On 25 May 2018, the GDPR came into effect across Europe, changing the rules for how personal data is handled and protected throughout the continent. Because it regularly deals with personal medical records, the life science industry has been one of the market sectors most affected by the change. Two years later, what do we know about staying compliant, and what is the best way to do so?
The GDPR - a brief background
The GDPR is European legislation designed to replace the patchwork of earlier data protection laws and restrictions across Europe. It imposes new rules while preserving some familiar ones, with the aim of protecting consumers from online abuse. It covers data control, access and security measures, making data protection law more consistent across Europe and simpler for businesses operating across the union.
Each country has its own authority responsible for regulating the GDPR and enforcing compliance. In the UK, for example, the Information Commissioner’s Office (ICO) holds this responsibility.
As with previous data protection laws of its kind, the GDPR focuses on how personal data is stored, protected and used.
What counts as personal data according to the GDPR?
According to Article 4(1) of the GDPR:
‘“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
In other words, personal data is any information that relates to a private individual, such as an email address, phone number, ID number or physical address, to name a few identifiers. For the life science industry, this definition therefore extends to patients’ medical records.
An Obligation of Protection
The GDPR places the responsibility for protecting personal data, such as medical records, in the hands of the organisations that manage it. Life science companies are now obliged to safeguard the personal data of individuals.
When a security breach occurs, the organisation must notify the supervisory authority within 72 hours. Failure to do so could result in a fine of up to 20 million euros or 4% of global turnover.
In addition, consumers can use the GDPR to claim compensation from data controllers or processors that have infringed the regulation or their rights, for the damage they suffered.
The Challenges for Life Science Organisations
Life science organisations are in a particularly precarious position when it comes to protecting personal data, both because of the sensitive nature of medical records and because they are high-value targets for cybercriminals.
The nature of medical records and the GDPR
Medical records are, by their very nature, highly personal, and the GDPR takes this into account.
When assessing the gravity of an offence, the GDPR takes into account:
- Nature, gravity, quantity and duration of the offence
- Whether the offence was intentional or a result of negligence
- Steps taken to mitigate potential damage
- How responsible the regulator was about the non-compliance
- Adherence to a particular code of conduct
Given the personal nature of medical information and the sheer volume of records handled every day, life science organisations have to contend with the potential for thousands of severe offences.
Life sciences are a prime target for cybercrime
To complicate matters, life sciences are among the most threatened industries. High revenues, extensive expenditure, highly sensitive intellectual property, trade secrets and a near-total reliance on technology make them a prime target for cybercriminals.
According to Deloitte, almost 20% of companies in the pharmaceutical sector have been attacked between 7 and 15 times, and the UK Government has identified the life science industry as the main target of IP theft.
Under the GDPR, life science organisations that fall victim to cybercrime must still face the consequences. In the eyes of the regulation, these organisations should have taken extra care to protect personal data, which increases the likelihood of a hefty fine.
The best way life science organisations can protect themselves
Ultimately, it is the responsibility of life science organisations to adhere to the GDPR, and being able to demonstrate accountability under it is essential. Provided they can offer evidence of their intention to comply, regulators should look more favourably upon any offences the organisation incurs.
The single best way for life science organisations to protect themselves from cybercrime and stay GDPR compliant is to control their data: where it goes and who sees it. Next-Generation Internet services such as Anapaya’s offer this control, along with additional security measures that help organisations stay compliant and secure.
How Anapaya helps
Anapaya’s connectivity solutions give life science organisations the ability to select which networks their sensitive medical data passes through. For example, if they wish to avoid certain geographical areas, they can route around them, or avoid poorly regulated locations and networks entirely.
Anapaya’s solutions are also completely immune to routing attacks (BGP hijacking), with information only ever sent through legitimate networks. This gives organisations that handle sensitive information, such as pharmaceutical businesses, peace of mind whenever they connect, transmit or receive data.
Anapaya also mitigates potential GDPR offences, addressing three of the five factors considered when assessing a data breach, namely:
- The steps taken to mitigate potential damage
- How responsible the regulator was about the non-compliance
- Adherence to a particular code of conduct
These benefits mean that any organisation seeking protection from cybercrime, and with a requirement to adhere to the GDPR, would do well to protect itself by using Anapaya’s Next-Generation Internet services. Businesses that participate benefit from unprecedented security, reliability, compliance and control.
Stay compliant, stay secure
Cybersecurity is a top concern for life science organisations today. It can mean the difference between a thriving business and a defunct enterprise. Anapaya’s Next-Generation Internet services are the key to staying compliant with the GDPR and safe from cybercriminal activity.
If you would like to gain control over your data, stay compliant with the GDPR and protect yourself and your patients from cybercrime, explore our website to find out more or contact us today.
Olivier Moll
French to the core, Olivier loves cooking and travelling with his family.