GDPR One-Year Mark: Lessons Learned

welocalize May 20, 2019

The European Union’s General Data Protection Regulation (GDPR) continues to challenge life sciences companies of all sizes worldwide, creating new concerns and responsibilities for the security and legal teams charged with ensuring data privacy compliance. Welocalize Life Sciences, a Welocalize company, looks at GDPR one year in and shares lessons learned and what lies ahead.


Transparency Promotes Trust

In an article for Pharma Exec, Ashley Slavik, Data Protection Officer & Lead Data Counsel at Veeva Systems, conveyed that creating trust is valuable on so many levels across the data lifecycle. “To benefit from optimal care, patients need to trust that their healthcare professionals have the most accurate and up-to-date details about treatments they receive. Healthcare professionals need to feel confident that life sciences companies will treat their information in a fair and responsible way.”

It’s A Journey, Not A Destination

Despite the concentration of activity leading up to 25 May 2018, many emphasize that GDPR is a long-term, ongoing commitment to compliance.

“The 25th [of May] became a singular point in time, but it’s a milestone, not the end,” said Chris Swarbrick, Head of Technology at Omnicom Media Group Programmatic UK, in an interview with CMO. “It’s an evolution, as people continue to learn and understand what the relationships will look like. There are multiple nuances, and it’s going to take a while to learn all of them.”

Slavik also reinforced this in her Pharma Exec article: “With each new regulation, we seek to focus on the positive aspects of what compliance could bring. This mindset gave us a chance to step back and look at what we achieved and put our mission into perspective – building the industry cloud for life sciences is bound by a data-centric approach.” 

GDPR Enforcement Varies by Country

At this year’s RSA Conference, security expert Ariel Silverstone reported that, as of the end of January 2019, there were 41,000 breaches reported under GDPR that fell within the 72-hour notification window. Additionally, Silverstone noted that while GDPR involves all 28 countries of the EU, variations in how each country is implementing the law mean companies could face different penalties. For instance, he said that Germany’s interpretation of the law makes a violation nearly a criminal case, while other nations have been reducing fines.

Looking Ahead

GDPR is only one compliance policy. Experts point out that GDPR will help global organizations be better prepared for other forthcoming compliance regulations, including the California Consumer Privacy Act, which adheres to some of the same principles as GDPR and comes into effect 1 January 2020.
