For Life Sciences Companies, GDPR is Now Law.  Have you made a ‘Good-Faith Effort’ to comply?

For Life Sciences Companies, GDPR is Now Law. Have you made a ‘Good-Faith Effort’ to comply?

The General Data Protection Regulation (GDPR) consolidates existing European state-based laws into a single set of requirements for the collection and processing of personal data of individuals within the European Economic Area.

The GDPR took effect on May 25, 2018 and applies to companies established within and outside the EU that process personal data of EU-based individuals, including U.S.-based companies that process such data and offer goods or services to individuals within the EU, and/or monitor the behavior of data subjects within the EU.

Understandably, it may be difficult to know how GDPR affects your organization. In this blog post, we offer six scenarios to understand what determines if a company is “in scope for GDPR.”

In the life sciences industry specifically, GDPR applies to you If you process personal data of a resident of the EU.  This can occur from but is not limited to the following:

  • Conduct clinical trials in the EU; or
  • Provide targeted pharmaceutical advertisements within the EU to draw EU residents to the US for goods or services; or
  • Export clinical trials subject data from the EU; or
  • Process Adverse Event information for EU residents
  • Collect information directly from EU residents through patient engagement and connected health and connected device programs
  • EU resident customer service operations

Use anonymized data related to clinical trials performed in the EU; process or collect genetic or biometric data from individuals in the EU; or have connected health programs that collect sensitive data for EU residents.

What is the difference between HIPAA and GDPR?

There are similarities between GDPR and the U.S. Health Insurance Portability and Accountability Act (HIPAA), and being HIPAA-compliant can go a long way toward meeting the GDPR requirements. However, GDPR is far more rigorous and comprehensive, and adherence to HIPAA standards does not equate to compliance with GDPR.  Important differences include those described below.

Coverage Pertains to U.S. residents Pertains to EU residents
Protected Health Information (PHI) Information that can lead to patient identification, including but not limited to name, date of birth, social security number, telephone number, full-face photos, biometric data Has a broader reach and includes “sensitive personal data” such as racial or ethnic origin
Consent No such requirement but data must be stored and transmitted in a secure manner Mandates patient consent to process and store personal data
“Right to Be Forgotten” No such requirement A patient may request a hospital to erase his or her patient record
Third-Party Handling Limited information may be shared without patient consent Requires patient consent
Data Breach Reporting Notification within 60 days if the breach involves 500 or more individuals; otherwise, within 60 days of the end of the calendar year in which the breach occurs


Note: Many U.S. state laws have adopted HIPAA principles and require notice privacy in as few as 14 days.

Notification within 72 hours of any personal data breach


What are the risks of not being compliant?

The GDPR can impose stiff fines for non-compliance. The amount of the fine depends on several factors, such as the scope of the data breach and whether it was unintentional or negligent but could reach 20 million euros or 4% of annual global revenue.

The financial risk resulting from a data breach is heightened under GDPR because data owners are liable if one of their partners is deemed to have failed to meet the GDPR obligations. Thus, companies now face the burden of validating that all third-party entities that access protected data are also compliant with GDPR.

Mitigation of risk: Meeting the “Good Faith Effort” standard

When the International Association of Privacy Professionals surveyed European and U.S. organizations, only 40% were expected to be compliant with GDPR by the May 25 deadline. However, comments from EU data protection authorities indicate that companies not in compliance can mitigate against the consequences and sanctions by demonstrating a good faith commitment to meeting GDPR requirements.

Based upon our analysis, the basic components of a good-faith commitment should include the following.

  • Enterprise Assessment with Gap Identification: Identify possible risks, vulnerabilities, and control effectiveness, and put in place an action plan to address gaps in a timely manner. Involve key stakeholders and a Data Protection Officer in this process. Note: A often overlooked channel in compliance assessments is the mobile platform which highlights the need for a business-process-focused assessment, not just an IT risk analysis.
  • Remediation Program: Create a diverse set of projects and activities to address assessment gaps. The program should be sufficiently and appropriately staffed to ensure remediation can be completed in a reasonable amount of time.
  • Demonstrated progress: While a plan is necessary, demonstrated progress in achieving your compliance plan can be critical to satisfying GDPR regulators that a good-faith effort is underway. Evidence of such progress should include a showing that:
    • You have determined which EU state regulator will be your reporting agency in the event of a breach.
    • You have appointed a Data Protection Officer to oversee GDPR compliance (your current HIPAA privacy officer may be appropriate for this role).
    • You have implemented a patient consent process for current and past information collected.
    • You are reviewing and refining third party contracts to address the new compliance standards with an implementation plan outlined; this may coincide with contractual renewal or may require acknowledgement of renegotiation if the contract is long term).
    • You have prioritized compliance efforts to critical third-party providers such as CRO’s, customer service and pharmacovigilance providers.
    • You have updated internal and third-party data breach policies to meet the GDPR requirement of 72 hours notification.

Next Steps

The important takeaway from this article is that making and documenting a good-faith effort to achieve compliance with GDPR is critical to avoiding harsh financial penalties for any inadvertent PHI data breaches that may occur down the road.

Contributing Authors: Vishnu Dwadasi, Roland Nassim, Alyssa Nagy, Danielle Caldwell, and Mike Chada

Phone: 312-602-4000
222 W. Adams
Chicago, IL 60606
Show Buttons
Share On Facebook
Share On Twitter
Share on LinkedIn
Hide Buttons