BHBIA: New Data Protection Rules
Pharma Company Perspective
Guy Murray, Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD
Pharma Company Perspective
- Data Controllers' Responsibilities
- Data Breach Notification
- Joint Controllers
- Contracts between Controllers & Processors
- Summary
Data Controllers
GDPR defines a Data Controller as: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of the processing of personal data.
- Data Controllers are responsible for the acts of data processing whether they carry out the processing activity themselves or not.
- GDPR expands on the Controller's responsibilities for processing activities and sets out clear rules for the division of responsibility between Controller and Processor.
Data Controller's GDPR Responsibilities
Data Controllers are responsible for ensuring that any processing activities are performed in compliance with the regulations.
- Governance: responsible for establishing internal governance, policy and procedures for data protection across member states.
- Safeguards: must implement appropriate technical and organisational measures to ensure compliance, and be able to demonstrate these.
- Data Protection Impact Assessments: determine if required, carry them out and then implement appropriate technical safeguards.
- Data Subject Requests: point of contact for data subjects and for supervisory authorities (e.g. for data breach notifications).
- Data Protection Officer: will be appointed by pharma companies as they are processing sensitive personal data.
- Main establishment in the EU: needs to be identified and communicated.
- Notification: no longer included.
Data Breach Notifications
- Controllers must notify the authorities without undue delay and, if possible, no later than 72 hours after becoming aware.
- Communicate the personal data breach to data subjects if it is likely to result in a high risk to the rights and freedoms of individuals.
- Controllers must document data breaches and provide the documentation to the authorities.
Joint Controllers
- There can be joint Controllers when two or more Controllers jointly determine the purposes and means of processing.
- Joint Controllers must have a clearly documented agreement detailing their respective duties.
- The agreement must be available to data subjects.
- The agreement may designate one Controller as point of contact for data subjects and supervisory authorities (data subjects and supervisory authorities can still enforce against either Controller).
- Each Controller still has individual liability for compliance.
Contracts Between Controllers & Processors
- Many organisations are updating master service agreements (MSAs) and data processing contracts that have a personal data aspect to them.
- Expect new contracts to be more rigorous as Legal, Privacy and Compliance groups ensure that GDPR compliance is built in to all new contracts and MSAs.
- As with current contracts, we can expect to see standardised contracting emerge: standard clauses and language.
Contracts Between Controllers & Processors
- The contracts or agreements need to take into account the additional direct responsibilities GDPR places on Data Processors (e.g. data transfers).
- Processors must seek approval to appoint sub-processors.
- Processors must seek approval to transfer personal data out of the EEA.
- GDPR gives Controllers the right to audit the Processor.
What to Expect from Pharmaceutical Company Contracts and Service Agreements to Meet GDPR
Contracts will change: GDPR will be built in to future and current Master Service Agreements.
Expect MSAs / contracts / agreements of work to include:
- Requirements for DPIA / Privacy / IT Risk and Control Assessments
- Documentation of the specific processing, e.g. subject matter, duration, nature, purpose, type of data and categories of data subjects
- Joint Controller agreements
- Requirements for appropriate safeguards and technical and organisational measures (privacy by design)
- Provision in contracts for retention, return and / or deletion
- Data breach notification
- Requirements for inspection and auditing
- Liabilities, assurances and indemnities for legal action
Data Controllers must...
- Make sure you're trained and know what your responsibilities are.
- Determine whether your projects are in scope of GDPR.
- Determine if a Privacy Impact Assessment is required, and complete it before data gathering. If special categories of data or large data sets are being processed, then the Data Controller may require a DPIA.
- Ensure contracts with joint Controllers and Processors contain the right detail.
- Build privacy by design and by default into your projects.
- Make sure explicit consent is gained for processing of health data.
- Only require processing of the personal data that is necessary.
- Understand what is required of you for data subject requests.
- Understand your responsibilities for data breach notifications.
- Maintain and store securely all personal data and all records.