How Veeva Systems prepared for the new EU data protection regulation, reports Ashley Slavik, Data Protection Officer and Lead Data Counsel
As one of the most groundbreaking pieces of European Union (EU) legislation in the digital era, the General Data Protection Regulation (GDPR) represents the biggest shake-up of data protection laws in more than two decades.
With the enforcement deadline of 25 May 2018 now upon us, many life sciences companies will have already come to realise that GDPR compliance is not simply a legal problem or an IT project, but an enterprise-wide issue requiring a robust and comprehensive approach.
Here, I explain some of the steps we took towards GDPR readiness and why we consider the new regulation to be a positive catalyst for change.
Intended to harmonise national data protection laws across the EU and give greater protection and rights to individuals, the GDPR is designed to make companies more accountable for how they process personal data.
It extends the territorial reach of EU data protection law beyond the EU: an organisation established anywhere in the world falls within scope if it processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour.
The GDPR introduces important new requirements about valid consent, in addition to giving individuals in the EU greater control over how their data is being used through stronger and more specific rights. And it introduces stringent penalties for non-compliance, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for the most serious violations.
As a provider of multitenant cloud solutions, Veeva treats privacy and security as part of its DNA, and it is something we regularly discuss with our customers.
The overarching principles of the GDPR, therefore, are an extension of something already familiar to us – but we knew we needed to adapt to the key principle of accountability. This meant putting the necessary documents together to enable us to be more transparent about our data processing activities and even more rigorous in our risk assessments. And so, our path to GDPR compliance began.
Clearly understanding your company's role as a data controller or a data processor – both key terms in the GDPR text – is critical to determining which obligations apply to you.
Under the previous EU Data Protection Directive of 1995, legal responsibility rested primarily on the data controller, but the GDPR places obligations directly on both the controller and the processor. Under the GDPR, the controller determines the purposes and means of processing personal data, while the processor processes personal data on behalf of the controller and only on its documented instructions.
Processors must now keep records of the processing they carry out for each controller, notify the controller without undue delay after becoming aware of a personal data breach, and can be held directly liable for damage caused by processing that does not comply with the regulation or with the controller's instructions. Controllers must ensure their contracts with processors include all of the required cooperation obligations.
Like many companies, Veeva acts as both a data controller and a data processor. For some of our solutions, we are a data processor because we provide our customers with solutions to manage their customer data. For others, we are the data controller because we make decisions on which data is collected, how long it is stored, and to whom it will be transferred. Furthermore, we are the data controller for the personal data of all of our European employees, customers and partners.
As a cloud provider, Veeva ensures the same privacy and security controls for all customers. Veeva protects customer data with world-class physical, network, application, and data-level security; we have been certified under the EU-US and Swiss-US Privacy Shields since their inception; and we execute EU standard contractual clauses if requested to facilitate data transfer to the United States.
Historically, privacy fell under the umbrella of our Global Information Security Officer, David Tsao, based at our California headquarters. However, a fundamental turning point in our GDPR journey was appointing a dedicated data protection officer (DPO).
Under the GDPR, a DPO is mandatory for public authorities and for any organisation whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data. Beyond that legal trigger, it is a business imperative and common sense to have a single point of contact to oversee privacy.
I joined Veeva in 2015 as lead data counsel and quickly gained certification as an EU data protection officer, becoming one of the first within our industry to hold the title. Based in our Paris office, I began to set out a roadmap to leverage our existing privacy and security controls.
To bring privacy to the next level, we realised that we needed a critical mass of people dedicated to the GDPR. We decided to create a network of privacy champions made up of individuals in leadership roles whose jobs demanded a deeper understanding of data protection, or who had demonstrated a strong grasp of the regulation.
These people would become the points of contact for their teams – and integral to turning GDPR compliance from a potential add-on to an employee’s day job to something second-nature for every individual across the organisation.
The true measure of GDPR compliance is whether it permeates the culture at every level, not only from a top-down mandate of the DPO or the legal team.
Once individuals think about how they use personal data – and, indeed, how their own data is used – a shift towards individual responsibility and accountability emerges. With our Veeva privacy champions group and a "train the trainer" approach, we are already seeing this cultural shift.
As a company, we are working hard to communicate both the intricacies and the impact of the GDPR to employees and, in turn, our customers, in a way that makes sense to them. Training plays a big part in this – considering the GDPR is such a wide, far-reaching topic, tailoring the right information to the right audience is essential.
As DPO, one of my jobs is to help design interactive, online, role-based training that will resonate with each individual in terms of their day-to-day work. Every team is given a slightly different training programme, depending on how the GDPR impacts its area of business. We also provide ad hoc, face-to-face training around particular issues, plus events and webinars focused on our GDPR approach.
The GDPR stipulates that there must be a written contract between the controller and processor that clearly sets out the subject matter of the processing and its duration, the nature and purposes of the processing, the types of personal data and categories of data subjects (including any special categories of data), and the obligations and rights of both parties.
Failure to have a suitable data processing agreement (DPA) in place is itself a breach of the law under the GDPR.
Contracts, therefore, needed to be revised according to those requirements. A compliant DPA also has to spell out the processor's specific commitments: processing only on documented instructions, binding staff to confidentiality, applying appropriate security measures, engaging sub-processors only with the controller's authorisation, assisting the controller with data subject requests and breach notification, deleting or returning the data at the end of the engagement, and allowing audits. Because controllers must be this precise with their processors, the requirement touches not only our customers, but also our partners and vendors. So, we have spent a lot of time working closely with these stakeholders to make sure we are aligned, with the required documentation in place.
Throughout the prolonged effort, we have sought to focus on the positive aspects of preparing for the GDPR. This mindset gave us a chance to step back, look at what we had achieved and put our mission into perspective: building the industry cloud for life sciences depends on a data-centric approach.
We can now see a much deeper level of transparency with our customers and those whom they ultimately serve – patients who need life-saving and life-prolonging medicines.
Transparency promotes trust – and creating trust is valuable on so many levels across the data lifecycle. To benefit from optimal care, patients need to trust that their healthcare professionals have the most accurate and up-to-date details about treatments they receive.
Healthcare professionals need to feel confident that life sciences companies will treat their information in a fair and responsible way.
Life sciences companies rely on Veeva to deliver innovative technology that enables them to manage value- and compliance-driven data more efficiently. If a new culture of trust is what the GDPR can bring, that can only be positive.