Data protection and privacy is not a new subject for the pharmaceutical industry, however the new piece of European legislation might require businesses to re-adapt the way they think about it. The General Data Protection Regulation (GDPR) is the result of four years of work done by the European Union parliament and it has specific requirements regarding the way in which data is captured, processed, stored and transferred.
One important thing to understand is that any piece of data that can identify someone as a natural person, goes under the definition of personal information and is subject to this regulation.
Companies that fail to meet the requirements are subject to heavy fines , that can go up to 4% of their annual global turnover, or 20 million euros, depending on whichever is greater.
Understanding data subject rights
- The right to access – the data subject is entitled to request and to be provided with all the personal data that a company has about them, in a format that is user-friendly.
- The right to rectification – the data subject needs to be provided with the opportunity to correct any wrong personal data that a company has about them.
- The right to be forgotten – this is essentially the right to have all the personal data, that a company has about them, deleted.
- The right to notification – if a company updates, deletes or stops processing data about an individual, they will need to notify any other company or entity that they may have shared this data with, so that they can follow the same action path.
- Right to portability – this means that a data subject can request a company to provide their personal data to another organization on their behalf.
- The right to human intervention – this implies that any decisions that may have a significant impact on a data subject must be reviewed by a human, and cannot be left at the discretion of an automated mechanism or technology.
Moving from implied consent to explicit consent
If you are still struggling to understand the implications of the regulation, the webinar produced by BetterCloud, is a step by step guide to the fundamentals of GDPR. It covers the key concepts that a business (from an IT perspective) needs to know, what these new regulations mean for them, and what their next steps should be.
NOTE – this is not to be used in place of legal advice. It is highly recommend that you work with your own legal counsel to understand your risks and put together your action plan.