GDPR: Where We’ve Come, Where We are Going

Recently, I wrote about Google’s $57 million fine for violating the now one-year-old General Data Protection Regulation (GDPR) enacted by the European Union. While significant attention is paid when data breaches occur at large technology or consumer brands, pharmaceutical companies and those doing business with pharma are subject to the same regulations. Fortunately, the U.S. healthcare industry is better prepared than most, given the strict HIPAA (Health Insurance Portability and Accountability Act) regulations in place since 1996. However, data privacy and cybersecurity are sophisticated and fast-moving, and what worked yesterday won’t necessarily work tomorrow.

At its heart, GDPR tries to increase transparency. It gives individuals more control over their personal data, limits who has access to it, and requires that a personal data breach be reported to the supervisory authority within 72 hours of the organization becoming aware of it.

Even well-intentioned organizations may work toward transparency but pause when it comes to implementation if no mandate requires it. In the near future, that mandate may come from the U.S. federal government or from consumers themselves. U.S. technology executives are already calling for national privacy regulation, because today it varies by state, often with conflicts between different statutes.

As pharmaceutical companies shift their focus from selling medications to providing care and selling health and wellness, they will interact more often with people and their data. To prepare, consider the following data privacy developments:

1. More State, Local, and Federal Regulations: U.S. state and local regulation of personal data will accelerate. In the next 18-24 months, U.S. privacy law will gain consistency relative to today’s separate state mandates and may arrive at a consolidated federal data protection mandate.

2. A Demand for More Transparency: Consumers will start to understand their rights regarding their personal data and will demand more transparency. Companies can use this as a market differentiator.

3. Increased Attention on R&D: Pharmaceutical companies will face more scrutiny of the privacy protections applied during research and development.

4. Beware Action from Activists: Activists may increasingly use privacy regulations as a non-market strategy. Moving forward, it’s plausible we’ll see activists flood companies with data subject access requests, which can grind business to a halt.

5. Impact on Pharmaceutical and Healthcare Targeted Advertising: Today’s hyper-segmentation trend may not be sustainable. Companies that provide this type of market data are struggling with privacy concerns and may need to curtail the data they provide on individuals.

David Ross

David Ross, Principal and Cybersecurity and Privacy Practices Leader, has been with Baker Tilly Virchow Krause, LLP since 2017. David joined Baker Tilly Virchow Krause from an international accounting firm’s cyber risk practice, where he provided strategic insight, service design, business development, and engagement leadership. Previously, David was General Manager of General Dynamics Commercial Cyber Services, where he was responsible not only for the design of the business but also for the launch and management of the new commercial organization.

