Pharmaceuticals and biotech companies entrust a myriad of third parties with the processing of personal information in support of their businesses. Contract research organizations (CROs) are perhaps the most obvious example – third parties that process highly sensitive personal information to enable the proper execution of clinical research – but they are one of many data processors on which pharma and biotech companies rely. It’s clear that safeguarding personal information across a pharma
and throughout its ecosystem of third party service providers is a modern-day business imperative. The simple fact is that vulnerabilities often exist with third party service providers, and these must be identified and managed prior to sharing personal information in order to avoid breaches, regulatory violations and damage to the trust and reputation of patients, healthcare professionals (HCPs) and other business-critical stakeholders.
In this environment, legislators continue to attempt to mandate proper data protection through numerous regulations around the world. Perhaps the most important regulation on the horizon in this respect is the European Union’s General Data Protection Regulation (GDPR), which will come into effect in May of 2018. Not only does the GDPR contain strict breach notification rules, it also requires that where processing of personal information is to be carried out by a third party “processor”, such processors must implement appropriate technical and organizational measures to meet the requirements of the regulation.
It’s important to remember that the GDPR will apply not only to EU-based entities. Pharmaceuticals and other supporting businesses in the US and around the world that process personal information about EU residents will fall within the long arm of its jurisdictional scope.
While the GDPR does not come into effect until mid-2018, similar provisions are already applicable to entities that have certified – or are considering certification – to the EU-US Privacy Shield. Under Privacy Shield, a certified organization in the US making an onward transfer of personal information of EU residents, must ascertain that the third party recipient provides at least the same level of privacy protection required by Privacy Shield Principles and take reasonable and appropriate steps to ensure that the third party processes the personal information in a manner consistent with the Principles.
Know Where Your Data Flows
Managing risks associated with patient, HCP, employee and other personal information begins with gaining a clear understanding of precisely what data is shared and with which third parties. Obtaining a reasonably accurate inventory of personal information and understanding where that data is flowing outside of your organization is accomplished through interviews of process and system owners along with detailed review of process documentation. While this effort can be significant, it pays off with an improved organizational view of data flows and increased ability to make informed determinations about what data is essential to processes supported by third parties.
An often overlooked component of successful third party data risk management is simply limiting the data being shared to the minimum necessary to reach your business objectives. Achieving this requires up front effort, as it is necessary to change the behavior of employees who may find it easier to share entire databases or large data files with third parties rather than taking the time and effort to identify and transfer only the data that is truly necessary to achieve the desired purpose.
Pre-Contract Diligence: Flexible and Risk Based
Recent regulatory requirements and common sense mandate that contractual provisions are essential to mitigating risk associated with third-party data processing of personal information. However, in and of themselves, such provisions are insufficient. Due diligence prior to the sharing of personal information should be conducted to provide the requisite level of assurance that the third party has systems, processes and physical facilities capable of providing the appropriate level of protection.
A preliminary risk assessment has become a nearly standard prerequisite to contracting. Many data controllers use a single, templatized process for assessment of all third party processors regardless of considerations that likely have direct impact on data risk. But in order to implement a truly effective third party data management program, the risk associated with the data must be understood. These data risk considerations include:
the type of personal information being shared
the volume of personal information being shared
the geographic location of the vendor
the type of processing activities to be performed
the nature of processes or technologies for processing, retention or disposal of the data, and
whether the third party uses further outsourced providers to process the personal information
For lower-risk data sets and third parties, a self-assessment might suffice. But while third party self-assessments can be useful and effective tools when properly executed, they can carry significant challenges – not least of which is getting the third party to complete the assessment at all. In many instances, self-assessments are presented in a manner that the recipient has neither the organizational nor technical know-how to complete the exercise.
For data sets with somewhat higher risk, an acknowledged and generally accepted report such as a SOC 2 (which reports service organization controls for security, availability, processing integrity, confidentiality and/or privacy of data) or an ISO 27001 certification may provide the requisite level of confidence.
For large data sets that contain highly sensitive personal information, serious consideration should be given to having the pharma company’s audit function or a professional services firm conduct an onsite assessment. Personnel conducting these risk assessments must be up to date on both regulatory requirements as well as evolving security and privacy risks. And of course, it is essential that they have the requisite experience conducting such assessments to reach meaningful conclusions and recommend pragmatic approaches to managing the risks.
Upon concluding that a given third party has sufficient data security and privacy controls in place to green-light the sharing of personal information, contractual provisions must be drafted that place affirmative data use, security, breach reporting and right-to-audit obligations on the third party. Provisions should be drafted based on applicable requirements in combination with risk factors such as the characteristics of the data being shared and the processing to take place. While standardized provisions may suffice in some instance, the specific context and risk factors should be considered prior to finalizing a contract, in order to be certain that the terms fit the specific scenario.
Of course, while contractual provisions are essential to mitigating risk associated with third-party processing of personal information, they are never sufficient without processes to ensure that the third party is, in fact, doing what is contractually required.
Post-Contract: Agility in Execution
Pre-sharing verification of the adequacy of a third party’s data security and privacy controls is critical, but it’s really only half of the story. In order to mitigate risk on an ongoing basis, controls should be established to provide assurance that once personal information is shared, the third party will continue to safeguard it as required by contract. To gain that assurance, post-contract/post-sharing assessments should be conducted of your third party processors. Practically, only a limited number of assessments can be conducted each year. One solution to prioritizing and identifying third parties appropriate for assessment is to conduct an annual risk-ranking of third parties (and the personal information with which they are entrusted). This internal process provides an opportunity to view third party processors together and evaluate the relative risks associated with each, in order to identify those that will be subject to an assessment.
Regardless of how varied the requirements mandated and included in the contract are, it is important that you take an agile approach to risk management. In practice, this means that the execution of third party risk management activities will consume the minimum time and resources necessary for the controller and third parties, without compromising the overall effectiveness of the program. This requires that the controllers maintain an up-to-date understanding of the third parties’ data processing environments and strive to make only risk-pertinent inquiries relevant to changes or other red-flag issues that arise in a vendor’s environment. Appropriate tools should be developed and implemented to make it easy and efficient for third parties to report such changes, either periodically (e.g., once a quarter) or as they occur. This also carries the benefit of enabling third parties to structure and standardize such reporting in order to avoid redundancies in reporting to multiple controllers.
Risks associated with the sharing of digital personal information are a modern-day fact of business life. Such risks are amplified in the pharma and biotech industries, given the sensitivity and volume of personal information being processed and shared. But those risks can be effectively managed and reduced by taking the proper steps before sharing the data. While sharing personal information with third parties requires a degree of trust, verification of controls adequate to safeguard that data is essential. Mature and highly effective third party risk management programs will focus on the commitment of the business to safeguard data and in meeting individuals’ expectations of privacy, rather than treating the program strictly as a matter of compliance.