Global Implications of the GDPR: What You Should Know About the Impending Regulations in 2017
The General Data Protection Regulation (GDPR), now nearly one year away from its May 25, 2018 implementation deadline, is having a drastic impact on the pharmaceutical industry. The new European regulations will soon be applied on a global scale. Integrating these compliance measures into business, research and development, and clinical testing procedures rests heavily on information security and technology teams. By mid-2018, information security (IS) and information technology (IT) teams will be working to avoid attacks, breaches, and enormous regulation fines. So, what should companies know about preparing for, and working under, the GDPR?
Big Data, Big Privacy Concerns
Consumer rights in drug trials, testing, and information compilation have never been clearer than within the GDPR. Individuals will be able to dictate the future of their data starting in mid-2018. This means that a specific consumer has the right to decide for themselves whether or not a company can use their information, following participation in a trial or the use of a drug therapy. By limiting the industry’s reach on data usage, the law hopes to reduce the amount of patient profiles stolen during a data breach.
This law is also attempting to limit the kind of data that could possibly be stolen. Indications of identity based on life science data are an important driving force behind the new regulations. The possibility of identifying individuals from data may lead to compliance risks and noncompliance fees. Because of this, many companies are opting to de-identify their data, stripping information from the files so as to retain only the smallest and most important amounts of information. This may lead to limited research availability for disease conditions after GDPR implementation.
The purpose of the data is now as important as the data itself. The GDPR explicitly states a “purpose limitation,” meaning that the purpose of stored data must be clear, concise, and consented to by the individual from whom the information is collected. Without these, the information falls outside the purpose limitation and is not compliant for use or storage.
The Price of Compliance
While the GDPR is enabling a broader discussion of data rights and information security, the transition to a new regulation is costing both European and American life science companies. In a December 2016 PwC survey, 77% of corporations will be spending at least $1 million on compliance preparations. This investment is small in comparison to potential compliance fines in the case of data breaches post-GDPR implementation. Fines could match or exceed €20 million, or 4% of a company’s annual gross income.
The threat of large fines is forcing companies to spend more on compliance-related preparations. Some estimates of fines and costs associated with GDPR projects may reach millions of dollars for larger companies, and hundreds of thousands for smaller firms with primary business in the European Union. In addition to these fines, companies must consider the cost of regulation preparations. Staffing, hours, and resources may need to be increased and could strain unprepared budgets.
Even with the associated costs, the GDPR means fewer data breaches, less compliance risk, and better protected information for the life science industry. Compared with the data hacking and attacks of recent years, many businesses can look forward to safer information.
Sticking to the Rules
There is no doubt that Brexit has shaken the European Union, and after the United Kingdom’s referendum, many businesses were unsure about their adherence to the GDPR. Earlier this year, however, the United Kingdom confirmed that it would keep many European laws, including the GDPR, for at least one year. No details have been shared about life science data protection following this period.
Likewise, American multinational companies are still in the process of GDPR preparations. Spending millions, these companies are hoping to easily combine GDPR regulation with American data regulations to remain compliant and protect against data attacks and hefty fines. The new laws are expected to have a greater impact on business processes and information technology/security than any data regulation predecessor.
The new regulations are having an impact on technological advancements in IT and IS departments as well. Cloud services and system vendors are now also subject to GDPR when working directly with multinational life science businesses. This is expanding the GDPR’s scope, and ensuring that data privacy concerns and rights are addressed both in life science research and testing as well as vendor relations.
Stolen data poses both compliance and ethical issues within the life science industry. To combat this, the European Union released a set of regulations in late 2015 which outline the specifics of data protection laws aimed at reducing data breaches and increasing data accountability. To learn more about the GDPR and integrating these regulations into regular IS and IT procedures, check out Q1 Production’s latest cyber security events.