How should healthcare market research agencies tackle GDPR?
An interview given by Data Privacy Professionals on January 28, 2018 (“Data Privacy Day”) on the impact of GDPR on healthcare market research agencies
Introduction
On the occasion of the worldwide Data Protection Day (28 January), a healthcare market research agency, strongly concerned with GDPR compliance, asked itself what the effects of this new regulation would be on market research agencies. As part of this reflection, Pascal Thisse, a data protection expert for 8 years and CEO of “Data Privacy Professionals”, kindly answered their questions.
Interview: healthcare market research
Healthcare market research agency:
GDPR (General Data Protection Regulation) will apply to all companies from May 25, 2018. My first question is: what are the main challenges, in your view, for healthcare market research companies in the context of compliance with GDPR?
Data Privacy Professionals:
The first one is that data processing is part of their core activities and not an ancillary activity. The second characteristic is that such companies process personal data on a large scale. The third characteristic is that they process special categories of personal data, commonly called “sensitive data” (e.g. healthcare data). The last characteristic is the potential processing of personal data of vulnerable persons, i.e. children, patients …
So we have four characteristics.
The first challenge, considering these four characteristics, is that a Data Protection Officer (DPO) is mandatory.
Healthcare market research agency:
This is an obligation then. Those companies must have a DPO.
Data Privacy Professionals:
Yes, they must have a DPO. The DPO is mandatory in this case. It is relatively clear.
The second challenge is that GDPR will be effective from 25 May 2018 onwards. That leaves us with 4 months. They must launch a data privacy program within a relatively short period of time, in line with regulations, including GDPR.
This is therefore the second challenge: the timeframe is relatively short and a substantial effort is required to launch a data privacy program. They will need to do that quickly.
Healthcare market research agency:
Are we talking about companies, or company profiles, that present an increased, or at least a slightly higher, risk than other types of companies?
Data Privacy Professionals:
Yes. There is no doubt in that regard. The first risk is the financial risk, to start with. In case of non-compliance, the fine might be up to 4% of the company’s overall turnover or 20 million euros (whichever is higher). With such companies, the sanction might be made public by the data privacy authority. That would severely damage the company’s reputation.
Another point is the operational risk. The people involved (data subjects) can more easily make requests such as access (right of access), rectification (right to rectification) and personal data erasure (right to erasure / right to be forgotten) from May 2018. Therefore, data subject requests could accelerate from this date.
For this, companies will need adequate resources, in terms of IT and/or human resources, in order to respond to such requests.
This is one of the major risks.
To conclude, the financial risk is related to the operational risk. Is this something that will be specific to market research? Yes and no… It is specific in the sense that market research companies process sensitive data. A non-conformity could definitely damage their reputation, notably in the case of a “data breach”. I think that is the main risk.
Healthcare market research agency:
Based on the data gathered, we are talking about healthcare data, and companies’ communications with healthcare professionals, sometimes with patients, regarding diseases that are “sensitive” and have sensitive characteristics… Is this also an additional risk compared with other types of activity?
Data Privacy Professionals:
Regarding sensitive data, the regulator has not differentiated between healthcare data that I would call benign and something more significant. By benign, I mean something like taking a very common medication such as Doliprane. There might be more significant things, like someone suffering from multiple sclerosis or a rare disease, etc. Such differences are not explicitly made in the regulation when it comes to healthcare data.
Perhaps it is worth considering that companies make the distinction themselves, in terms of data taxonomy or typology/classification.
Healthcare market research agency:
Which highlights the importance of the DPO in the company… or rather of the DPO’s role.
Data Privacy Professionals:
Absolutely.
Healthcare market research agency:
We have listed the different challenges and mentioned the risks for these companies. What would be the first piece of advice that you would personally give to these market research companies specialised in healthcare, in order to “live through” the GDPR properly?
Data Privacy Professionals:
The first piece of advice is that, given the risks we have just mentioned, it is clearly necessary to seek help from consultants specialised in data privacy. Data protection is not something that can be improvised. It also covers different aspects: a legal aspect; a technical/technological aspect (including knowledge of the IT system); and an operational aspect, embedding data privacy principles/processes within the organisation. They need to have the relevant people, able to understand data privacy concepts.
The second piece of advice is that they should not think that 25 May 2018 is the end of the story concerning their involvement in “data privacy” matters. It is actually the opposite. This is the beginning of the story regarding “data privacy”. They must keep that in mind. While May 25, 2018 remains an important deadline, it should be viewed as the beginning of the new “data privacy” paradigm and its associated compliance.
Healthcare market research agency:
In a sense, what it is going to change is… the behaviours, the way of working within the company, right?
Data Privacy Professionals:
Absolutely. It means that employees might have to change their attitude regarding the way they process personal data. Therefore, the overall environment is going to change. They really have to understand this notion of GDPR as something that will remain with the company all the time. It is going to be a new challenge for the company, but it will remain this way forever. It is not something that will stop. It will remain in place.
Healthcare market research agency:
Do you have other comments or pieces of advice that we have not covered, and that could be added and be of interest to all market research companies?
Data Privacy Professionals:
Perhaps a last piece of advice: personal data is clearly an intangible asset of a company. It must be seen as such. They must capitalise on this, while complying with regulations, especially GDPR. The right balance needs to be found. That is why a DPO is needed: to find the right balance between capitalising on personal data and using it wisely, whilst at the same time making sure the company respects regulations.