
GDPR seven years later: Compliance in the pharmaceutical industry

Posted on 15 July 2025

Data privacy protection took a giant leap forward on May 25, 2018, and pharma leaned in to make sure it stayed on top of an ever-changing data landscape.

Ever since the General Data Protection Regulation (GDPR) came into effect, the industry has developed more robust data protection frameworks while continuing to navigate unique compliance challenges. As Christie Dougherty, associate director of ethics and compliance at Alnylam Pharmaceuticals, noted at a recent Pharmaceutical Compliance Congress panel, many companies operate outside of the US, so keeping up with GDPR, as well as other countries’ similar regulations, is a challenge.

“This is why people typically will think of privacy as being an evolving landscape, especially in the US…in general, 79% of the world’s population is covered by some kind of data privacy law.”

Specifically, for pharma, the unique GDPR compliance challenges surface around the following:

  • Consent management: Article 9 of the GDPR requires specific consent for sensitive personal data, including genetic data, biometric data, and data revealing ethnic origin.
  • Clinical trial data: Pharmaceutical companies must balance regulatory requirements for clinical trials with GDPR compliance. A complete interpretation of the needs of clinical trials and research under the GDPR was provided by Viedoc in 2018, when the regulation came into effect, including the roles of CROs and sponsors.
  • Data security: Organizations are required to implement robust data security measures to protect sensitive patient information.
  • Healthcare Professional (HCP) data management: According to IQVIA, life sciences companies are obligated to capture and retain the consent of each HCP with whom they interact digitally and confirm HCP identity upon each instance of access to their digital channels.
  • HCP disclosure requirements: When relevant, payment or transfers of value made directly or indirectly to HCPs must be disclosed when the HCP can be identified, according to EFPIA.

This is only a short list. According to a recent Research and Markets report, the GDPR services market was valued at $3 billion in 2024 and is forecast to reach $16.8 billion by 2033, indicating significant growth in compliance services. This is based on increasing data breaches and cybersecurity concerns; consumer privacy awareness and expectations; and the aforementioned globalization of businesses.

Dougherty shared at the conference that she was with Alnylam when GDPR went into effect. “From the very beginning, we have used GDPR as the [data privacy] framework. And I think that that has served us well as our organization and our compliance and privacy teams have grown,” she said. She added that the many different state laws in the US are all framed slightly differently, but the core principles stated in GDPR remain the same.

“GDPR was written in a way that it is principles based. And I think that focusing on what the principles are and that were important to the organization makes it easy [for us] to be flexible and agile,” she said.

A note on cybersecurity

While GDPR sets the principles for data privacy protection, cybersecurity is also a data breach concern that falls within its scope.

Whether a pharma company places data privacy under a legal, privacy or compliance department, Dougherty said, “One of the most important things when looking at a data breach and potentially reporting to a data protection authority or to the SEC under the cybersecurity rule, you want to consider all of the discovery that goes on in a data breach investigation, and those communications should be protected by attorney-client privilege.” She said that is not necessarily what a compliance team can offer, but depending on the scale of the breach, there should be communications and legal protections as well.


Quotes have been lightly edited for clarity.
