With new European General Data Protection Regulation (GDPR) slated to be enforced from May 25, 2018 to strengthen data protection for all European origin individuals and businesses, the Indian pharmaceutical industry with operations in EU or having distribution partners, CROs, software vendors etc in Europe are rushing against time to comply with new data protection regulation.

GDPR applies to all companies processing the personal data of subjects residing in the EU, regardless of the company’s location. As per GDPR, a company cannot collect, record, structure, store data of EU citizens and businesses without their consent. It restricts the transfer of personal data to any third country or international organisation lacking adequate level of protection. A firm having data of EU employees, suppliers, clinical trial subjects and consumers etc are required to appoint a data controller to ensure the existence of appropriate safeguards, which may include encryption or pseudonymization.

Non-compliance can result in a fine of either EUR 20 million or 4% of turnover, whichever is higher.

Pharmaceutical companies hold a vast amount of personal data which includes data held in consumer/management systems, patient databases, employee HR files such as addresses (including email addresses), banking/payment card data, medical records/medical screening forms, questionnaires, medical consent forms, consumer contact/communications records, supplier personnel data etc. All of these need to be protected post GDPR, said Anand Iyer, business manager, UL India Pvt Ltd.

Companies are required to have a register containing all personal data held by them. This register contains details on jurisdiction of data, reason for holding data, duration of data storage and clarity over deletion of data or sharing correct set of all records held on any individual if requested, he added.

With two months remaining before GDPR kicks off, this is an opportune moment for companies to relook into their policies pertaining to data privacy and protection and put in place data protection system in advance. The GDPR compliance will show good corporate governance and will also minimise the risk of legal action from individuals whose personal data the companies hold. Even domestic companies lacking presence in EU can not ignore this legislation in this globalised world, said Iyer.

To avoid running into the legislative issues post GDPR, the marketing firms can utilise a window of opportunity between now and May to get their contacts database in order. They can contact people regarding their approval to receive communications. It will pay dividends to them in the second half of the year when they will be able to continue marketing campaigns unhidered by compliance issues, said Anil Chiplunkar, associate director- information security, Sciformix Technologies Pvt Ltd.

The GDPR was passed by the EU Parliament in April 2016. It replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe. It aims to protect EU citizens from privacy and data breaches and bring changes to the way organizations across the region approach data privacy.