Kari Miller, Regulatory and Product Management Leader, Pilgrim Quality Solutions, an IQVIA company
EU GDPR — The Week is Here!
The General Data Protection Regulation (GDPR), approved by the European Parliament and Council in April 2016, replaces the Data Protection Directive 95/46/ec at the end of this week, on May 25, 2018. It will become the primary regulation protecting all European Union (EU) data subjects from privacy and data breaches in a world driven by data — a world very different from the time in which the 1995 directive was established.
GDPR has received tremendous attention, not surprisingly, as it has strong impact on IT management of personal data, especially with regard to data encryption, security, auditing of technology-enabled processes, and access management. The cost of non-compliance is high, and in the case of GDPR, the impact is very strong indeed.
The major changes resulting from the enactment of EU GDPR are:
- Increased Territorial Scope: The General Data Protection Regulation applies to the processing of personal data of EU data subjects, regardless of whether the organization doing the processing is located in the EU.
- Higher Penalties: Organizations in breach of GDPR can be fined up to 4% of annual global revenue, or €20 Million (whichever is greater).
- Enhanced Consent Requirements: Data subjects must now affirmatively consent to providing personal data (rather than opting out as they have in the past). The request for consent must be given in an intelligible and easily accessible form; no more unintelligible legal jargon. Additionally, withdrawal of consent must be simple to perform.
Understanding the rights of the data subject is also important as there have been several enhancements in that area:
- Transparency: Data subjects may ask for and obtain a copy of their personal data (in electronic format), as well as confirmation of their data’s utilization and for what purpose.
- Data Erasure: Data subjects have the right to be forgotten, i.e. data erasure and cessation of data usage and dissemination.
- Breach Notification: Notification is mandatory in all member states where the data breach results in a risk for the rights and freedoms of EU persons.
- Privacy by Design: This is not a new concept; however, it is now a regulatory requirement in the EU. The regulation requires organizations to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation” (GDPR).
- Data Protection Officers (“DPO”): A data protection officer must be appointed when an organization’s core activities include the collection of personal data (definition follows). The DPO must provide advice about, and monitor compliance with, the regulation.
Those customers that target, monitor, or otherwise process the personal data of individuals in the EU will need to understand the impact of GDPR on their organization. If an organization sells products or services to persons in the EU, even if the organization is not physically located in the EU, compliance with GDPR is required. Put simply, if an organization processes or stores data of EU citizens, GDPR covers their personal data.
Quality Management System Considerations
Life Science organizations are likely to use Quality Management Systems (QMS) where personal data is stored. So how is personal data defined? “Personal data,” per the GDPR, means any information relating to an identified or identifiable natural person. Identification may be direct or indirect via one or more identifiers, such as a name, an identification number, location (address), on-line identifiers (email address, social media profile names, etc.), or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the person.
Complaint solutions gather some data that is considered personal data, as it is required for regulatory reporting to the EU, the U.S. Food and Drug Administration (FDA), and other regulatory bodies. There are a few other regulatory data fields that fall into the realm of personal data, namely race/ethnicity, gender, age, and weight. This data is required for regulatory reporting of adverse events.
Work with your organization’s legal counsel to ensure the data collected in your QMS adheres to EU GDPR principles while maintaining compliance to regulations such as the EU’s Medical Device Regulation. Legal counsel may give guidance in regard to “pseudonymisation” of the personal data required for regulatory reporting. Pseudonymisation means the data should be processed in such a way that it can no longer be attributed to a specific data subject without the use of additional information (which must be stored separately). Companies need to do everything possible to ensure that personal data does not lead to individual identification, while remaining compliant with the regulatory authority’s requirements.
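The pseudonymisation described above, as an added illustration that is not part of the original post or of any Pilgrim product: a constructed adverse-event complaint record has its direct identifiers (name, e-mail) replaced by a random subject token, while the fields still needed for regulatory reporting (gender, age, weight) stay in place. The token-to-identifier mapping is written to a separate dictionary that stands in for the separately stored, separately access-controlled table the regulation calls "additional information"; re-identification is only possible with access to it. The record contents and field names are assumptions for the example.

```python
import secrets
from copy import deepcopy

# Constructed sample complaint record; every value is invented for this example.
SAMPLE_RECORD = {
    "complaint_id": "C-2018-0001",
    "reporter_name": "Jane Example",
    "reporter_email": "jane@example.invalid",
    "gender": "F",          # regulatory reporting fields stay in the record
    "age": 54,
    "weight_kg": 68,
    "device": "Infusion pump, model X",
    "event": "Unexpected alarm during infusion",
}

# Fields that directly identify the data subject and must leave the QMS record.
DIRECT_IDENTIFIERS = ("reporter_name", "reporter_email")


def pseudonymise(record, lookup):
    """Return a copy of `record` with direct identifiers replaced by a random
    subject token. The token -> identifiers mapping is written to `lookup`,
    which stands in for a separately stored, access-controlled table.
    The input record is not modified."""
    out = deepcopy(record)
    # Random token: not derived from the data, so it cannot be reversed
    # or guessed without the lookup table.
    token = "SUBJ-" + secrets.token_hex(8)
    lookup[token] = {f: out.pop(f) for f in DIRECT_IDENTIFIERS if f in out}
    out["subject_token"] = token
    return out


def reidentify(record, lookup):
    """Restore the direct identifiers; only possible with access to `lookup`."""
    out = deepcopy(record)
    token = out.pop("subject_token")
    out.update(lookup[token])
    return out


def leaks_identifiers(record):
    """Review check: True if any direct identifier survived in the record."""
    return any(f in record for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    separate_store = {}
    pseudo = pseudonymise(SAMPLE_RECORD, separate_store)
    print("QMS record:", pseudo)
    print("Round trip intact:", reidentify(pseudo, separate_store) == SAMPLE_RECORD)
```

The point of the split is that the complaint record can be shared with a regulator or an analyst in pseudonymised form, while the mapping table is the only thing that needs the stricter access controls. A keyed hash of the e-mail address is a common alternative to a random token when the same reporter must be linkable across complaints; the trade-off is that the key then becomes the "additional information" that must be protected.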
Organizations will also want to work with their IT staff or cloud provider to ensure that their Quality Management System data is secure. Below are a few items each organization should review:
- Authentication: Ensure your QMS uses strict authentication and authorization rules for granting user access to the system.
- Data Validation: Inbound data should be validated and encoded to provide protection against cross-site scripting (XSS) and SQL injection.
- Encryption: Sensitive data exposure should be addressed with data encryption. Data should be encrypted both in transit and at rest.
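The "Data Validation" item above, as an added example that is not from the original post or from any QMS vendor: a constructed in-memory complaint table is queried first with string concatenation and then with a bound parameter, an allow-list check is applied to a complaint identifier before it is used, and a free-text event field is output-encoded before being placed in HTML. Table layout, field names and the `C-NNNN` identifier format are assumptions for the example.

```python
import html
import re
import sqlite3


def make_db():
    """In-memory table standing in for a QMS complaint store, seeded with
    constructed sample rows (all invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE complaint (id TEXT, reporter TEXT, event TEXT)")
    conn.executemany("INSERT INTO complaint VALUES (?, ?, ?)", [
        ("C-0001", "Smith", "Alarm during infusion"),
        ("C-0002", "Jones", "Pump stopped unexpectedly"),
    ])
    conn.commit()
    return conn


# Assumed identifier format for the example: 'C-' followed by four digits.
COMPLAINT_ID = re.compile(r"C-\d{4}")


def validate_complaint_id(value):
    """Allow-list validation: accept only values matching the expected shape
    and reject everything else before it reaches a query or a log."""
    if not COMPLAINT_ID.fullmatch(value):
        raise ValueError("invalid complaint id")
    return value


def find_by_reporter_unsafe(conn, reporter):
    """The weak form: the input is spliced into the SQL text, so quoting
    characters in it change the meaning of the statement."""
    sql = "SELECT id FROM complaint WHERE reporter = '" + reporter + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_reporter(conn, reporter):
    """The corrected form: the input is bound as a parameter, so the database
    treats it purely as a value and never parses it as SQL."""
    rows = conn.execute("SELECT id FROM complaint WHERE reporter = ?", (reporter,))
    return [row[0] for row in rows]


def render_event(event):
    """Output-encode a free-text field before placing it in an HTML table cell,
    so markup in the stored value is displayed rather than executed."""
    return "<td>" + html.escape(event, quote=True) + "</td>"


if __name__ == "__main__":
    db = make_db()
    print(find_by_reporter(db, "Smith"))
    print(render_event("<b>not bold</b>"))
```

Validation and encoding do different jobs: the allow-list check rejects malformed input at the boundary, the bound parameter keeps well-formed but hostile input from altering the query, and the output encoding protects the browser of whoever later views the record. A QMS needs all three; the parameterised query alone does nothing for a stored event description that is rendered unescaped.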
The above elements play a key role in ensuring that your organization’s Quality Management data is secure, a key element of GDPR compliance.
We’re All in This Together
GDPR has a broad impact on many industries and organizations. It will particularly impact companies that do business with entities in the EU, even if the company is not physically located in the EU. For Life Sciences companies, your organization’s Quality Management System (QMS) is a tool used to achieve quality and regulatory compliance. Each organization must determine what policies and procedures need to be put into place to achieve EU GDPR compliance readiness. Then your organization needs to use your QMS in a manner that is consistent with those policies and procedures.
Ultimately, it is up to each organization and their legal and privacy teams to decide how to interpret EU GDPR, and all things GDPR-related, determining what is right for their organization. The bottom line is that your QMS should be reviewed in light of the new EU GDPR, balancing the needs of regulatory compliance and the privacy called for by EU GDPR. Pilgrim Quality Solutions is here to help. Don’t wait to call us.
GDPR Fact Sheet
Take a look at our preparations to meet the new requirements.