One week left … GDPR is coming!

Data protection and privacy are not new subjects for the pharmaceutical industry; however, the new piece of European legislation may require businesses to re-examine the way they think about them. The General Data Protection Regulation (GDPR) is the result of four years of work by the European Union parliament, and it has specific requirements regarding the way in which data is captured, processed, stored and transferred.

One important thing to understand is that any piece of data that can identify someone as a natural person falls under the definition of personal information and is subject to this regulation.

Companies that fail to meet the requirements are subject to heavy fines, which can go up to 4% of their annual global turnover or 20 million euros, whichever is greater.

Understanding data subject rights

  1. The right to access – the data subject is entitled to request, and to be provided with, all the personal data that a company holds about them, in a user-friendly format.
  2. The right to rectification – the data subject must be given the opportunity to correct any incorrect personal data that a company holds about them.
  3. The right to be forgotten – this is essentially the right to have all the personal data that a company holds about them deleted.
  4. The right to notification – if a company updates, deletes or stops processing data about an individual, it must notify any other company or entity with which it has shared that data, so that they can follow the same course of action.
  5. The right to portability – this means that a data subject can request that a company provide their personal data to another organization on their behalf.
  6. The right to human intervention – this implies that any decision that may have a significant impact on a data subject must be reviewed by a human, and cannot be left to the discretion of an automated mechanism or technology.

Moving from implied consent to explicit consent

In order to comply with the GDPR, companies must seek, obtain, and record explicit consent for any intended action that involves an individual’s personal data. This marks the end of the era in which privacy policies and terms of use were tucked away at the bottom of a web page, and the mere act of accessing that page was taken to mean that you consented to your personal data being stored and processed however the company collecting it saw fit.

If you are still struggling to understand the implications of the regulation, the webinar produced by BetterCloud is a step-by-step guide to the fundamentals of GDPR. It covers the key concepts that a business (from an IT perspective) needs to know, what these new regulations mean for it, and what its next steps should be.

NOTE – this is not to be used in place of legal advice. It is highly recommended that you work with your own legal counsel to understand your risks and put together your action plan.


Sources:

https://www.eugdpr.org/key-changes.html
