The GDPR and the supply chain

A view of the Pharmaceutical world

Paul Malyon

I was recently lucky enough to present to a group of Pharmaceutical organisations at an industry event in Södertälje, Sweden. They were concerned about the arrival of the GDPR and what it could mean for the data held within their supply chains – which are complex to say the least!

I thought it would be worth summarising my discussion with this group as the issues facing the pharma industry will be similar for any organisation that has a complex supply chain of ingredients, parts or products – for example, manufacturing and retail.

Personal data is personal data

The main question that came up was around the ‘Rights of the individual’ that the GDPR requires organisations to be conscious of: erasure, access, portability, rectification and so on. The organisations represented at the event had questions around whether their business partners should be able to request access to their data or have it erased – in short, they should have the ability to do this. An individual who is a business person has the same rights as an everyday consumer.

Clearly, enabling ‘Subject Access Requests’ (SAR) and being able to explain what is done with data (including who it is shared with) is a challenge for many organisations. The complexity of the pharma supply chain is likely to require a great deal of work to understand the data flows, policies and processes that currently govern personal data and whether any changes to these (or the supporting technologies) are required to both honour the rights and minimise the burden on the business.

Rights and Principles

By now, most readers will know about the ‘Rights of the individual’ and the key Principles of the GDPR.

Of interest to the attendees were those rights that would likely require some investment in technology and processes. Key thoughts and questions included:

  • Are we informing our supply chain partners of what we do with their data?
  • Can our supply chain partners access their personal data easily?
  • What about the conversation notes in our CRM, do these count in the event of a SAR?
  • Should we be proactively updating data to avoid errors in the event of a company moving or changing in some way?
  • Can people in our supply chain object to us using their data for one purpose or another? How would that work in practice?
  • Are we minimising data on a regular basis to remove old and potentially inaccurate information?
  • How long can we store data for?

It’s going to be up to each organisation (and perhaps industry where similar suppliers or data standards are used) to decide how to prioritise the rights of the individual where this was perhaps not a priority in the past. In this scenario, the way that the GDPR now encompasses B2B data means some work will need to be done.

Will a predominantly B2B sector like the pharma industry invest in the kind of tools that we are becoming familiar with in the B2C space such as preference centres, permissions platforms and customer data portals?

That remains to be seen. I certainly got the sense that this is a debate that needs to be had in the industry but that, in the short term, they will be putting focus on their existing tools, training and processes to ensure they can honour the rights of the individuals whose data is within the supply chain. They may not receive as many requests for data access, erasure etc. as your average consumer-facing brand, but the fact that this is a new requirement for them means that disruption to business as usual is a risk.

Controllers and processors

One of the other areas that may need some action in pharma and other industries is the issue of data controller, data processor and contracts between the two.

In a pharma supply chain or medical trials scenario, data is shared amongst a large network of organisations with the contractual governance of the data potentially being patchy – relationships between businesses, labs and other parties have been around for longer than some of the data privacy considerations that are now critical in a GDPR world. Who collects the data? Are they the controller? Is it clear who the processors are, what purposes they can use the data for, and what happens to the data once their part has come to an end?

Is there a risk that the personal data of a trial subject could be held by a lab long after the trial is complete and the drug has launched? Are there any implications to their privacy?

If contracts don’t have a clear definition of which entity is the controller, this could make things complicated down the line in the event of an erasure request. In addition, under the GDPR, processors have their own duty to manage data in a compliant manner. Clearly, there is much to consider, and the organisations I spoke with have this contractual piece high up their agenda – thankfully, as their market is heavily regulated, they are used to these kinds of challenges.

Other data issues

More widely, there could be risks posed by the personal data of patients used in clinical trials – whilst not central to the event I attended, it certainly came up in my reading around the subject. For example, could the demographic details used within trials lead back to an individual when combined with other information? Are the right legal bases in place to control use of the data? Can an individual object further down the line? Could the unique ID used on a pack of drugs lead back to the patient? There are a wide range of questions that the industry needs to tackle both from the professional side (i.e. supply chain supplier data) and medical side (i.e. trials and patient data).

Additionally, pharma companies will need to consider how they process the data of healthcare professionals and whether the correct legal bases are in place for the processing and any eventual marketing of new products to them.

In short, as with any industry, the GDPR poses some questions to pharmaceutical companies. Their uniquely complex supply chain means that work will be needed across the globe – this could be challenging. They also need to consider what personal and sensitive data may be present in their own and their partners’ data estates – business people, healthcare professionals and patients.

Preparation into BAU

As I write this, GDPR enforcement on the 25th May is imminent, yet it’s clear that the journey is still to be completed. What I found most interesting during my time with these organisations is that, whilst knowledge of the GDPR is strong in consumer-facing areas of businesses, not everyone has had the same level of training and awareness.

B2B scenarios still need to be fleshed out, supplier data may not have been looked at in as much detail as consumer data, and data accuracy in the B2B arena has not had the historic attention that it could have had. In short, the people on the ground in supply chains may need additional support to bring their parts of the business into line. This even goes for industries that are used to regulation.

It’s not the end of the world – taking pragmatic steps to identify the gaps in process, training, technologies and data accuracy can still help flag those priority actions. In my world of data quality, a Data Readiness Assessment should form part of that initial scoping exercise or as a check in on progress so far.

Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.