Data Privacy, Consent Collection and Management: A Roadmap Toward Full Compliance
Feline Smeenk, Global Compliance Manager
Mar 28, 2019

Imagine losing the ability to engage with your audience because you don’t have documented consent to communicate. This is a situation that businesses are actually facing in response to global data privacy requirements, such as GDPR and a number of regional laws being enacted around the world.

The EU General Data Protection Regulation (GDPR) went into effect in May 2018 with new requirements applying to companies that collect, store or use the personal data of EU citizens. While GDPR is already enforceable law, the regulation is still top of mind for many data privacy and compliance officers, who are struggling to meet its demanding and complex requirements.

GDPR was enacted to strengthen data privacy rights for EU citizens. But what does it mean for companies outside the EU? The short answer: if your company does any form of business with EU customers, GDPR applies whenever you store, process or share their personal data.

Under GDPR, consent is one of the legal bases for lawfully processing personal data. The guidelines set a high standard for consent and require that it must be freely given, specific, informed and unambiguous. For organizations, the implication – among others – is that they need to have the ability to store and manage the consent for the use of personal data. This includes the ability to allow individuals to access, modify, or withdraw their consent at any time.

The management of consent introduces complexities for organizations, including how to organize the operational processes for ensuring full compliance in an effective and efficient manner. As Life Sciences companies create and refine their systems for GDPR compliance, it is helpful to have a pragmatic framework to develop processes and improvements. The questions below serve as a useful roadmap on the journey toward full compliance.

Have you successfully identified all sensitive data? Data is usually scattered among many systems, IT applications and sources across an enterprise. This is especially true for larger companies, and those that have grown by acquisition. Due to the number of different roles EU citizens could play in an organization (clinical trials participant, healthcare professional, partner, employee, supplier, etc.), it is unlikely that personal data will be restricted to one department or system. Organizations with more diverse IT systems should not only consider data in networked applications but also offline sources such as spreadsheets.

Are you confident that consent was rigorously and properly obtained? After determining what data is in your possession that falls within the scope of GDPR, you must assess the basis for processing each category of information. If you are relying on consent as the legal basis, you should determine if that consent meets all requirements set forward by GDPR.

Do the data subjects know you are storing their data? When personal data is collected from an individual, a company must provide privacy information at the time the data is obtained. This mandate, often called the right to be informed, covers a key transparency requirement of GDPR. Many organizations have sent privacy policy updates; however, companies must also define triggers and processes for any new contacts with whom the organization has recently engaged.

Do you have documented proof of consent? When consent is the legal basis for data processing, the onus is on the company to demonstrate that the data subject has given consent. Guidelines emphasize that consent should be obtained through electronic methods, such as emails or electronic signatures, that provide a clear, demonstrable trail. This is of course not the case with oral agreements or consent given by manually signing a paper document, unless they can be electronically 'loaded' into a platform so they are accessible and modifiable in the future.

Can you easily maintain compliance across your operational ecosystem? Once you’ve uncovered your sensitive data, and obtained and documented consent where necessary, the work has just begun. Personal information for EU citizens is likely flowing into your IT infrastructure daily. To eliminate duplicative efforts and ensure compliance, an interface linking these systems for streamlined compliance is advisable.

In addition to GDPR, companies should monitor data and e-privacy regulations around the globe. In Asia-Pacific, some countries have specific consolidated laws to address data privacy. Examples include the Act on Protection of Personal Information (APPI) in Japan, the Personal Information Protection Act (PIPA) in South Korea, and the EIT Law in Indonesia. Furthermore, the recent passage of the California Consumer Privacy Act highlights the growing global trend toward data privacy protection.

IQVIA’s experts can identify areas of your business that will be impacted by new data privacy requirements and obligations. Through a customized end-to-end risk assessment, our consultants can evaluate your organization’s current practices against GDPR and other requirements with a focus on process development, best practices and organizational need. We can then provide a roadmap for success that shows you how to efficiently implement and manage the ongoing process.

To further your successful journey toward full GDPR compliance, our managed services team can take ownership and accountability for your consent collection through multi-channel campaigns, including e-mail, call centers, and print mailing initiatives. Finally, we provide IQVIA Consent, an innovative software solution, designed to operationalize compliance with global data privacy laws. Using a single online platform, internal and external users can give, modify, revoke, or store various consent types, including consent for disclosure and e-mail use.
