GDPR Implementation: What You Need to Know
As Veeva Senior Counsel and Data Protection Officer, the General Data Protection Regulation (GDPR) has been on my radar for a long time. I’ve had many conversations both internally and externally with our customers across the globe about its impact. What I’ve come to realize is that GDPR presents a genuine opportunity to improve your business, become more efficient, and create better relationships with your customers by operating in a way that fosters trust and transparency.
Here’s what you need to know about the GDPR – and how to prepare for it.
What is GDPR?
GDPR is an overarching data protection law that applies to all European Union (EU) residents from 25 May 2018. It concerns personal data, which is data that directly or indirectly identifies a person residing in the EU. It applies to any company or entity that markets goods or services to EU residents.
Put simply, it’s a shift to make companies more accountable for the way they process personal data. The previous data protection directive, which dates back more than 20 years, required companies to register with the relevant authorities in each of the markets where they operated. It was complex to manage – particularly for global companies. While GDPR creates more responsibility for organizations, it also allows companies more flexibility to decide how they manage personal data according to their particular business case.
What are the main implications of GDPR?
One of the key changes with GDPR is that it creates shared responsibility and liability between the data controller and the data processor. Previously, responsibility was primarily on the data controller (the entity responsible for collecting the data) but not on the data processor (companies such as Veeva who provide software that leverages data).
GDPR puts the data controller and data processor on equal footing. It strengthens the requirements of processors to process data and creates a joint liability in the event of any violation. There are strong penalties for non-compliance that can amount to 4% of global annual turnover or €20 million, whichever is greater.
How can you prepare for GDPR?
One of the requirements under GDPR is that each organization should have a data protection officer. So if your business doesn’t have a data protection officer, you need to appoint one. Then, you can start to discuss the way your business processes data and how you want to demonstrate compliance. Having stakeholders from different parts of the organization is critical in those discussions as data protection impacts sales, marketing, HR, and many other internal processes. It really is a business-wide issue.
My advice is to consider GDPR as an opportunity to assess how your company processes data. Data in the past has been stored in various siloes. GDPR can be an internal housekeeping exercise to identify what kind of data you have and what kind of data you need. There is a principle of data minimization under GDPR, which means there’s no reason to keep more data than necessary for the purpose for which it was originally collected.
Once you do this data-mapping exercise, you can see where data has not been used to its fullest potential. This will be an advantage to GDPR compliance: the opportunity to better use your data, to better engage with your customers, and to reduce unnecessary data.
What is Veeva doing in relation to GDPR?
We play an interesting dual role as a data controller for Veeva OpenData and Veeva Oncology Link data products and as data processor for the rest of our product suite. One of the major changes under GDPR is to make sure that our obligations of transparency, breach notification, record-keeping, and data transfer are all very clear in our customer agreements. So one of the main things we’ve been doing is working with our customers to make sure that we are aligned on GDPR.
Where can you learn more?
At our Veeva European Commercial & Medical Summit later this month, there will be two sessions on GDPR. This includes a deep dive workshop where we’ll discuss grey areas within GDPR and brainstorm possible solutions to hotly debated topics such as data retention and breach notification. I look forward to seeing you in Madrid. And please invite your data protection officer and legal counsel. More information on registration is available here.