Given that 50% of all exports from Ireland in 2014 came from the pharmaceutical sector it is fair to say that this sector plays a major role in Irelands economy. Ireland in 2014 was the 7th largest exporter of medicinal and pharmaceutical product in the world. There are approximately 120 overseas pharmaceutical companies with operations in Ireland, with 9 of the top 10 largest pharmaceutical companies setting up operations in Ireland.
Taking all this into account and with the new European General Data Protection Regulation due to be enforced from May 2018, we thought we should highlight what pharmaceutical companies should be aware of while preparing for the Regulation.
The GDPR – what does it mean?
The GDPR is a new piece of European data protection legislation, which will be enforced from 25 May 2018. It is intended to strengthen and unify data protection for all individuals.
It means you need to manage and protect all personal data you hold about employees, suppliers, clinical trial subjects and consumers.
Why do companies need to comply?
With fines of up to 4% of annual global turnover or €20m (whichever is greater) for companies that fail to comply with the Regulation, this legislation cannot be ignored. Ireland’s Data Protection Commissioner, Helen Dixon, warned that the reputational damage from suffering a breach may be even more damaging to firms than the fines that will be imposed as she vows to name and shame companies that suffer a breach.
Ensuring your organisation complies with the GDPR shows a good level of corporate governance and will also reduce the risk of legal action from individuals whose personal data you hold.
What types of personal data must companies manage and protect?
Pharmaceutical companies typically hold a vast amount of personal data, from employee data to that of suppliers and consumers, all of which must be protected. This will include:
- Data held in consumer/management systems
- Patient databases
- Employee HR files such as addresses (including email addresses)
- Banking/payment card data
- Dates of birth
- Medical records/medical screening forms
- Medical consent forms
- Consumer contact/communications records
- Supplier personnel data
What’s the first step towards compliance?
Companies need to ensure they have a register of all personal data held by the organisation. This register needs to identify which jurisdiction the data is held in, why the company is holding the data, how long the data will be held for, and how the company will either permanently delete the data or provide a full and correct set of all records held on any individual if requested.
A GDPR compliance framework needs knowledge and competence. Take the first step towards implementing the GDPR in your business by attending our certified EU GDPR Foundation and Practitioner training in Belfast, Cork or Dublin.