Ashley Slavik details how Veeva Systems prepared for the EU data protection regulation, and what others can learn from the experience
This year marked the beginning of enforcement of the General Data Protection Regulation (GDPR), one of the most significant changes in data protection laws in more than two decades. The GDPR prompted organizations around the world to evaluate the customer data they collected and processed, as well as address internal business processes and practices.
At Veeva, we realized that GDPR compliance was not simply a legal challenge or an IT project, but an enterprise-wide priority requiring a robust and comprehensive approach. That view informed our approach when we set out on our GDPR compliance journey back in 2015, when the law was still in draft form. Here are the steps we took towards GDPR readiness and why we consider each new regulation to be a positive catalyst for change.
Intended to harmonize national data protection laws across the EU and give greater protection and rights to individuals, the GDPR is designed to make companies more accountable for how they process personal data. It expanded the territorial scope of EU data protection regulation to companies processing the personal data of EU residents, regardless of the company’s location. By giving individuals in the EU greater control over how their data was being used through stronger and more specific rights and introducing stringent penalties for non-compliance, the GDPR drove companies to review how they interacted with individuals and how they managed consent. While many companies found it difficult to interpret and complicated to address in practice, according to a recent survey by TrustArc, 65% now view GDPR as having a positive impact on their businesses.
We took the view that we could embrace the flexibility to better adapt our approach to the needs of our customers. The GDPR sets out the principles for data protection and privacy, but it was up to us to decide the best way to apply them to our business.
As a provider of multitenant cloud solutions, Veeva treats privacy and security as part of its DNA, and they are something we regularly discuss with our customers. The overarching principles of the GDPR, therefore, are an extension of something already familiar to us – but we knew we needed to adapt to the key principle of accountability. This meant putting the necessary documents together to enable us to be more transparent about our data processing activities and even more rigorous in our risk assessments. And so, our roadmap began.
Clearly understanding your company’s role as a data controller or a data processor is critical to determining your approach to GDPR.
With the previous EU Data Protection Directive of 1995, legal responsibility rested primarily on the data controller, but the GDPR stipulates shared responsibility between the controller and the processor. Under the GDPR, the controller determines the purpose and means of processing personal data, while the processor is responsible for processing personal data on behalf of the controller in accordance with its instructions. Processors now must maintain records of personal data and processing activity, and they have liability for data breaches. Controllers must ensure their contracts with processors include all of the cooperation obligations.
Like many companies, Veeva acts as both a data controller and a data processor. For Veeva CRM, Veeva Vault, and Veeva Network Customer Master, we are a data processor because we provide our customers with solutions to manage their customer data. For Veeva OpenData and Veeva Oncology Link, we are the data controller because we make decisions on which data is collected, how long it is stored, and to whom it will be transferred. Our Veeva OpenData customers are joint data controllers because they also determine how this data will facilitate their business needs. Veeva Oncology Link is unique in that EU customers may view our data universe via a software platform, but they do not take on the additional role of joint data controller thanks to a read-only functionality that negates their legal responsibility for control. Furthermore, we are a data controller for all of our European employees, customers, and partners.
Historically, privacy fell under the security team’s umbrella, but a fundamental turning point in our GDPR journey was appointing a dedicated data protection officer (DPO). Under the GDPR, a DPO is mandatory for any entity involved in processing data on a large scale. Additionally, it is a business imperative and common sense to have a single point of contact to oversee privacy.
A US- and French-trained attorney, I joined Veeva in 2015 as lead data counsel and global DPO. Although data protection had not yet gathered the attention it demands today and the GDPR was yet to be ratified by the European Commission, I gained certification as an EU data protection officer, becoming one of the first within our industry to hold the title. Based in our Paris office, I began to set out a roadmap to leverage our existing privacy and security controls in order to elevate Veeva’s role as a data controller and processor and trusted partner to the life sciences industry.
Over the years, Veeva has built a strong quality compliance, security and privacy team that works in close coordination with IT, operations, and legal.
Since security is integral to what we do, we hold regular security council meetings with executive management and engineering to continuously advance our security program, and we have a security point-of-contact list with experts embedded in our development teams.
However, to bring privacy to the next level, we realized that we needed a critical mass of people dedicated to GDPR. We decided to create a network of privacy champions made up of individuals in leadership roles whose jobs demanded deeper understanding and knowledge of data protection, or who demonstrated strong understanding of the regulations. These people became the points of contact for their teams – and integral to turning GDPR compliance from a potential add-on to an employee’s day job to something second-nature for every individual across the organization.
While it is important that everyone has a basic understanding of what data protection means, not everybody needs the same knowledge for their role. So, the first task was to identify those within the business whose positions required them to understand the GDPR at the level best suited to their work: product managers, customer service managers, and customer support staff, for example. Once these people joined together around privacy, we created content-specific guidance on the GDPR in the context of Veeva’s own values and aligned with industry best practices, which are now available to all teams.
The true measure of GDPR compliance is whether it permeates the culture at every level, not only from a top-down mandate of the DPO or the legal team. With our Veeva privacy champions group and a "train the trainer" approach, we are already seeing this cultural shift. Our privacy champions are not only consolidating knowledge transfer of the GDPR across our organization, but also helping to bridge the gap that can exist between compliance and strategy. And of course, having people who really understand the impact and implications of the GDPR means we can identify and address potential risks across the business earlier – which enables us to be much more proactive in terms of GDPR compliance.
As a company, we worked hard to communicate both the intricacies and the impact of the GDPR to employees and, in turn, our customers, in a way that would make sense to them. Once individuals think about how they use personal data – and, indeed, how their own data is used – a shift towards individual responsibility and accountability emerges. Training plays a big part in this – considering the GDPR is such a wide, far-reaching topic, tailoring the right information to the right audience is essential.
As DPO, one of my jobs is to help design interactive, online, role-based training that will resonate with each individual in terms of their day-to-day work. Every team is given a slightly different training program, depending on how the GDPR impacts its area of business. We also provide ad hoc, face-to-face training around particular issues, plus events and webinars focused on our GDPR approach.
Interestingly, in a recent TrustArc/IAPP survey, respondents were asked to rate the risks of GDPR non-compliance, then identify what actions they could take to mitigate those risks. Investment in training came out as the number-one action item for risk mitigation, addressing 10 of the 11 GDPR-compliance risks. The power of training and reinforcement should not be underestimated.
Signing on the Dotted Line
The GDPR stipulates that there must be a contract in writing between the controller and processor which clearly sets out the subject matter of the processing and its duration, as well as the nature and purposes of processing, the types of personal data, any special categories of data, and the obligations and rights of both parties. Failure to have a suitable data processing agreement (DPA) in place is a breach of the law under the GDPR.
The fact that controllers must be very precise with their processors regarding cooperation on a variety of different aspects impacts not only our customers, but also our partners and vendors. So, we have spent a lot of time working closely with these stakeholders to make sure we are aligned with the required documentation in place.
It is important to remember that May 25, 2018 was not a deadline, but the starting point for the new era of protection of personal data in the EU. Notably, the draft of the EU ePrivacy Regulation, which is expected to enter into force by 2021, will focus more specifically on the privacy of electronic communications. Additionally, companies selling data on California residents must now be mindful of how they will comply by 2020 with requirements there.
With each new regulation, we seek to focus on the positive aspects of what compliance could bring. This mindset gave us a chance to step back and look at what we achieved and put our mission into perspective – building the industry cloud for life sciences is bound by a data-centric approach. We can now see a much deeper level of transparency with our customers and those whom they ultimately serve – patients who need life-saving and life-prolonging medicines.
Transparency promotes trust. Creating trust is valuable on so many levels across the data lifecycle. To benefit from optimal care, patients need to trust that their healthcare professionals have the most accurate and up-to-date details about treatments they receive. Healthcare professionals need to feel confident that life sciences companies will treat their information in a fair and responsible way. We believe that focus pays off, and we will not lose sight of the importance of protecting that trust.
GDPR Checklist: How Are You Maintaining Compliance?
1. Check in with your data protection officer: how can you help?
2. When are you acting as a data controller?
3. When are you acting as a data processor?
4. How do you manage consent?
5. Do you transfer data outside the EU and, if so, under which mechanism?
6. Have you read your company’s privacy notice?
7. Have you asked each vendor for a GDPR processing agreement?
8. How will you manage data-subject rights?
9. What is your company’s incident-response plan to manage breaches within 72 hours?
10. How can you contribute to GDPR accountability?
Ashley Slavik, CIPP/US, CIPP/E is Data Protection Officer & Lead Data Counsel at Veeva Systems.