Fabien Roy, Counsel of Hogan Lovells International LPP, regular speaker at Pharmapack
"The introduction of the new European Union General Data Protection Regulation 2016/679/EU (GDPR) presents a big challenge for life science companies, packaging developers and connected device developers. Below we outline several practical steps that these companies and developers can take in order to ensure they are GDPR compliant.
- Implement privacy by design and privacy by default principles each time they intend to launch new projects involving the processing of personal data. These principles intend to ensure that the data controller has considered and integrated data protection into its processing activities at the stage of the conception of a new service/product, such as a connected medical device.
- Put in to place data breach procedures.
- Implement procedures to manage and answer request to access, rectify or delete personal data received from data subjects.
- Conclude data transfer agreements to govern transfers of personal data.
- Adopt data retention policy to determine the retention period of each category of personal data.
- If appropriate, conduct a privacy impact assessment (PIA) to check if their processing operations are likely to result in a high risk to the rights and freedoms of data subjects.
- Maintain the relevant documentation and records of all procedures and measures adopted to comply with the GDPR according to the accountability principle.
- Adapt informed consent forms in order to comply with the specific features of consent under the GDPR. This includes the review of both the structure of the informed consent and the detailed information provided to the patients.
- Conclude detailed agreements with the processors of personal data."