We admit the header sounds a bit eerie, with a nod to the battle of Normandy and all. The truth, however, is that with the General Data Protection Regulation (GDPR) coming into force as of May 25th 2018, there isn’t much time left to take the necessary measures. With fines of up to €20 million or 4% of the organization’s global turnover, compliance (or the failure to comply) could indeed turn into a matter of life and death. The good news is that ‘auxiliaries’ have already arrived.
Member card or IP address
Data protection is closely linked to data integrity, a line of business in which Vivenics has been an expert for years. We already have a lawyer in our team, Roy Verhoeven, and we recently decided to expand our services by recruiting Vincent Corbesir, a certified Data Protection Officer (DPO). (Vincent is on the right of the picture, Petrik Cuijpers in the middle and Roy on the left.) Vivenics will help organizations both inside and outside the pharma business prepare for the GDPR. Says Corbesir: “GDPR is designed to give residents of the EU more rights, control, and awareness about how their personal information is used whenever they submit it to public and private organizations. Data is defined as any information (either digital or on paper) about a person that can be used to directly or indirectly identify that person. This may even include things such as a person’s IP address or a discount card issued by your local supermarket. To protect all these data from being used for the wrong reasons or from ‘going public’, a systematic approach is obviously required.”
Data Protection Officer
“First of all, organizations need to assign data processors and data controllers. Processors process or physically manipulate personal data on behalf of data controllers. Processing has a wide definition and includes the “… collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation/reading, [and] use…” of personal data. Data controllers in turn determine how and why personal data should be handled by data processors. Data processors and controllers may not be part of the same organization. DPOs on the other hand are consultants who specialize in ensuring an organization is compliant with GDPR. All processes that involve personal data need to be captured in a registry. That registry can be audited to prove that the organization is compliant with all regulations governed by GDPR. DPOs also act as a point of contact for the supervisory authority. They are already mandatory in government bodies, while appointment of DPOs in other organizations will depend on factors such as size and complexity.”
“At this moment it is quite doubtful whether there will be enough DPOs to prepare all organizations in the months to come. For structuring, managing and controlling purposes, establishing and maintaining an adequate register of all actions that apply to data capture and protection is essential. Once this register is operational, it should be handed over to a data coordinator. In daily practice, this will most likely be the IT department. As of May 25th, Data Protection Authorities (DPAs) may demand access to this register or any system designed to comply with the GDPR guidelines. Ultimately, GDPR is designed to prevent personal data from ending up in the wrong hands, either deliberately or as a result of theft or data leakage. The latter is heavily penalized if not notified within 72 hours, apart from the need to inform all data subjects involved of the leakage.”