Recently, I wrote about Google’s $57 million fine for violating the now one-year old General Data Protection Regulation (GDPR) enacted by the European Union. While significant attention is paid when data breaches occur with large technology or consumer brands, pharmaceutical companies and those doing business with pharma are also subject to the same regulations. Fortunately, the U.S. healthcare industry is more prepared, given the strict HIPAA (Health Insurance Portability and Accountability Act) regulations in place since 1996. However, data privacy and cybersecurity are sophisticated and fast-moving and what worked yesterday won’t necessarily work for tomorrow.
At the heart of GDPR, the regulation tries to increase transparency. GDPR intends to give an individual more control over his or her personal data, while limiting who has access to it, and mandating notification within 72 hours if personal data has been breached.
Even the most well-intended organizations may work toward transparency but eventually pause when it comes to implementation, without a mandate requiring them to do so. In the near future, we may see mandates coming from the U.S. federal government or the consumers themselves. U.S. technology executives are already calling for national privacy regulation as today it varies by state, often with conflicts between different statutes.
As pharmaceutical companies shift focus from selling medications to providing care, and selling health and wellness, more opportunities for interaction with people and their data will occur. To prepare, consider the following data privacy actions:
1. More State, Local, and Federal Regulations: U.S. state and local regulations will accelerate around the protection of personal data. In the next 18-24 months, privacy in the U.S. will gain consistency versus separate state mandates and may have a consolidated federal date protection mandate.
2. A Demand for More Transparency: Consumers will start to understand their rights as it relates to their personal data and will demand more transparency. This could be used by companies as a market differentiator.
3. Increased Attention on R&D: Pharmaceutical companies will have more attention paid to their privacy protections during research and development.
4. Beware Action from Activists: Use of privacy regulations as a non-market strategy for activists may increase—moving forward it’s plausible we’ll see activists flood companies with data requests, which can grind business to a halt.
5. Impact on Pharmaceutical and Healthcare Targeted Advertising: Today’s hyper-segmentation trend may not be able to be sustained. Companies that provide this type of market data are struggling with privacy concerns and they may need to curtail the data they provide on individuals.