The General Data Privacy Regulation (GDPR) took effect May 25, 2018, and its primary intent is to deliver greater data privacy protection to EU citizens, including protection for health-related data. To ensure that medical information professionals could assess their understanding of and level of compliance with this recently enacted regulation, ArisGlobal held a July 18th webcast, “Practical Implementation of GDPR within Medical Information.”
Since GDPR was first announced several years ago, ArisGlobal has been busy working with our user base, consultants, and internal and external auditors. We took their insight to arrive at our own interpretation of GDPR and then began working on how we could ensure that data privacy and data protection are by design, and what specifically our medical information management system, LifeSphere® MI, can do to support GDPR from the outset.
Support for GDPR involves having a combination of tools, technologies and processes in place. Gauging from the very strong interest, attendance, and questions asked by our webinar attendees, there is clearly still a level of concern and uncertainty in the medical affairs community as to their respective companies’ level of understanding of and compliance with this complex guideline.
Our hour-long webcast did not offer legal advice on the interpretation of GDPR, but rather focused on the practical implementation of GDPR within a medical information system, and specifically covered seven key areas:
- Data Encryption (encryption of data at rest
- Viewing/Accessing Private Data from Different Countries
- Data Redaction
- Inquiry Fulfillment
Our webinar presenter, Simon Sparkes, ArisGlobal Executive Vice President of Medical Affairs, kicked things off by posing the first polling question, “Have you assessed your medical information system for compliance with GDPR regulation?” so as to assess the audience’s current state of GDPR compliance readiness. Results indicated:
This took us somewhat by surprise as most of the companies ArisGlobal staff are in discussions with still largely fall either in the “no” (i.e., not yet started) or “in progress” stage.
Responses to our second polling question, “Have you accommodated GDPR in your current MI solution?” more closely aligned to our understanding of where things stand for most companies:
Based on all the topics covered, responses to the final polling question, “Are you GDPR ready?”, seemed in conflict to some extent with the responses to the second poll:
Over two-thirds of the responding audience believe their company is “GDPR ready.” That is great news, but we can only surmise that if 57% haven’t assessed their MI solution for GDPR readiness, as shown in the responses to the first poll question, then the majority who are “GDPR ready” did not leverage their MI solution to assist in the effort. If that assumption is correct, that is unfortunate, since an MI solution like LifeSphere MI, by its design, can provide the tools, technology and process to help ensure the ongoing proper consent to collect and share patient data, and to handle data retention, redaction and possible GDPR exclusions.
Lots of attendee questions pertaining to retention periods, pseudonymization, medical inquiries with associated adverse events, and more were answered before the webinar concluded. You can learn more by viewing the on-demand webcast at your convenience.