Ashley Slavik outlines Veeva Systems' preparations for the new EU data protection regulation, and what others can learn from the experience
As one of the most groundbreaking pieces of European Union (EU) legislation in the digital era, the General Data Protection Regulation (GDPR) represents the biggest shake-up of data protection laws in more than two decades. Viewed with anticipation by some and trepidation by others, the GDPR is prompting organizations around the world to evaluate the customer data they collect and process, as well as address internal business processes and practices.
With the enforcement deadline of May 25 rapidly approaching, many life sciences companies will have already come to realize that GDPR compliance is not simply a legal problem or an IT project, but an enterprise-wide issue requiring a robust and comprehensive approach.
That was the view taken by Veeva Systems when we set out on our GDPR compliance journey back in 2015, when the law was still in draft form. Here, I explain some of the steps we took towards GDPR readiness and why we consider the new regulation to be a positive catalyst for change.
Intended to harmonize national data protection laws across the EU and give greater protection and rights to individuals, the GDPR is designed to make companies more accountable for how they process personal data. It expands the territorial scope of EU data protection law to any company processing the personal data of individuals in the EU, regardless of where the company is located. The GDPR introduces important new requirements for valid consent, and gives individuals in the EU greater control over how their data is used through stronger and more specific rights. It also introduces stringent penalties for non-compliance, with fines of up to €20 million or 4% of worldwide annual turnover, whichever is greater, for the most serious violations.
Despite the two-year transition period between the regulation's adoption in April 2016 and its application on May 25, 2018, many companies are concerned that they will not be GDPR-ready by the deadline. In a recent survey[1] of almost 500 privacy professionals in the US and EU, only 41% of respondents expected their companies to be fully GDPR compliant by May 25, with the complexity of the law cited as the biggest obstacle.
The legislation is indeed complex and lengthy. The GDPR text, spanning 87 pages and comprising 99 articles, is considerably longer than the 1995 Directive 95/46/EC that it replaces. It’s little wonder that many companies find it difficult to interpret and complicated to address in practice – not least because it deliberately avoids being overly prescriptive in its guidance, leaving many areas open to interpretation.
However, we took the view that we could embrace the flexibility to better adapt our approach to the needs of our customers. The GDPR sets out the principles for data protection and privacy, but it was up to us to decide the best way to apply them to our business. The overarching principles of the GDPR are an extension of something already familiar to us – but we knew we needed to adapt to the key principle of accountability. This meant putting the necessary documents together to enable us to be more transparent about our data processing activities and even more rigorous in our risk assessments. And so, our roadmap began.
Clearly understanding your company’s role as a data controller or a data processor – both key terms in the GDPR text – is critical to determining the extent to which you are subject to obligations.
Under the previous EU Data Protection Directive of 1995, legal responsibility rested primarily with the data controller, but the GDPR places direct obligations on the processor as well. Under the GDPR, the controller determines the purposes and means of processing personal data, while the processor processes personal data on behalf of the controller and in accordance with its documented instructions. Processors must now maintain their own records of processing activities, notify the controller without undue delay of any personal data breach, and can be held directly liable for damage caused by processing that breaches their obligations. Controllers must ensure their contracts with processors include all of the cooperation obligations the regulation requires.
As a cloud provider, we ensure the same privacy and security controls for all customers. Historically, privacy sat under the umbrella of our Global Information Security Officer, David Tsao, based in Pleasanton, California. A fundamental turning point in our GDPR journey, however, was appointing a dedicated data protection officer (DPO). Under the GDPR, a DPO is mandatory for public authorities and for any organization whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data. Beyond the legal requirement, having a single point of contact to oversee privacy is a business imperative and common sense.
A US- and French-trained attorney, I joined Veeva in 2015 as lead data counsel and global DPO. Although data protection had not yet gathered the attention it demands today and the GDPR had yet to be formally adopted, I gained certification as an EU data protection officer, becoming one of the first within our industry to hold the title. Based in our Paris office, I began to set out a roadmap to leverage our existing privacy and security controls in order to elevate the company's role as a data controller and processor, and as a trusted partner to the life sciences industry.
We hold regular security council meetings with executive management and engineering to continuously improve our security program, and we have a security point-of-contact list with experts embedded in our development teams. However, to bring privacy to the next level, we realized that we needed a critical mass of people dedicated to the GDPR. We decided to create a network of privacy champions made up of individuals in leadership roles whose jobs demanded deeper understanding and knowledge of data protection, or who demonstrated strong understanding of the regulations. These people would become the points of contact for their teams – and integral to turning GDPR compliance from a potential add-on to an employee’s day job into something second-nature for every individual across the organization.
While it is important that everyone has a basic understanding of what data protection means, not everybody needs the same knowledge for their role. So, the first task was to identify those within the business whose positions required them to understand the GDPR at the level best suited to their work: product managers, customer service managers, and customer support staff, for example. Once these people joined together around privacy, we created content-specific guidance on the GDPR in the context of Veeva’s own values and aligned with industry best practices, which are now available to all teams.
The true measure of GDPR compliance is whether it permeates the culture at every level, not only from a top-down mandate of the DPO or the legal team. We are already seeing this cultural shift. Our privacy champions are not only consolidating knowledge transfer of the GDPR across our organization, but also helping to bridge the gap that can exist between compliance and strategy. And of course, having people who really understand the impact and implications of the GDPR means we can identify and address potential risks across the business earlier – which enables us to be much more proactive in terms of GDPR compliance.
As a company, we are working to communicate both the intricacies and the impact of the GDPR to employees and, in turn, our customers, in a way that makes sense to them. Once individuals think about how they use personal data – and, indeed, how their own data is used – a shift towards individual responsibility and accountability emerges. Training plays a big part in this – considering the GDPR is such a wide, far-reaching topic, tailoring the right information to the right audience is essential.
As DPO, one of my jobs is to help design interactive, online, role-based training that will resonate with each individual in terms of their day-to-day work. Every team is given a slightly different training program, depending on how the GDPR impacts its area of business. We also provide ad hoc, face-to-face training around particular issues, plus events and webinars focused on our GDPR approach.
Interestingly, in a recent TrustArc/IAPP survey[2], respondents were asked to rate the risks of GDPR non-compliance, then identify what actions they could take to mitigate those risks. Investment in training came out as the number-one action item for risk mitigation, addressing 10 of the 11 GDPR-compliance risks. The power of training and reinforcement should not be underestimated.
The GDPR stipulates that there must be a written contract between the controller and processor which clearly sets out the subject matter and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects (including any special categories of data), and the obligations and rights of both parties. Failure to have a suitable data processing agreement (DPA) in place is itself a breach of the GDPR.
Contracts, therefore, needed to be revised to meet those requirements. Because controllers must be very precise with their processors about cooperation on a range of matters, this affects not only our customers, but also our partners and vendors. So, we have spent a lot of time working closely with these stakeholders to make sure we are aligned and that the required documentation is in place.
Throughout the prolonged effort, we have sought to focus on the positive aspects of preparing for the GDPR. This mind-set gave us a chance to step back and look at what we achieved and put our mission into perspective – building the industry cloud for life sciences is bound by a data-centric approach. We can now see a much deeper level of transparency with our customers and those whom they ultimately serve – patients who need life-saving and life-prolonging medicines.
Transparency promotes trust. Creating trust is valuable on so many levels across the data life cycle. To benefit from optimal care, patients need to trust that their healthcare professionals have the most accurate and up-to-date details about treatments they receive. Healthcare professionals need to feel confident that life sciences companies will treat their information in a fair and responsible way. Life sciences companies rely on technology providers to enable them to manage value- and compliance-driven data more efficiently.
Ashley Slavik, CIPP/US, CIPP/E, is Data Protection Officer & Lead Data Counsel at Veeva Systems Inc.
[1] Getting to GDPR Compliance: Risk Mitigation and Strategies – IAPP/TrustArc, Sept-Oct 2017
[2] Getting to GDPR Compliance: Risk Mitigation and Strategies – IAPP/TrustArc, Sept-Oct 2017