The passing of the DPDP Act, 2023, brings an opportunity for pharmaceutical companies and contract research organisations (CROs) operating out of India to re-look at how they manage personally identifiable information (PII). The Act regulates the processing of digital personal data and respects individuals' right to protect their data while recognising the necessity of processing and using such data for lawful purposes. The Act does not override the existing sectoral regulations but supplements them.
The pharmaceutical sector is one of the most data-intensive and data-driven sectors in the world. Real-world data, which is extensively being used in this sector, is the data relating to patient health status and/or the delivery of healthcare regularly collected from a variety of sources including electronic health records (EHRs), patient-reported outcomes (PROs), patient-generated health data – data generated from various devices (including mobile devices), medical claims and billing data, product and disease registries, observational studies – and patient-powered data (social media, patient advocacy groups/patient communities, patient-powered research networks, etc.). The sector, therefore, generates and processes huge amounts of personal health, clinical trial, research, and other sensitive data.
The sector faces various challenges and risks related to data privacy and data protection such as data breaches, cyberattacks, regulatory compliance, ethical issues, and consumer trust. The Act gives data principals the right to correction and erasure which in turn requires this sector to look for consent management data processors and technologies to support the rights of the data principal.1
Global pharma companies operating in India and headquartered in the US or the European Union (EU) might need minor modifications in their existing data privacy programmes. For Indian multinational pharmaceutical companies which are operating in the US and the EU, a review of their current data privacy and data protection programmes with an India-centred lens is the need of the hour. The additional requirements related to the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) need to be examined and investments need to be made to ensure compliance. For pharma companies headquartered in India and serving markets other than the US and the EU, a thorough review of the existing policies and establishment of a comprehensive data privacy and data protection programme would be needed.
Here are the top five steps for pharmaceutical companies to consider while looking to become DPDP Act compliant:
- Company boards and leadership would be required to:
- onboard specialists to strategize, drive and manage data privacy and data protection programmes for the company,
- identify the challenges and gaps in compliance to the DPDP Act, and
- approve investments in technology, controls and personnel over the next 10–12 months.
- An empowered cross-functional team, comprising members from the legal, information technology (IT), digital transformation, IT security, human resources (HR), research and development (R&D) and sales departments, would need to collaborate to classify, tag and secure data.
- Identification and codification of the roles and responsibilities of third parties with regard to data-sharing is imperative to avoid non-compliance. Contract agreements and non-disclosure agreements may need to be revisited and amended.
- Implementation of consent management systems and their technical as well as functional administration would be needed for compliance.
- Appointment of full-time consent managers and data protection officers.
In conclusion, boards and senior leadership of pharmaceutical companies and CROs involved in drug discovery and carrying out clinical trials must review their current practices, obtain explicit consent from individuals for the collection and processing of their personal data, implement appropriate security measures, appoint a Data Protection Officer, and establish a mechanism for individuals to exercise their rights under the Act. By taking these steps, pharmaceutical companies can ensure that they are compliant with the DPDP Act, 2023 and protect the personal data of individuals.
Sources
- Section 12 (1), Digital Personal Data Protection Act, 2023, Ministry of Electronics and Information Technology
