Why GDPR is an Opportunity for the Pharma Industry
With GDPR coming into effect on 25th May 2018, we are all preparing our companies and client projects to ensure compliance, but how will GDPR affect the health technology landscape moving forwards, and how can we ensure we can continue to support our customers and patients with innovative technological interventions?
I’m going to go right ahead and say I’m not an expert on GDPR, but like all companies we are experiencing the pains of negotiating the new legislation and what it will mean to our clients and our technology projects moving forward. Where I think there is a general feeling of impending gloom and nervousness, I don’t think it’s really all that bad at all!
GDPR Forcing More Aligned Projects
I do think we are likely to enter a period of uncertainty where regulators and legal teams will require and demand more from their agencies on the specifications for the projects they are proposing. And this I think is a good thing. It will finally force agencies to think more carefully about the projects they are proposing and why, how they will work and how they can still provide patients and HCPs with the same service, despite them not consenting to their data being stored.
This will challenge pharma too, as data and the insights it could provide were a big driver for commissioning digital programmes: anything from what we believe our customers are interested in, using CLM platform reports, to insights and usage data from patient support programmes. All will now be challenged by GDPR legislators, and rightly so, because I believe it gives us as an industry an opportunity to challenge ourselves to ensure we are doing the right thing, building tools of genuine value and service to our customers and patients. If this is true, then why would someone decline for their data to be used?
The Regulatory and Compliance Learning Curve
My career in this industry grew up in the age of technology nervousness and a desire from compliance teams for clarity from our regulatory bodies. With the response always being ‘If you are doing the right thing, and can provide evidence to support this, you should be OK, but you’ll never really know until you end up in court’, pharma has understandably sometimes been nervous to take deep strides into the technology arena.
As experience has widened and pharma has become bolder in recent years, developing more sophisticated tech solutions to solve problems in health and medicines management has become more commonplace. However, I do have a slight concern that GDPR will introduce a regression back to the aforementioned nervousness and question the impact this could have on innovation. This is another challenge that I believe will be overcome through strong partnerships with not only agencies who understand this new world and can wholly support their clients, but the communities that these projects aim to serve. Ultimately if the initiative is aimed at doing the right thing, the devil is in the detail, rigour, paperwork and evidence to back that up.
Why Aren’t We Doing This Already?
According to the ICO [1], ‘Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA)’.
So if we are complying properly with the current law, then most of our procedures and scoping practices should be the same, save for a few additions, which I think will benefit our programmes for the good moving forwards. For example, we need to be specific about the data we are collecting, ensure that it is for legitimate purposes and that it is not processed any further than those purposes that are deemed legitimate and stated.
This can be accomplished early and upfront in the scoping stages of any technical development project, and working closely as an MDT with all teams, including legal, regulatory, compliance and marketing upfront in the development of the project, will make this process far easier and help us to consider all aspects of the programme much sooner in its development life-cycle.
We need to ensure all data collected is accurate, up to date and still in the control of the owner (right to erasure – not the band!). Again, this will be a new process we will indeed need to navigate: for example, if a user wants to remove their data from one element of a programme but not others, we will need to outline a process for accomplishing this. But few other industries are as in touch with the need for absolute accuracy when it comes to data as pharma, so again, we are already in a really good place for considering what this looks like when the same rigour is applied to our technology projects. There are many more clauses like these; I could go on for ages, but I fear it will bore you to tears and I think I’ve made my point – we ARE already doing lots of these things, and if you’re not, you may be working with the wrong companies! So I will move on…
This is again of the highest importance when the data we are asking HCPs and patients for can often be Sensitive or Personally Identifiable Information (SPII/PII); even when encrypted, this data is not immune to hacking and decryption by bots. If we are proposing solutions where we need to collect this level of data to offer our users a tailored experience, or to provide information relevant to them based upon biometric inputs (for example), then we need to be clear about every aspect of this data: where it is stored, how it will be encrypted, why we are collecting it (data relationship/impact analysis), and we must make every effort in our security implementations to protect it.
There are far too many solutions currently out there, not just from pharma, but from people trying to do good things for the healthcare tech environment, that do not protect this data adequately enough and leave themselves open to data breaches – I’ve seen them first hand and how easy it is to hack them. This is such a shame, because these are solutions that really are trying to do the right thing. However, even with some of the most sophisticated security interventions in place, companies are not invulnerable: even MyFitnessPal experienced a massive data breach last week, leading to potentially 150 million accounts being exposed [2].
No one is immune, but GDPR is forcing the issue of security further upstream. Security systems need to be considered again, understood through feasibility and risk assessments, and finally documented with the MDT upfront in the scoping phases.
I really think GDPR will not inhibit us but instead provide us with many more opportunities to challenge ourselves and the healthcare environment. I hope it will lead to tech solutions being proposed and developed that are much more relevant and supportive of HCPs, patients and their carers, as well as their pharma sponsors.
Deeply considering all aspects of data management for health technology projects upfront means we will be in a great place to continue to develop thoughtful interventions that can really impact and make a difference in someone’s life well into the future, and that can only be a good thing.
1. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
2. https://www.forbes.com/sites/tonybradley/2018/03/30/security-experts-weigh-in-on-massive-data-breach-of-150-million-myfitnesspal-accounts/#14835e933bba