Right about now everyone is asking, “What could the European Union (EU) General Data Protection Regulation (GDPR) cost my business?” The answer is simple. For some people, a violation could mean the death of their company.
GDPR, which was four years in the making, will take effect as law May 25, 2018. Mark your calendars, life science companies. This law is significant and relevant to any business that has interactions with Europeans. It covers how organizations process, store, and secure personal data.
Particulars of the Law
GDPR intends to strengthen and unify data protection for all individuals residing in the EU and also relates to the export of data outside the EU thereby extending the law to all foreign companies processing data of EU residents.
Organizations operating in the life sciences and healthcare sectors will be highly affected by these new regulations. Obviously, life science companies collect and either store or use large amounts of personal data for patients and clinical trials. Indeed, any company capturing data of those in the EU must comply.
This could include information about a person’s health, age, birthday, and identification numbers. You may have this data for those participating in clinical trials or employees with human resources files. You might even have some of this personal information if you’ve ever asked customers to fill out forms to get additional information or sign up for a newsletter, depending on the extent of your data collection.
Requirements That Matter
The law applies both to organizations within the EU and those outside the continent who process personal data because they offer goods and services or monitor the behavior of data subjects based in the EU.
Anyone in the EU, regardless of citizenship, is protected. Because of the law’s wide parameters, those companies outside the EU will be impacted, too. That means many, if not most, life science companies need to pay attention.
What some have not realized yet is the obligation companies, with any of these ties, have to appoint a representative in the EU, according to Ropes & Gray, a law firm that specializes in representing business and finance organizations. The representative will be responsible for compliance with GDPR, specifically the processing and storage of personal data of those in the EU.
You must protect any data, regardless of where it is sent or stored, which can lead to the identification of any living EU individual, according to the law. In addition, you must verify the protection by providing proof you took appropriate action.
What GDPR Means to You
Now is the time for life science and healthcare organizations to get on board. You should be putting in place policies and procedures that ensure the data privacy protections stipulated in the law. By working ahead of schedule and making this part of your default system, you are embedding these safeguards in your culture. In other words, they will become second nature to members of the organization.
Non-compliance could cost a company millions in fines. In fact, the authorities could fine you as much as 4 percent of global sales or 20 million euro (roughly $23.6 million at the time of writing), whichever is higher.
U.S. multinational companies are motivated by the possibility of steep fines and punitive injunctions. More than half of the 200 respondents to PwC’s recent survey on GDPR preparedness, said readiness for the law is the highest priority on their data privacy and security to-do list.
What’s more remarkable is how much companies are investing to protect themselves against committing violations. Of the respondents, 77 percent said they plan to spend $1 million or more on GDPR compliance. PwC warns companies that if they have not begun to prepare, they are already behind the times.
How We Can Help You
In today’s global economy, many life science and healthcare related companies have connections to Europe. While some companies are looking to de-identify Europeans to avoid having to comply, it is not a viable option for many. Certainly, compliance with this law may cause a company to reevaluate its relationships in Europe. But you are committed to growing your business and being a global player. You can’t give up now. We get it.
MediSpend has been keeping tabs on GDPR from the very beginning. We can help you ensure your data is mapped correctly and information on your clients and employees is in compliance with GDPR. As the clock ticks down to its inception in May 2018, we are helping clients prepare.