GDPR Compliance Critical to Compete in EU

With $477 million in fines levied in 2019 for violating GDPR regulations, it's clear that medical device manufacturers and other life sciences companies must implement and maintain a sustainable compliance program.

In 2018, the European Union (EU) enacted General Data Protection Regulation (GDPR), arguably the strongest data protection regulation in the world. Now we’re beginning to see the impact — in 2019, the EU charged companies more than $477 million in fines for violating GDPR regulations.

While this may appear to concern only Europe and its citizens, the overall reach and impact of this legislation is felt throughout the world, especially by organizations that offer goods and services in Europe, regardless of nationality or country of origin. Companies that infringe on GDPR rights may owe compensation to data subjects for material or non-material damage resulting from a GDPR infringement, in addition to the administrative fines.

A Compliance Strategy Is Critical

For pharmaceutical and medical device manufacturers that operate in Europe, it’s imperative to implement and maintain a sustainable GDPR program. Ideally, you’ve already begun the process, as it has immense scope and may take several years to complete, depending on your company’s existing processes for handling personal information.

To be successful, you should build your compliance framework around data subjects’ rights as they are outlined in the GDPR mandate, especially as they relate to the collection of personal data and the implementation of data collection processes. The data controller and the data processor have crucial responsibilities and obligations under the new regulation. Be clear about the distinction between data protection, which concerns protecting data from unauthorized access (i.e. the technical domain), and data privacy, which concerns the legal domain, such as GDPR, or the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, for instance.

Risk assessment, quality assurance and auditing will play an important role in the set-up and ongoing implementation of your privacy and data protection programs. Remember that GDPR is a shared responsibility across the organization, so make sure that you:

  • Work with your internal and external stakeholders
  • Find systems and tools that fit your organizations’ requirements
  • Leverage your existing systems and processes where appropriate
  • Take a global perspective

Know the Terminology

It is important to understand some of the key terms and concepts used in the legislation:

Personal data is a broad term for information related to an individual, or “data subject,” that can be used to directly or indirectly identify the person. Examples include a person’s name, address or financial information. Related: PI = personal information; PII = personally identifiable information.

Biometric data is personal data resulting from specific technical processing relating to a person’s physical, physiological or behavioral characteristics, which allows or confirms the unique identification of that person, such as facial images or fingerprint data.

Data controller is a legal entity that, alone or jointly with others, determines the purposes for which any personal data is to be processed and the means by which it is processed.

Data processor is a third party with specific responsibilities defined by the GDPR. Processors handle data on behalf of the data controller; they include IT service providers and other types of vendors that process data.

Data processing is an automated or manual action performed on personal data, such as collection, organization or recording. For processing of personal data to be lawful under the GDPR, businesses must identify a lawful basis for this action.

Consent is a foundational concept of EU data protection law. In general, it refers to the need to inform the data subject and to obtain the data subject’s permission before acquiring personal data.

Data protection authority (DPA) is the national authority in each country responsible for protecting data and privacy and for implementing and enforcing data protection law. France has the Commission Nationale de l’Informatique et des Libertés (CNIL), and Germany has the Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).

Data protection officer (DPO) is someone given formal responsibility for data protection compliance within a business. The primary role of the DPO is to ensure that his/her organization processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. Some, but not all, organizations are required to appoint a DPO.

Binding corporate rules (BCRs) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. These rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding on, and enforced by, every member of the group.

Cross-border processing is the processing of personal data where the controller or processor is established in more than one member state and the data processing takes place in more than one member state, or processing activities that take place in a single establishment in the EU but that affect data subjects in more than one member state.

Record of processing activities (ROPA) is the obligation to maintain written documentation and an overview of the procedures by which personal data is processed. The record of processing activities must include key information about the data processing, including the categories of data, the groups of data subjects, the purposes of the processing and the recipients of the data. It must be made available to the authorities on request.

Data protection impact assessment (DPIA) is required under the GDPR any time you begin a new project that is likely to involve “a high risk” to other people’s personal information. The DPIA, a new GDPR requirement under the “protection by design” principle, is required for the following:

  • Using new technologies
  • Tracking people’s location or behavior
  • Systematically monitoring publicly accessible places on a large scale
  • Processing personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”
  • Data processing used for automated decision-making about people that may have legal (or similarly significant) effects
  • Processing children’s data
  • Processing that could result in harm to data subjects if the data were leaked

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. In the event of a personal data breach, the organization must report it to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.

Understanding the Rights of Individuals

The eight rights consumers have relating to their personal data are viewed by many as one of the key objectives of the new regulation. Through these rights, the data subject can make a specific request and be assured that their personal data is not being unduly collected, shared or misused for anything other than the legitimate purpose for which it was originally provided. The rights are listed below:

1. Right to be informed specifies that companies and organizations must tell individuals what data is being collected, how it will be used, how long it will be retained and whether it will be shared with any other parties. This information must be communicated concisely, in plain language, before the data is collected.

2. Right of access means that individuals can submit a subject access request, which obliges the organization to provide a copy of any personal data it holds about them. This right gives the data subject access to the personal data being processed, including the ability to obtain a copy. Companies may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, the information shall be provided in a commonly used electronic form unless the data subject requests otherwise.

3. Right to rectification allows the data subject to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

4. Right to be forgotten, also known as the “right to erasure,” allows the data subject to ask for the deletion (erasure) of their data. It is important to note that this is not an absolute right. There are other dependencies that may be involved, such as the company’s retention schedule/period and requirements from other applicable laws and regulations.

5. Right to restrict processing means that the data subject can ask an organization to limit the way it uses his or her personal data (this can serve as an alternative to requesting erasure, and may be used when the individual contests the accuracy of their personal data, or when the information is no longer needed but the company requires it to establish, exercise or defend legal claims).

6. Right to data portability ensures the data subject has the ability to ask for the transfer of his or her personal data. As part of such a request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another data controller. The data transfer shall be provided in a commonly used electronic format.

7. Right to object says that the data subject may object at any time to the processing of personal data based on legitimate interests or on the performance of a task carried out in the public interest or in the exercise of official authority. The data controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims.

8. Rights in relation to automated decision making and profiling offer provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. Data subjects have the ability to object to a decision based on automated processing. As an example, using this right, a customer may ask for his or her request to be reviewed manually if he/she feels that there are extenuating circumstances that may require human intervention in the decision-making process.

Conclusion

Almost every aspect of consumer life revolves around data, including smartphones, credit and debit cards, digital identity, social media and government identification; essentially every good and service used involves the collection and analysis of personal data.

Digital data is the future and with the volume of data being collected and stored, data breaches become inevitable. GDPR is designed to reflect the world we are living in now.

We need to incorporate laws on personal data, privacy and consent into the present and plan for the future. After all, technological innovation is not static, which is evident from the growing data protection industry. As an example, in the United States, 14 states have pending bills to strengthen privacy protection for their residents and we should expect this trend to continue globally. Companies must be able to plan for it to be resilient in business.

Want to know more about GDPR adherence? Contact Actalent now.