Five reasons why pharmaceutical companies need a DPO in 2024

A data protection officer (DPO) is a specialist who helps companies ensure compliance with international data protection laws. Such a specialist can be a member of the in-house team or an external DPO who performs the tasks under a service contract.

A DPO can assist companies with setting up all processes related to personal data, drafting and auditing the relevant documentation, handling data subjects’ requests and data breaches, and conducting training for employees. In a nutshell, the DPO is the key person who helps the company keep all of its business processes compliant with data protection law.

The European General Data Protection Regulation (GDPR) defines certain cases where the appointment of a DPO is mandatory:

  • the processing is carried out by a public authority;
  • the processing involves regular and systematic monitoring of data subjects on a large scale;
  • the processing involves special categories of data on a large scale.

Various aspects must be considered to determine whether a company falls under any of these criteria, but it is also possible to appoint a DPO voluntarily.

It is also essential to note that, as stated in the WP29 Guidelines, a DPO is not personally responsible for the company’s non-compliance with the GDPR and must perform their tasks independently, avoiding conflicts of interest.

In this article, we will demonstrate five reasons why pharmaceutical companies should consider appointing a DPO.

#1. Help with GDPR compliance when entering new markets 

If your company plans to expand its activities to other countries, in particular the member states of the European Union, then the DPO will be your indispensable assistant in ensuring compliance with data protection law.

The main act in the EU in this field is the General Data Protection Regulation (GDPR). However, in addition to the GDPR, it is often necessary to consider the national legislation of the member states in this area.

Maybe your company already falls under the scope of GDPR, and you don’t even know it 🙂

The fact is that the GDPR also applies to companies that are registered outside the EU but offer goods or services to data subjects in the EU.

It is worth noting that DPOs are usually also familiar with the laws of other jurisdictions beyond the EU, such as the US, Brazil, and Great Britain.

So, fear of the GDPR and similar acts is not a reason to stop developing the business if you have a professional to help you ensure compliance.

#2. Additional requirements for customer data protection

Pharmaceutical companies process their customers’ personal data, including special categories (or sensitive) data. According to the GDPR, such data includes, in particular, genetic data, biometric data, and health data.

Health data means any data relating to an individual’s past, present, or future physical or mental health (including the provision of medical care) that reveals information about that individual’s health status.

It can be any information about the client’s illness, disability, or allergic reaction to a medicine, the fact that the client was treated for a certain disease, or the medications prescribed to them and their dosage. It includes information received from a doctor, from a medical device, or from the clients themselves.

Clinical trials of medicines or medical devices, and ensuring that patients’ rights to personal data protection are respected in this process, are also high-risk activities that require the attention of privacy specialists. Moreover, the EU has additional regulation of personal data protection in this area — the Clinical Trials Regulation.

Since the improper processing of such data, or its disclosure to third parties, poses high risks to data subjects, their rights, and various aspects of their lives, the GDPR establishes special requirements for the protection of such information. Such processing is allowed only in certain cases and on specified legal bases. At the same time, Member States may impose further detailed requirements, including restrictions, on the processing of genetic data, biometric data, or health data.

A DPO is a professional who monitors legal requirements for personal data protection in various areas and knows how to apply them correctly in practice.

#3. The complexity of compliance due to the specifics of the field 

GDPR compliance is a complex process, particularly because of the need to draft and constantly update various documentation. It is not only about Privacy and Cookies Policies but also about a Data Retention Policy, Records of processing activities, a Supplier/contractor register, an Information Security Policy, conducting legitimate interest assessments and data protection impact assessments, and ensuring that transfers of personal data to other countries are lawful. Proper management of data subject requests and response to data breaches are also important. At the same time, monitoring changes across the relevant industries, new regulatory opinions, and fines plays a significant role.

However, due to the specifics of the field, compliance with GDPR requirements is more difficult for pharma companies. In addition to the processing of special categories of personal data, pharmacology has a number of particular features that need to be taken into account.

Importantly, the GDPR applies not only to data stored electronically but also to paper-based records, as long as the data forms part of a structured filing system. That is why GDPR requirements can apply, for example, to paper copies of drug prescriptions, agreements, or medical reports.

One more important aspect is the retention of personal data. In the field of pharmacology, the requirements of national law on the storage of health data must also be considered.

It is also worth noting that the GDPR will apply to the pharma company’s website or app, to its marketing activities, and to the processing of employee data.

Therefore, GDPR compliance is a comprehensive process that covers all of the company’s activities, and a DPO is the specialist who will help create a personal data flow map and properly adjust the processing activities.

#4. Impact of GDPR compliance on company reputation

Ensuring and maintaining GDPR compliance can be considered an investment in the positive reputation of the company and an additional aspect for attracting customers.

Given the competition in the market and the fact that sensitive personal data is being processed, customers will pay special attention to this and prefer services where their data is properly protected. In addition, partnerships with European companies may also require confirmation of proper handling of personal data.

The appointment of a DPO shows that the company is building a culture of privacy and is an additional competitive advantage for the business.

#5. Fines for GDPR infringements 

Depending on the type of infringement, the fine can be up to €10 million or 2% of the company’s turnover for the relevant year for the lower tier, and up to €20 million or 4% for the higher tier.

There are several cases in which fines were imposed on pharma companies for various types of infringements:

  • In 2020, the Estonian Supervisory Authority imposed fines of €100,000 on three pharmacies because third parties could access other people’s prescriptions on the websites without their consent.
  • In 2022, the German supervisory authority fined a pharmacy €6,500 because paper copies of prescriptions and documents with patients’ diagnoses were thrown into waste containers and could be accessible to other people.
  • In 2019 (when the UK was still part of the EU), the British ICO imposed a fine of £275,000 (later reduced to £92,000) on a pharmaceutical company for leaving documents containing prescriptions and customer personal data in unlocked containers at the back of its premises.
  • In 2021, SC Nobiotic Pharma SRL was fined €2,000 by the Romanian Supervisory Authority for failing to provide relevant information at the request of the Supervisory Authority.

There is also an interesting report from Usercentrics, which scanned the 150 most popular pharma websites in the EU and found that almost 89% of them breach the GDPR by processing customers’ health data (relating to purchases of medicines and pharmaceutical products) without their explicit consent.

In conclusion, a DPO is a personal data protection specialist who helps companies comply with international laws in this area. Given that pharmacology is directly related to health data and has its own specifics, appointing a DPO provides a professional approach to protecting customers’ personal data.

Read more about our special service — DPO as a service.