The event organized by BMI SYSTEM, DP Conformity and Advanced QA on 9 March on “The 2016 General Data Protection Regulation (GDPR)” was an opportunity to present the regulation’s main principles and the new requirements it imposes on pharmaceutical companies.
Why a new legal framework? What is at stake?
In France, data protection is governed by two texts, one French (the 1978 IT and Data Protection Act, “Informatique et Libertés”) and one European (the GDPR). Why an update at the European level? There are two main reasons: the 1995 directive was transposed in differing ways by the Member States, and there have been major technological and societal developments since. More precisely, harmonization of the rules was necessary for greater legal certainty, and a high level of protection for European citizens was needed to meet the challenges of today’s digital age. After four years of debate, the new regulation was adopted by the Commission, the European Parliament and the Council of the European Union in 2016. The dense text (173 recitals, 99 articles, 88 pages) contains 50 references to provisions at the national level, and France maintains its 1978 Data Protection Act alongside it. Although the new regulation only becomes applicable in May 2018, the French National Commission on Informatics and Civil Liberties (CNIL) considers its principles already applicable and is requiring, from now on, that they be applied. The following example and reminder highlight, on the one hand, the challenges of data protection and, on the other hand, the importance of the new regulation, which provides a framework for it, and of its strict follow-up.
• Yahoo’s large number of advertising partners (over 400), combined with the data processed by Facebook, gives an idea of the extent of data processing that exists today in every sector, connected or not.
• The data protection obligations enforced by the CNIL concern individuals personally: as employees, but also as citizens, consumers, parents, etc. This reminder is a lever for convincing employees, within companies, of the value of complying with and following the regulations.
The main principles of the European Regulation
• The extraterritorial scope of the Regulation is extended: a company is subject to the European regulation not only when it is established in the European Union but also when it offers goods and services in Europe or monitors the behavior of citizens of the European Union. For example, in the context of research, a pharmaceutical laboratory based in the United States that is responsible for the processing (the data controller, RT) is subject to each national law in the European Union.
• As regards the legal basis for processing data, the concept of consent is strongly reinforced. Where the legal basis is the consent of the person, the obligations are more stringent: an active, voluntary act by the person, the obligation to be able to prove the consent, and the establishment of traceability and retention of the consent.
• Health data is defined broadly. In addition, one provision of the Regulation defers to national law: Member States may maintain or introduce additional conditions for health data.
• The basic data processing principles of the Data Protection Act (I & L) are carried over, together with an obligation of transparency. For processing to be considered compliant, absolute transparency towards the data subjects is required. In addition, the data must be limited to the purpose of the processing (a question to ask continually: “Is this data absolutely necessary to do my job properly?”).
• The security and confidentiality of data, already obligations under the I & L Act, become founding principles.
• The controller (RT) is responsible for compliance with these principles and must be able to demonstrate it.
• As regards processors (subcontractors, ST) and their compliance with security instructions, the Regulation adds many new obligations, with a division of responsibilities.
• The designation of a Data Protection Officer (the equivalent of the I & L correspondent) becomes mandatory in certain cases (regular and systematic large-scale monitoring, large-scale processing of special categories of sensitive data). This applies, for example, to companies that handle pharmacovigilance data or that sponsor research. The officer is bound by professional secrecy, reports to the highest level of management, and has an additional mission of monitoring compliance.
What obligations for data controllers?
• Accountability principle: the obligation to comply with the rules governing processing and to be able to prove that compliance.
• Data protection by design: the obligation to put in place appropriate technical and organizational measures from the design stage and throughout the life of the processing (and therefore at every update of the processing or of the regulation). This means implementing the data protection principles effectively, with the safeguards necessary to meet the requirements of the Regulation and to protect the rights of the data subject.
• Data protection by default: protection applies by default at all times, from the design of the processing to the deletion of the data. This means minimizing as far as possible the amount of data collected, the extent of the processing, the retention period and the accessibility of the data.
• Data security: as a basic principle, security remains an obligation. It is therefore mandatory to put in place appropriate technical and organizational measures that ensure a level of security and confidentiality appropriate to the risk (the risk to the privacy of individuals must be identified and assessed according to its seriousness). Note that documentation is essential here (to justify the choice of each measure to the data subject or in the event of an inspection).
• Notification of personal data breaches to the CNIL, and in certain cases to the data subject, within 72 hours: the obligation to provide a set of information such as the impact on individuals, the causes of the breach, the measures taken, etc.
• Relations with processors (ST): the obligation to have a subcontracting clause with any processor of personal data (the clause states that the processor puts in place the appropriate security measures).
What about the rights of individuals?
• The Regulation introduces new rights such as the right to restriction of processing (for example, where a person has exercised his or her right of access and notices errors, the processing is restricted, or “frozen”, for the time needed to carry out the required checks). As regards the right to information, new elements must be communicated to the data subjects (the legal basis for the processing, the legitimate interest relied on, etc.).
• Individuals have the right to lodge a complaint with a supervisory authority, a right of remedy against a supervisory authority, a controller (RT) or a processor (ST), and the right to obtain compensation for the harm suffered. There is thus both a strengthening of the obligations of controllers and an extension of the rights of individuals.
What powers for the authorities?
There is a shift from a regime of prior formalities to a more efficient compliance regime: a transfer of responsibility. The foundations of this new regime are the record of processing activities (an internal inventory of all existing processing operations) and the conduct of impact assessments.
In conclusion: the CNIL will, in principle, receive fewer formalities, but this frees up time for ex post inspections; it will therefore be closer to processing operations, closer to the public, and more efficient.
Claire GREVOT, Freelance Journalist