Chris Bowen, the Chief Privacy and Security Officer and Founder of ClearDATA, offers his insights on dealing with Europe’s General Data Protection Regulation (GDPR), and how “it got everyone’s attention.” He discusses how GDPR impacts innovative business initiatives adopted by pharma and biotech companies. Awareness of these global compliance requirements—and the implications they may have across an organization’s sites—has never been more critical.
When GDPR replaced the 1995 Data Protection Directive, it vastly increased the punitive nature of violating the privacy of EU citizens. The fines are substantial—up to 20 million Euros or four percent of an organization’s gross annual worldwide revenue. “It got everyone’s attention and forced a lot of efforts to make privacy more consistent among the European Union than ever before,” Bowen said. “And it helped member states to update their own privacy legislation to be harmonious with GDPR.” Harmonious, but not homogenous. Some EU members, France and Germany for example, keep their own unique regulations in addition to those of the GDPR—complicating matters.
As GDPR celebrates its first anniversary, compliance still remains a top challenge for healthcare organizations—and for life sciences organizations in particular. In addition to complying with HIPAA, they also may need to focus on GxP—especially those in manufacturing, as with medical devices.
Life sciences privacy professionals are innovating with their data management policies to help their organizations match their data center locations with global compliance requirements. “They’re keeping the location of the data top of mind. If you don’t know where all your data lives, where it’s being processed, or who has access to it—you have a big problem, because you can’t protect what you can’t find,” Bowen said. “Within GDPR, EU citizens have ‘the right to be forgotten’—a request they can make of their information at any time. Can you guarantee that this Sensitive Personal Information can be erased across your entire data landscape?”
He continued: “International regulations sometimes require that data be kept within a specific geography. Requirements may require additional data safeguards to comply with ‘State of the Art’ principles outlined in the GDPR. Mapping sensitive and personally identifiable information is critical to prevent compliance drift.”
For life sciences organizations moving data or going cross border, Bowen stressed the importance of a data locality plan. “It helps you understand what your requirements are, how you need to operate, and how you need to prevent others from accessing your data—including things like key management strategies, and how your partners interact in that data lifecycle—from the point of creation to the point of archival and destruction.”
The GDPR’s most common violation is simply not having a legal basis for processing data. “It’s saying one thing and doing another,” he said. “Think about Facebook—that’s the key study in what not to do.”
To stay out of the GDPR’s crosshairs, Bowen had some strong advice.
“If you’re using the cloud—and you should be—don’t go it alone. Go with someone who knows these laws from a cloud perspective, and who has experience working within the geography of the EU—and beyond.
Get your Sherpa. Get your guide there to make sure you can do it appropriately.” He continued: “Have people dedicated to protecting that data and making sure they have a Data Protection Officer that’s qualified.”
Unfortunately, Bowen has seen some life sciences organizations that have not risen to the GDPR challenge. “Development teams of some life sciences organizations will just start developing tools to address healthcare problems without necessarily thinking about how those cloud and application requirements align to the requirements within GDPR,” he said. “Just because you’re doing business somewhere doesn’t mean you can offload all of that responsibility to a cloud provider. You must have a shared responsibility model that enables you to operate with your data processors, your data controllers, along with your vendors that help you with that journey.”
Considering the time and money it takes to bring a drug to market, life sciences organizations cannot simply slow the pace of innovation. The consequences of delays are too dire: lost market advantage, financial hardship. Bowen believes the cloud offers an advantage in balancing GDPR with innovation at scale and at speed. “An internal data center has to be built in a way that scales to peak usage. If compute is beyond what I have capacity for, then I can’t do the work,” he said. “On the other hand, cloud is really infinitely scalable, literally—and you only pay for what you use. You can scale up quickly at great volume as needed.”
“Public cloud providers spend billions of dollars on their capacities, and you pay for a fraction of that. Does your organization want to spend money on innovation or on cooling systems?”
Bowen then expanded on the cloud’s financial advantage. “It depends on certain factors, but if you look at the total cost of ownership of an internal data center, you’re paying for things you just don’t need to pay for directly anymore.”
Disruption is happening all around life sciences organizations. The challenge facing business technology leadership is recognizing that innovation strategies must evolve. A life sciences company’s ability to stay competitive depends on how fast it innovates, as well as how it can stay on top of the GDPR’s regulatory requirements and manage the implications that various regulations may have across its sites.