Scientist.com implementing process to address global requirements ahead of GDPR
The business-to-business marketplace for research products and services partners with large and small pharmaceutical and biotechnology companies and contract research organizations (CROs).
To help both pharma and suppliers ensure compliance, the company is implementing a process to address the General Data Protection Regulation (GDPR). The new set of laws, which go into effect May 25, 2018, is intended to address personal data transfer from the EU to anywhere in the world.
“The steps to become globally compliant depend on the individual business, the jurisdictions they are operating in and the source of the personal information shared,” said Matt McLoughlin, senior director of compliance at Scientist.com.
“As there is no single global regulation regarding privacy,” McLoughlin told us the company is working with a legal firm to implement an improved, compliant contractual landscape to ensure that the data transfers through its marketplace are protected following GDPR implementation.
Preparing for GDPR implementation
There are various tasks companies should undertake to ensure they align with the new requirements, McLoughlin explained.
These include conducting a contract landscape review to ensure appropriate obligations are in place, updating policies (especially the privacy and cookie policies), and reviewing marketing processes and procedures, such as the collection of consents, he said.
“The main challenge faced by organizations is the complexity of the evolving requirements and the various interpretations,” he added.
Privacy Shield: Room for improvement
The EU-US and Swiss-US Privacy Shield Frameworks were designed to provide companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the US.
However, the frameworks – which are a part of the much larger GDPR requirements – do not protect the transfer of personal information between other jurisdictions, explained McLoughlin.
The European Commission recently wrote in a press release: "Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards."
McLoughlin said, “This active monitoring is vital to ensure the certification is not diminished in the eyes of the individuals it is designed to protect.”
To improve the framework, Scientist.com suggests that US authorities provide the Department of Commerce with more resources, such as personnel to retroactively monitor Privacy Shield-certified companies to ensure compliance – “so that only companies who are truly Privacy Shield compliant receive the certification,” added McLoughlin.