By Kim Roberts, Counsel at King & Spalding and Tim Robinson, General Counsel at MediSpend
One of the consequences of the European Union’s General Data Protection Regulation (GDPR) is the rise of individual rights. This means companies have to consider more than just government-led investigations and enforcement actions. This data privacy legislation gives power to the people. Many expect non-governmental organizations (NGOs) and activists to use the new law as a means of taking on those companies they believe have been abusive for years.
To start, you must understand what GDPR is and from where it comes. The EU includes control over data as a fundamental right of individuals in its Charter of Fundamental Rights. So, the introduction of a law like this, which reins in companies that are collecting more data than ever thanks to advanced technology, is expected.
Why GDPR Carries Weight With Companies
One of the reasons companies are paying attention is the extent of the possible fines for violators. Severe violations of GDPR can cost up to 4 percent of annual revenue or 20 million euros (whichever is higher). For smaller companies, such a fine could be a death sentence. The fact that individuals could bring complaints using GDPR’s extensive rights is more reason for compliance.
Life science companies and their use of data might not be as high profile as the tech behemoths. However, pharmaceutical and biomedical device companies that possess personal data of EU subjects for medical studies or prescriptions must comply. Aside from being the right thing to do, compliance will shield them from the risk of hefty fines that are a realistic consequence of GDPR violations. And transparency around how data is used and giving individuals informed choices about the use of their data could help restore trust in consumers.
How NGOs Are Already Using GDPR in Their Activism
Two organizations took aim at tech giants on May 25, the first day GDPR came into effect. NGO noyb.eu accuses Facebook and Google of forcing consent upon users, according to Fast Company. In addition, the French group La Quadrature du Net similarly accused seven companies, including Facebook, Google, Apple, Amazon, and LinkedIn of “forced consent” policies, according to Martech.
GDPR sets out stringent conditions on the requirements for freely given consent and provides users with many rights. They can ask companies to explain how they use their data or to remove it from their records altogether. Now that GDPR has arrived, many experts expect NGOs across Europe to target industries they feel have historically been abusive in their use of personal data. Certainly, life science companies should consider themselves vulnerable to possible requests (which could be made on behalf of large groups) and to litigation.
What the Rise of Individual Rights Means for Life Science Businesses
While the law is still too young to have created much precedent, one ruling is already providing tea leaves for the future. The German regional court of Bonn ruled on the principle of data minimization just days after the May 25 launch of GDPR. This principle requires companies to limit the processing of personal data to only the information needed for the purpose of the processing. The decision, experts warn, means companies have to be steadfast in asking only for the data points they absolutely need to achieve the business purpose.
About half of EU and U.S. companies are not yet GDPR ready, according to a recent survey. Those that are ready tend to be from the technology and financial services sectors. Retail and manufacturing have some catching up to do. Many businesses have expressed worry about being unable to understand the law and properly comply, as well as about the extent of the new obligations.
Some of the EU regulators have already indicated that, in certain circumstances, they may be willing to overlook minor errors or the inability to be fully GDPR ready as of May 25, as long as companies can demonstrate they are working toward full compliance. In other words, now is the time to get on board and start a compliance program, or take those extra steps to complete it—or risk the consequences.