“It’s 25th May 2018, And I’m Not GDPR Compliant. Now What?”
Violating the General Data Protection Regulation (GDPR) will be a form of self-punishment for medical drug and device companies, especially those headquartered in the EU.
We’re not just considering the substantial monetary penalties involved. There’s also the reputational risk, litigation and poor goodwill to consider, all of which will affect such organizations for the long-term, and impede their competitiveness in an industry which is already very competitive.
Despite the clear implications of not being GDPR compliant, not all companies will be ready with a program on 25th May 2018.
According to a survey qordata conducted during the Life Sciences GDPR Bootcamp, none of the compliance/transparency professionals indicated complete readiness, though 7.14% stated readiness at 90%; of the respondents, 14.29% said they were “not engaged in a GDPR Project.” This was further discussed in a webinar with Brian Sharkey, JD; Vice President, Porzio Life Sciences, LLC.
What should such companies do?
As we learned during the webinar, the first step, in this case, would be to give evidence of cooperation with the Regulation. Even some state of preparation is better than none.
Pharmaceutical companies should prioritize the data needs of their data subjects. With a good data mapping exercise, they can identify, at least preliminarily, which category of stakeholders would be most interested in immediately exercising their data rights, and have systems in place for that. Identifying which data right takes priority is also something that should surface after a good GDPR Risk Assessment.
Companies that are most likely to come under fire are those that have shown irresponsibility and insensitivity to the data rights of natural persons in the past. A history of data breaches, stolen data, or obsolete data that was not destroyed according to the correct data destruction protocol are all red flags regulators will be looking for.
The second thing to consider is the degree of interest such organizations have taken in remedial measures. Have they invested in stronger data security structures? Have they done enough to improve internal compliance measures?
If you’re a medical drug/device company based out of the EU, these are questions you need to start asking. “The sooner the better,” according to Brian Sharkey.