Tuesday 15 August 2017

Preparing your Pharmaceuticals business for GDPR: How well do you understand your data?



With Digital Minister Matt Hancock having now formally announced the government's intention to overhaul its data protection laws through a new Data Protection Bill, which will enshrine the EU's forthcoming GDPR in UK law and prepare the UK for life after Brexit, I thought it would be useful today to expand on some of the actions pharmaceuticals businesses need to take to ensure they comply with the new legislation.

Those of you who read my recent blog, GDPR in Pharmaceuticals – 6 top tips for compliance, will have seen that I talked about the need to identify what personal data you hold. This is something I wanted to elaborate on today, particularly in relation to knowing where that confidential data is stored.

This may sound like an odd topic, as I'm sure many of you are thinking you know exactly where all your company’s confidential data is held. But do you really?

A pharmaceutical company's data is precious, and much of it is personal: names and contact details of your clients, prospective clients and staff; medically confidential patient health information; clinical trial data; and a wealth of commercially confidential contracts, agreements, research, IP and email correspondence. Bear in mind that GDPR defines personal data broadly, as any information relating to an identified or identifiable living individual, not just names, so IP addresses and other online identifiers, genetic data and internal reference numbers all count as personal data. Pseudonymised data (for example, trial subject codes held separately from the key that links them to a patient) also remains personal data for as long as re-identification is possible. It therefore becomes clear that the vast majority of a pharmaceutical company's data is likely to fall within the scope of the new legislation.

And the scary reality nowadays is that your business data may be scattered across the world. Some of it will certainly reside (hopefully securely) on your in-house servers. But what about the proliferation of company-owned and employee-owned portable devices such as laptops, tablets and smartphones that now hold company data or email? Or data that has been copied to removable media such as USB sticks? Or data that has been shared with business partners and other third-party organisations? Or the copies of data taken for backup purposes, which are often forgotten once the original has been deleted?

Then there is the cloud. The cloud has revolutionised the way many businesses store their data, but in doing so has also globalised where that data is stored: many providers replicate data across data centres worldwide in order to optimise costs and resilience, so unless you have explicitly chosen a storage region and checked where backups and support access are located, you may not know which countries your data currently sits in.

So do you really know where all your data is held? And does it matter?

Well, the more widespread and less controlled your data is, the more vulnerable your business is to a breach of data security. Under the new Data Protection Bill, a breach that results from inadequate security, or that is not reported to the ICO within 72 hours of its discovery, leaves businesses open to potentially crippling fines of up to £17 million (under GDPR, €20 million or 4% of global annual turnover, whichever is higher) and to immeasurable reputational damage. In addition, the legislation grants individuals the "right to be forgotten" (the right to erasure), allowing them to ask companies to delete their personal data from their records. That right is not absolute, and it does not override legal retention obligations such as those that apply to clinical trial records, but you can neither honour nor lawfully refuse a request unless you can identify what data you hold on that person and where every copy of it is. Knowing what data is held, and where, is therefore vital for compliance.

If your data is very disparate, you may wish to bring it together in one secure, central repository to make it easier to control and manage. Luckily there are now technologies that facilitate this; for example, we have built several of our clients their own private cloud solution, where all their data is held in one secure, central, UK-based repository that they and their authorised business partners can access securely wherever they are, without the source data ever leaving the UK-based data centre.

For other clients, whose data is generally central but also resides on some mobile devices, we implement business processes and technologies to prevent data leakage and to manage those mobile devices.

Either way, it is paramount to put your business back in control of its data, knowing where it is, who has access to it and why. This in turn needs to be documented, both so that the Board understands and controls the company's data and to provide evidence for compliance and audit purposes; under GDPR, an organisation processing health data will in any case be expected to keep a written record of its processing activities, and an inventory of what you hold and where is the natural starting point for that record. This not only puts the business back in control of its valuable data, but minimises the risk of a security breach and takes the first step towards GDPR compliance.

Should you need help on assessing your readiness for GDPR or advice on technology solutions that will provide GDPR compliance, please do not hesitate to contact me on (01494) 444065 or email gary.swanwick@epoq-it.co.uk

Epoq IT work with small and medium size pharmaceuticals businesses, providing consultancy, methodologies and technologies that bring clarity and give control over IT back to the business – putting the business in the driving seat of IT spend, compliance and security. For more information on our services please visit our website http://epoq-it.co.uk/pharmaceuticals