How GDPR Affects HealthTech Companies

Darshan: Today's talk is going to be about GDPR and how that applies to pharma companies, to health tech companies. If you are a owner of a pharma company, how does it apply to you? If you are a general counsel for a pharma company, how does it apply to you? Narrator: This is the DarshanTalks Podcast, regulatory guy, irregular podcast with host Darshan Kulkarni. You can find the show on Twitter @darshantalks or the show's website at darshantalks.com. Darshan: So, GDPR, it's sort of, you've probably heard about it because we all got a bunch of different emails from Google and from Yahoo and from whatever else you use because a lot of those companies make their money by keeping information. GDPR is the mutually agreed General Data Protection Regulation. Came into effect on May 25th, 2018, and the idea was they would modernize laws that protect personal information of individuals. The goal was to harmonize data protection laws across Europe and give greater protection and rights to individuals. Darshan: That's all well and good, and that's great. Actually, I'm a huge advocate of privacy, but there are problems. The problem is that they haven't clarified what this means, or the penalties have started coming in. If the penalties are already coming in and you don't know what it means, that seems unfair. Let's talk a little bit more about what GDPR is and how that applies to you. Darshan: So, the goal of GDPR again was to protect consumer data and how it actually impacts businesses. The question is, are U.S. companies exempt from GDPR because of what's called the Data Shield or not necessarily because there are some rights around transferability of information? The consumer does also get the right to transfer personal data from one company to the other. So, that becomes a new right under GDPR. The consumer also gets the right to access their information so that they know what you know, and you have a certain amount of time as a business to produce that information. Darshan: If you are a consumer, you get the right to correct the information that the company has. So, you can just, as a company, be like, "I'm going to ignore you." One of the most famous things that came out of GDPR was the "right to be forgotten." The right to be forgotten was the idea that at a certain amount of time, it goes from becoming information about me, which would be in the cloud, is detrimental to me, and I have the right to be forgotten by these systems. Darshan: Then, there's the right to consent. Essentially, you, as a company, need to get my consent to be able to obtain, process my information. Part of it may all ... This is a huge undertaking, and you may need a data privacy officer to make all of this happen. So, one of the big overarching questions is, do patients own their own data under GDPR? No. The question is actually sidestepped. Patients may be able to control their data. There's no answer about whether they own their data, but meaningfully, what do you get different? The answer might be you might be able to get paid in exchange for that type of control. We aren't there yet, but CCPA is making some steps in that direction. Darshan: So, why should I care? Does GDPR matter as a pharma company CEO? The final framework suggest that penalties could be up to $20 million, up to 4% of the total global turnover of the preceding year, whichever one is higher. So, if you are a large company, those penalties could be hugely problematic. So, yes, you should probably care about GDPR. Darshan: So, the next question is, "Well, I'm a U.S. company. How is this that different from HIPAA?" First of all, wrong country. GDPR primarily applies to Europe. Number two, GDPR does this whole controller versus processor thing. In clinical trials,