Why Master Data Management is the Foundation for GDPR Compliance
As organizations improve their processes to comply with the General Data Protection Regulation (GDPR), let me first say this: there is no silver bullet.
For many life sciences companies, the requirements for transparency, privacy, and consent present a significant operational and compliance challenge. However, having accurate and clean customer master data is an essential starting point – and having a modern master data management (MDM) system is the foundation for GDPR compliance.
Under GDPR, customer master data that life sciences companies process and manage for sales and marketing purposes typically falls into the category of “personal data.”
Ensuring that this information is always accurate and up-to-date is critical to GDPR compliance, but many companies still have fragmented customer data. Often customer profile data is entered and managed from multiple sources and held across multiple systems, increasing the likelihood of duplicate, inconsistent, or inaccurate data – all of which create a GDPR compliance risk.
Visibility of where, how, and why healthcare professional (HCP) personal data is used by any downstream systems, and the ability to link this information to the source, are critical to meeting GDPR requirements. If your customer master data is inaccurate in the first place, then it is nearly impossible to be GDPR compliant.
Let’s consider a few examples:
No integrated master data
The right to erasure, or “right to be forgotten,” is a key requirement under the GDPR. For life sciences companies, this means that if requested by an HCP, they must delete all personal data for that individual. Without integrated master data, life sciences companies have little or no visibility of which downstream systems are processing an HCP’s personal data. This means that, should an HCP exercise his or her right to erasure, it will be difficult to guarantee that all personal data has been removed from all of your systems.
Data subjects also have the right to rectification under GDPR, which means that life sciences companies must rectify inaccurate or incomplete data on request of an HCP. If your master data is fragmented across your systems, the chances are high that you will not be able to properly correct all records.
Outdated, inaccurate, or duplicated customer reference data
Under the GDPR, individuals are granted the right of access, which means that on request of an HCP, life sciences companies must provide a copy of the personal data in their systems. Needless to say, if your master data is outdated or inaccurate, you will provide the wrong information. Should you have unresolved duplicates, it will be almost impossible to decide which record you should provide back to them.
Meeting the GDPR requirements for consent capture and the right to be informed will also be difficult: with unresolved duplicates, life sciences companies risk sending multiple notifications to the same HCP or capturing inconsistent consent information.
It’s clear to see that without the right tools and processes in place to enforce data governance, compliance with GDPR will be difficult. So, what’s the solution? While an MDM system is not the silver bullet, it can be an integral piece of the puzzle. By providing a “single source of the truth” for customer master data, using proper governance and data access controls along with strong data matching and merging capabilities to prevent data duplication and inconsistency, an MDM platform can provide a solid foundation for building your complete GDPR compliance solution.
In part two of this blog, I will explain how the Veeva Network Master Data Management solution provides foundational features and functions that support your GDPR compliance. I will also look at why having an MDM platform that leverages consistent, accurate data sources and is integrated with your CRM solution is also important for your GDPR compliance.