The new EU general data
protection regulation (GDPR) comes in to effect in May 2018 and represents the
most radical change in data protection legislation in the last 20 years. GDPR has been developed to reflect the
changing use of data in the digital world in which we now live, and is designed
to enable citizens to benefit from modern digital services, whilst providing
sound, well formulated and properly enforced data protection safeguards to help
mitigate risks and inspire public confidence in how their information is
handled by businesses, third parties, the state and public service providers.
Failure to comply will have
potentially catastrophic implications for companies, for two reasons:
1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
2. Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the business concerned highly exposed to brand damage and potential customer pay outs.
1. For any breach, the UK regulator, the ICO, will be able to levy fines of up to €20 million or 4% of your annual turnover, whichever is the higher.
2. Breaches have to be notified to the data protection authority and in some cases the consumers affected, without delay. This leaves the business concerned highly exposed to brand damage and potential customer pay outs.
Whilst pharmaceutical
businesses already have onerous MHRA compliance responsibilities to meet in
relation to the protection and integrity of data, many may still need to
broaden their security measures and precautions in order to meet GDPR, as well
as ensuring that they have in place the necessary written SOP’s and can provide
documentary evidence to demonstrate compliance.
So what do pharmaceutical businesses need to be doing to prepare for GDPR?
Well this is a big question and one I will be exploring in more detail in coming blogs, but to give you a flavour, the type of things you should be considering include:
1. Identify what personal data you are holding. Bear in mind personal data can be as simple as an individual's name, email address or reference number. This is vital because you need to be able to demonstrate that you are protecting this data and using it appropriately. So understanding what you have and where it is forms the first step towards compliance.
2. Identify threats to this data. This could include things like cybercrime, accidental loss by employees, deliberate theft by employees, industrial espionage, lost devices and unauthorised access to data. This is vital if companies are to avoid the substantial fines that can be levied for unauthorised access to, or disclosure of, personal information.
3. Invest in and implement the right technologies and business processes to deal with insider and external threats to data. This will involve a wide raft of technologies to provide protection from a range of different threats, coupled with effective, documented business processes. This is very important if you are to avoid data breaches and the associated potential for crippling fines and reputational damage.
4. Put together a new or updated data protection policy and train employees on it. This is important as everyone in your organisation needs to understand their obligations under GDPR and how to make themselves fully compliant.
5. Put in place processes for ongoing education for all members of staff around cyber security and data protection. Because the cyber security landscape is constantly changing, it is very important that employees are constantly kept up-to-date with best practice around security and data protection.
6. Create a breach notification plan. This is important because if the worst should happen, and you do experience a data breach under GDPR, you need to have a clear plan to deal with it and communicate it as smoothly and accurately as possible, and with the least possible damage to your business.
Over coming blogs, I will be exploring in more depth some of the
key issues around GDPR compliance for pharmaceutical companies. In the
meantime, if you are concerned about your business’ GDPR compliance position,
please do not hesitate to contact me on 0118 920 9600 or email jstratton@connexion.co.uk when I will be happy to arrange a no obligation conference call.
--------------------------------------------------------------------------------------------------------------------------
Established in 1994,
Connexion Ltd provides IT consultancy, IT services and IT support to mid-size Pharmaceuticals, Clinical Research
organisations, Biotechnology and Medical Device companies throughout the UK.
Our focus is on delivering IT solutions that create real value to our clients' businesses.
Working closely with our customers’ in-house IT Managers, our structured and
managed approach to delivering IT is paramount in ensuring our clients can
maximise the business advantages technology can offer them, whilst minimising
their risks and maintaining regulatory compliance. For more information about
our services for pharmaceutical businesses please visit our website http://www.connexion.co.uk/pharmaceuticals/
No comments:
Post a Comment