the GDPR. Awareness and knowledge are still lacking in terms of what is required of non-EU organizations caught by this extra-territorial scope of the GDPR. The US Secretary of Commerce has voiced concerns about the uncertainty around the GDPR, stating: “GDPR creates serious, unclear legal obligations for both private and public sector entities, including the US government. We do not have a clear understanding of what is required to comply. That could disrupt transatlantic co-operation on financial regulation, medical research, emergency management coordination, and important commerce.”
A key contributor to this uncertainty in the life sciences sector is the failure of the GDPR to fulfill one of its main objectives: harmonizing data protection regulation across all Member States. The GDPR provides a fair degree of autonomy for each Member State to implement derogations or exemptions in respect of “scientific research purposes” (a term which, notably, is undefined in the GDPR). For example, Member States can derogate from the GDPR position in respect of a data subject’s rights to access, rectify or restrict processing of their personal data, to the extent that those rights are likely to render impossible or seriously impair the achievement of the specific research purpose, and such derogations are necessary for the fulfillment of those purposes.
As such, life sciences organizations still need to look closely at a Member State level for further guidance, such as the French Data Protection Authority’s publication of guidelines on methodology for clinical trials issued in July 2018. This not only makes the GDPR more cumbersome for life sciences organizations to navigate but also makes measuring compliance more difficult.
Implementation phase. The starting point for every life sciences organization when preparing for the arrival of the GDPR was (or should have been) to carry out detailed data audits to understand the data flows within the organization and the purposes of that processing. This process generated a great deal of documentation (privacy notices, impact assessments, data matrices, etc.), courtesy of the fairly prescriptive information and internal record-keeping requirements of the GDPR.
Most life sciences companies are now (or should be) well into the implementation and tweaking phase. Without doubt, there are some areas where what is required in theory does not sit comfortably with the effort required in practice to achieve it. There is a clear pattern of areas that appear to be weak spots for all organizations, most notably:
• implementing clear, coherent and manageable data retention policies;
• implementing procedures to deal with data breaches and notifying the ICO within the mandatory 72 hours;
• implementing lawful (and certain) mechanisms for international transfers of personal data; and
• automating procedures to handle data subject requests (which currently requires a disproportionate amount of manual effort).
Governance and privacy champions
Governance is a key tenet of the GDPR and, for most life sciences companies, an independent data protection officer (DPO) will be a necessity, since processing special categories of personal data on a large scale as a core activity exceeds the threshold at which one is required (which in practice means hiring another person or at least changing a job role to address this need). The key to successful implementation seemingly lies in having the correct governance in place, with privacy champions in every key area of the business. Life sciences organizations that have managed to empower privacy champions across the business are seemingly able to identify (and overcome) areas of weakness much more efficiently. Those organizations that are steering solely from a central function (such as legal or compliance) face a much more difficult challenge in making the theory fit with practical implementation.
A large amount of effort has been spent on developing GDPR compliant data processing addendums (and perhaps an even greater degree of effort debating which contractual party gets to use their own data processing addendum). There is now a higher degree of scrutiny over such data processing addendums and underlying supporting documentation. One of the most obvious areas of focus is liability. Requests for broader indemnities and larger liability caps are commonplace and the industry is struggling to land on a market approach. No doubt the increased sanctions are steering these discussions; however, unrealistic requests in respect of liability taint the main aims of the contractual process, which are for the parties to secure sufficient guarantees and commitments, and to ensure adequate due diligence of technical and organizational measures.
100% compliance (if at all achievable) is certainly still a way off for the life sciences sector, particularly given that some key phrases and derogations still need to be fleshed out in guidance from Member States. However, the positive attitude and willingness to comply with the GDPR requirements, supported by stronger governance, is a noticeable trend over the last six months that is providing organizations with a strong internal framework to drive compliance.