Data Privacy in Pharmacovigilance
Martti Ahtola | Apr 20, 2025

Data privacy and data protection come up often in pharmacovigilance audits, inspections and due diligence questionnaires. Depending on how your quality management system is structured, data privacy and data protection may be treated as one and the same topic; in this context we could also call it “medical privacy”.
In a way, data protection has always been one of the main requirements of drug safety: adverse event tracking starts during clinical trials, and the core activity of pharmacovigilance is collecting, reviewing and reporting adverse event reports that come from individuals and contain personal information about patients. The reports come from patients or healthcare professionals, and their content concerns the patients’ health and other personal information.
Because of the inherent role of data privacy in drug safety, Tepsivo has had related policies, SOPs and forms in place since the early days of its quality management system; it would be impossible to operate in drug safety without taking this topic into consideration.
Data protection at Tepsivo
Recently Tepsivo’s GDPR SOP was updated because an auditor had questions about it during an audit and recorded a finding in the final audit report related to its wording. Our corrective action was to clarify the wording about the data protection officer (DPO) in our organization: we are not required to have a DPO and we do not have one. Tepsivo has a person responsible for data protection.
I agree that the wording in the SOP was confusing and did not fully reflect reality. The SOP now describes our compliant process, but I am personally not satisfied with the updated wording, as it also contains a new non-procedural statement (that we do not have a DPO). Hopefully the clarification will save us some time in future audits and inspections.
While updating the GDPR SOP, the data protection and privacy policies were also updated, and the data protection activities carried out under our procedures were reviewed. As usual when performing a gap analysis in a PV system, there were some gaps.
To be exact, I, as the person responsible for the data protection process, had not fully followed the procedure I had written myself. What also stood out in the gap analysis was that no auditor, inspector, quality assurance person or data subject had ever enquired in more detail about the personal data we had collected, or about how and why we collect it. We had only received questions about the processes and about where the data is stored, and had never needed to go deeper into the topic.
As we now go through 1-2 audits per month, we are asked about data protection quite often, and for good reason. Audits being audits, the questions typically concern the procedural documentation.
This got me thinking about the relevance of some aspects of our data protection processes, and of data protection activities in pharmacovigilance generally. In order to perform drug safety monitoring, data collection and processing are mandated by legislation. The collected data can be highly sensitive, up to full medical records of individuals, yet part of it ends up public once the safety data is reported to the authorities.
Is the attention to data privacy on the right level when it comes to current pharmacovigilance best practices?
Landscape of Data Protection and Pharmacovigilance
Pharmaceutical companies have ongoing privacy considerations related to product safety monitoring. These are tied to continuous obligations to comply with relevant regulations and best practices, which include data privacy processes.
In the European Union, GDPR applies to pharmaceutical and medical device companies processing personal data of individuals in the EU, regardless of where the company is located. In the United States, HIPAA applies to covered entities, and to their business associates, that create, receive, maintain or transmit protected health information (PHI).
Many pharmaceutical companies operate globally, and data privacy requirements vary by jurisdiction; they may include national or regional privacy laws, industry-specific guidance and ethical guidelines, so GDPR and HIPAA are not the only legal requirements to take into consideration. According to UNCTAD (the UN trade and development body), about 71% of countries have data protection and privacy legislation in place.
In general, there are data privacy principles that need to be followed regardless of the country or region. They should be taken into consideration when setting up a new study in which patients’ personal information is collected or analyzed, when study data is transferred from one party to another, when deciding which software to use for study or product data management, which safety database to use, how to automate case intake, and so on.
Concepts of Data Privacy
I am not a legal expert, nor do I consider myself a data privacy expert, but I like to think that the basic concepts of data privacy are nowadays quite well understood by most people, especially those who work in an industry built on data collection and processing, such as pharmacovigilance.
Below are some of the basic concepts I found useful when thinking about data privacy and drug safety processes. The topics were suggested by Gemini during a Q&A session I had with it about GDPR; I have added drug safety context to them.
Data Minimization
Data minimization means collecting and processing only the personal data necessary for a legitimate purpose. It is one point to consider when drafting the safety management plan for a clinical study.
If you manage a patient support program, risk minimization measures or post-authorization safety study, how do you ensure that the data collection does not include unnecessary data points?
Practical example of data minimization
Selective data collection is one key example of data minimization. It means collecting only the specific data elements required for the study or analysis.
During clinical trials, researchers may limit data collection to variables directly relevant to the trial objectives, such as symptoms and treatment effects, rather than unrelated personal details like income or education level.
Data Security
The broad topic of data security can mean anything from locks on the office doors and a password on your computer to the elaborate security controls built into software developed for drug safety management.
Gemini put it nicely: data security is the effort to implement measures that protect patient data from unauthorized access, use, disclosure, disruption, modification or destruction.
Practical example of data security
When it comes to data security and our processes around it, the main problem to solve is how everyone who needs access to the data gets sufficient roles in the systems, safely and promptly, without allowing anyone to see more than their task requires (least privilege).
This is something the IT department of every healthcare organization is busy with, or at least should be. You want to keep attackers out of the data, but access also needs to be easy enough that busy people actually log into the system instead of falling back on paper-based processes.
Data Anonymization
Where possible, patient data should be anonymized, that is, personally identifiable information (PII) removed so that individuals can no longer be identified, to minimize privacy risks. Anonymization is meant to be irreversible; under GDPR, data that is truly anonymized is no longer personal data at all, which is what distinguishes it from pseudonymization below.
Practical example of data anonymization
This kind of processing is applied to adverse event reports before they are published on the FDA and EMA public websites.
It is also an example of a limited data set: a subset that excludes certain sensitive fields but retains enough information for statistical purposes is created and used for transparency.
Data Pseudonymization
Pseudonymization means replacing direct identifiers (name, patient ID, contact details) with a code or pseudonym, while the information needed to re-identify the person (the key or the lookup table) is kept separately and protected. Unlike anonymized data, pseudonymized data is still personal data under GDPR (the definition is in Article 4(5)), because re-identification remains possible for whoever holds the key; GDPR names pseudonymization as a recommended safeguard, not as a way out of the regulation.
Practical example of data pseudonymization
Pseudonymization is used during the data collection and analysis phases to protect individual identities while still allowing longitudinal studies, since the same patient always receives the same pseudonym.
Pseudonymous patient IDs, for example produced by a keyed hash or by encrypting the real ID, are used instead of real names in the research databases behind real-world evidence (RWE) and post-authorisation safety studies (PASS).
Data Aggregation
Data aggregation means combining individual records into summary statistics such as counts or rates, so that the output describes groups rather than persons.
Practical example of data aggregation
Once the required follow-ups with the reporters have been completed, the collected safety data can and should be used for benefit-risk assessment and signal detection.
For this purpose aggregate data is used; the data can be aggregated for example by specific events and patient groups. Cells with very few patients deserve attention, since a count of one in a narrow group can still single out an individual.
Data Masking
Data masking means hiding parts of the original data to protect sensitive information while retaining enough detail for processing.
It is useful when sharing datasets with third parties for analysis without revealing confidential information.
Practical example of data masking
An example is masking social security numbers so that only the last four digits are shown.
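To make the de-identification concepts above concrete (limited data sets, pseudonymization, aggregation and masking), here is an added Python example. It is not code from the original article or from Tepsivo's own tooling; the records, the key, the ID format `P000123` and the function names are all constructed for the illustration. It builds a limited data set from constructed adverse event records, pseudonymizes the patient ID with a keyed HMAC, masks the SSN, aggregates distinct patients per event with small-cell suppression, and shows why an unkeyed hash is not a usable pseudonym.

```python
"""De-identification of adverse-event records: pseudonymization, masking,
limited data sets and small-cell aggregation (added example)."""
import hashlib
import hmac
from collections import defaultdict
from typing import Optional

# Constructed sample records; every value (names, IDs, SSNs) is invented.
RECORDS = [
    {"patient_id": "P000123", "name": "Anna Example", "ssn": "123-45-6789",
     "birth_year": 1961, "sex": "F", "event": "headache", "product": "DrugX",
     "narrative": "Anna (phone 555-0101) had a headache two days after dose 1."},
    {"patient_id": "P000123", "name": "Anna Example", "ssn": "123-45-6789",
     "birth_year": 1961, "sex": "F", "event": "nausea", "product": "DrugX",
     "narrative": "Follow-up call: nausea on day 5, resolved."},
    {"patient_id": "P000456", "name": "Ben Sample", "ssn": "987-65-4321",
     "birth_year": 1990, "sex": "M", "event": "headache", "product": "DrugX",
     "narrative": "Reported by GP, mild headache."},
    {"patient_id": "P000789", "name": "Cara Test", "ssn": "555-12-3456",
     "birth_year": 1948, "sex": "F", "event": "rash", "product": "DrugX",
     "narrative": "Rash on forearm, ongoing."},
    {"patient_id": "P001011", "name": "Dan Demo", "ssn": "222-33-4444",
     "birth_year": 1975, "sex": "M", "event": "headache", "product": "DrugX",
     "narrative": "Headache after second dose."},
]

# Hypothetical pseudonymization key. In a real system it lives in a key store
# that analysts querying the pseudonymized data cannot read; it is the
# "additional information kept separately" in GDPR's definition.
PSEUDONYM_KEY = b"replace-with-a-random-key-from-your-kms"


def pseudonymize(patient_id: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: the same patient always maps to the same
    value (longitudinal linking works), but without the key the pseudonym
    cannot be mapped back to, or enumerated from, the patient ID.
    Truncated to 16 hex chars for readability; keep the full digest in use."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def naive_pseudonym(patient_id: str) -> str:
    """Unkeyed SHA-256, shown only as the anti-pattern: patient IDs come from
    a small, predictable space, so the hash can simply be enumerated."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def reidentify_naive(target: str, max_id: int = 1_000_000) -> Optional[str]:
    """Dictionary attack over P000000..P999999 against the unkeyed hash.
    Returns the recovered patient ID, or None if not found."""
    for n in range(max_id):
        candidate = f"P{n:06d}"
        if naive_pseudonym(candidate) == target:
            return candidate
    return None


def mask_ssn(ssn: str) -> str:
    """Data masking: keep only the last four digits, e.g. XXX-XX-6789."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return f"XXX-XX-{digits[-4:]}"


def age_band(birth_year: int, current_year: int = 2025) -> str:
    """Generalize an exact birth year to a 10-year age band."""
    low = ((current_year - birth_year) // 10) * 10
    return f"{low}-{low + 9}"


def limited_data_set(record: dict, key: bytes) -> dict:
    """Build the limited data set: direct identifiers and the free-text
    narrative are dropped, the patient ID is pseudonymized and the birth year
    generalized. What remains supports statistics but does not name anyone."""
    return {
        "pseudonym": pseudonymize(record["patient_id"], key),
        "age_band": age_band(record["birth_year"]),
        "sex": record["sex"],
        "event": record["event"],
        "product": record["product"],
    }


def aggregate_by_event(records: list, key: bytes, min_count: int = 2) -> dict:
    """Aggregation with small-cell suppression: count distinct patients per
    event (the stable pseudonym is what makes 'distinct' possible) and hide
    cells below min_count so a lone reporter cannot be singled out."""
    patients = defaultdict(set)
    for record in records:
        lds = limited_data_set(record, key)
        patients[lds["event"]].add(lds["pseudonym"])
    return {event: (len(ids) if len(ids) >= min_count else "<suppressed>")
            for event, ids in patients.items()}


if __name__ == "__main__":
    for row in RECORDS:
        print(limited_data_set(row, PSEUDONYM_KEY), mask_ssn(row["ssn"]))
    print(aggregate_by_event(RECORDS, PSEUDONYM_KEY))
    print("unkeyed hash of P000123 recovered as:",
          reidentify_naive(naive_pseudonym("P000123")))
```

The two design points worth noticing: the pseudonym is keyed, because a plain hash of a six-digit patient number is reversed in milliseconds by enumeration, and the aggregation counts distinct pseudonyms rather than reports, so a patient with two follow-up reports is counted once and event counts of one are suppressed before the table leaves the safety team.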
Transparency and Consent
Practical example of transparency and consent
Sponsors should be transparent with patients about how their data will be used for pharmacovigilance purposes and obtain appropriate consent; this should be covered by the study management plan.
If you actively collect safety reports from patients or healthcare professionals through your website or online portal, make sure the forms contain the consent-related wording. Note that in the EU the processing of adverse event reports is generally based on the marketing authorisation holder’s legal obligation (GDPR Article 6(1)(c), with Article 9(2)(i) for health data) rather than on consent, so the consent text should cover what is genuinely optional, such as follow-up contact, rather than suggest that the report itself can be withdrawn.
Compliance with Regulations
Practical example of compliance with regulations
As mentioned above, sponsors should stay up to date on and comply with all relevant privacy regulations and guidelines.
As with other parts of drug safety activities, you must know and understand what the regulatory requirements are and what you must do in order to be compliant.
As the UN data shows, there are almost as many legislations related to data privacy as there are countries in the world.
We’ll take a look at two of the more famous ones, GDPR and HIPAA.
What is GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets rules for the collection, processing and storage of personal data of individuals within the European Union (EU) and the European Economic Area (EEA).
GDPR was adopted by the EU in 2016 to safeguard personal information and strengthen individual rights over data processing, and it has applied since 25 May 2018. It replaced the Data Protection Directive 95/46/EC, harmonizing data privacy law across Europe and reshaping how organizations handle personal data.
In 2018, data protection authorities across Europe began actively enforcing GDPR, issuing warnings and fines to non-compliant companies. Individuals became more aware of their rights, such as the “right to be forgotten” and the right to access their personal data. The right to be forgotten had already been established in EU case law before GDPR, but GDPR made it something everyone knows about. GDPR also had a global ripple effect, influencing data protection laws and regulations in other countries.
In 2019, GDPR was still a high-priority topic in many organizations. EU Data Protection Authorities (DPAs) were becoming more established and experienced in dealing with GDPR issues, and companies continued to adapt and refine their data practices to stay compliant. By then, most people in organizations that kept any records of someone’s personal information had heard the abbreviation quite a bit.
Those two years are also remembered as a time when organizations were hiring lawyers and consultants as “GDPR experts” and were busy implementing new and improved processes. Every process had to be evaluated for potential data privacy issues; a lot of time and effort went into GDPR in those days. Now, 6-7 years later, we seem to have mainly moved on to other things, while GDPR and data protection have at the same time become part of our everyday activities.
Who Should Follow GDPR?
GDPR applies to organizations established in the EU, and also to organizations outside the EU that process personal data of individuals in the EU (for example in studies conducted in the EU or with the personal information of EU residents). It covers:
- data controllers – entities that determine the purposes and means of processing personal data
- data processors – entities that process data on behalf of controllers.
The regulation defines personal data as any information relating to an identified or identifiable individual, encompassing direct identifiers like names and indirect identifiers such as online identifiers.
For the pharmaceutical industry, this means companies that conduct research in the EU, process study data in the EU, hold a marketing authorization in the EU, or, for example, delegate drug safety activities to a company located in the EU. There are other scenarios where GDPR applies, but these are the main ones.
Key Principles of GDPR
GDPR is built upon seven key principles, which are a variation of the data privacy concepts listed above.
The 7 Key Principles of GDPR are:
1️⃣ Lawfulness, Fairness, and Transparency: Data must be processed legally and transparently.
2️⃣ Purpose Limitation: Data should be collected for specific, explicit, and legitimate purposes.
3️⃣ Data Minimization: Only collect and process the data necessary for the intended purpose.
4️⃣ Accuracy: Keep personal data accurate and up-to-date.
5️⃣ Storage Limitation: Do not keep personal data longer than necessary.
6️⃣ Integrity and Confidentiality (Security): Ensure appropriate security of personal data.
7️⃣ Accountability: Organizations must demonstrate compliance with GDPR principles.
The second and third points, about purpose limitation and data minimization, along with points five and six, are probably the best known to the general public.
The fourth point, accuracy, reads almost as if it were written by people annoyed that their colleagues never update their contact details or holiday calendar. The last point essentially says “follow this law, because we can check whether you do, and if you don’t, you will be punished”.
Data security and confidentiality are no-brainers in this day and age, but surprisingly data integrity has been one of the main topics in some of our pharmacovigilance audits. Data integrity is a key topic in GMP and GCP, but the same level of data quality is important in all areas of drug life cycle management.
Drug safety processes have a clear purpose for processing health data about the patients using the medicinal products. In practice, data minimization is not always followed; for example in patient support programs (PSP) the person collecting the data can write down everything the patient tells them, with unnecessary details in the narrative.
Many pharmaceutical companies also collect safety reports voluntarily through online forms on their websites, which can lead to excessive personal data being collected. The data is sent voluntarily by the patient, but it puts the safety team in a pinch: they should preserve the source data of the case, yet report to the authorities only the specific personal information allowed by the ICH E2B(R3) data fields and the national or regional parameters of the standard. This often means resources are spent redacting the source data by hand if suitable AI tools are not in use, and if an AI tool is used to redact personal data, you can be sure there will be questions about it in the next audit.
Rights of Individuals According to GDPR
It can safely be assumed that the rights of individuals are quite well known to the general public in the EU, at least to those mentioned above who were involved in the GDPR push of 2018. Whether the rights are included in the education of younger generations, and how well they absorb them, is unclear.
Also, while GDPR is said to have inspired similar rules in other countries, are people and companies outside the EU aware of these rights? What do they mean in an environment where anyone in the EU can easily start using a system or tool that collects data about them, while the data is stored somewhere outside the EU and processed by people who may never have heard of GDPR?
The rights of individuals according to GDPR are:
🔑 Right to Access: Individuals can request access to their personal data.
🛠 Right to Rectification: Individuals can have their inaccurate data corrected.
🗑 Right to Erasure (“Right to Be Forgotten”): Individuals can request deletion of their data.
✋ Right to Restrict Processing: Limits the ways data is used.
🔀 Right to Data Portability: Individuals can move their data between service providers.
⚠️ Right to Object: People can object to how their data is used, especially for marketing.
🚨 Rights Related to Automated Decision-Making: Safeguards against decisions made solely on automated processes.
There have been several cases and articles about people requesting access to their data and the hundreds or thousands of pages they received from large tech companies.
I have not personally heard of cases where an individual contacted a marketing authorization holder or a national competent authority to request access to their data or to have it deleted, but I assume this has happened as well. All of the individual rights could in one way or another apply to adverse event reports.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Unlike GDPR, it is focused purely on health data. HIPAA is a US federal law that sets the national standard for protecting sensitive patient health information from disclosure without the patient’s consent or knowledge.
Protected Health Information (PHI) includes any information that can be used to identify an individual and relates to their past, present, or future physical or mental health condition, the provision of health care to the individual, or the payment for health care.
The organizations that must comply with HIPAA (covered entities) are health plans, healthcare providers (doctors, hospitals, etc.) and healthcare clearinghouses. Business associates, third-party organizations that handle PHI on behalf of covered entities, are also bound by HIPAA’s rules.
HIPAA has five main rules that ensure the privacy and security of PHI:
1️⃣ Privacy Rule: Sets standards for using and disclosing PHI.
2️⃣ Security Rule: Protects the confidentiality, integrity, and availability of electronic PHI.
3️⃣ Enforcement Rule: Outlines the processes for investigating violations and imposing sanctions.
4️⃣ Breach Notification Rule: Requires covered entities to notify affected individuals and the government of certain data breaches.
5️⃣ Omnibus Rule: Expands HIPAA’s reach to include business associates and strengthens enforcement.
HIPAA is a complex law, and organizations need to take steps to ensure they are compliant or, as with GDPR, they may be fined. Failure to comply can result in significant fines and other penalties.
The civil penalties are categorized in tiers, and the maximum is roughly $2 million per calendar year for identical violations (the amounts are adjusted for inflation). So the ceiling is much lower than for GDPR fines, which can reach 4% of global annual turnover, and the number of announced HIPAA penalties is very low compared to GDPR penalties. Note again that HIPAA penalties apply only to covered entities and their business associates, not to every organization that handles health data.
The Need for a Global Data Privacy Framework
Consider the Uber GDPR fine: the Dutch data protection authority fined Uber for transferring EU drivers’ personal data to the US without adequate safeguards. Why was that a problem?
There have been several arrangements between the EU and the US for transatlantic data transfers:
- Safe Harbor: the original framework, declared invalid by the Court of Justice of the European Union (CJEU) in October 2015 (Schrems I).
- Privacy Shield: its replacement, established in 2016 and declared invalid by the CJEU in July 2020 (Schrems II).
- EU-US Data Privacy Framework: the current arrangement, backed by an adequacy decision adopted in July 2023. It covers only US organizations that self-certify under it, and it is being challenged in court on the same grounds as its predecessors.
The invalidation of two frameworks in a row, and the uncertainty hanging over the third, highlight the ongoing challenge of establishing a robust and legally sound basis for data transfers between the EU and the US, given the differing approaches to data protection and privacy in the two jurisdictions. Transfers to recipients not covered by the framework fall back on standard contractual clauses or binding corporate rules, each with a transfer impact assessment.
In practice this makes life difficult for pharmaceutical companies that operate in both the US and the EU and, following the legislation, run for example a single global safety database. There is no single recognized mechanism for moving data from one region to another, not only between the US and the EU but between the EU and many countries outside it.
This covers a large share of pharmaceutical companies and medical device manufacturers. How do you operate a global pharmacovigilance system at all if you have to worry about being fined for transferring safety data from different countries into one global safety database?
Toll of Data Privacy in Practice
Data privacy activities can take a significant toll on day-to-day business operations: for example, discussions about whether employees’ personal IDs can be sent by email, or about which data may be processed by an AI tool and which may not.
The pharmaceutical industry differs from many other industries in that data privacy and confidentiality are a big part of the whole product life cycle, from the first safety studies with patients all the way to the practical use of products by patients, who might report adverse events or take part in risk minimization measures or a patient support program.
One obvious “toll” is the increased cost of implementing and maintaining a data privacy program. The increase is usually a combination of several things: additional personnel, additional requirements on technology (software), legal fees, potential fines such as those mentioned above, and operational inefficiencies in general.
Data privacy can also reduce flexibility by limiting data collection and processing. It can add challenges to the development of personalized medicine, and collection and processing limitations can be a blocker for medical devices that would collect data about the user to detect and warn about potential health risks and diseases.
In an ideal pharmacovigilance world, adverse event reporting would happen automatically from a smart device, such as a watch or headphones, that detects that the vital signs it monitors have changed in a specific way after the start of a specific treatment.
While data privacy activities can impose costs and challenges for medical device and medicinal product companies, they are essential in today’s digital world. It’s important to note that there are long-term benefits for good data privacy, such as increased customer trust, improved brand reputation, and reduced legal risks.
As mentioned, in pharmacovigilance, good data privacy practices are part of the baseline requirements. There are also claims that companies that prioritize data privacy can differentiate themselves in the market and gain a competitive edge.
Case: Cookie Banners in the EU
According to some estimates, Europeans spend 575 million hours a year clicking cookie banners. The calculation assumes that a user visits about 100 websites per month, or 1,200 per year. With about 85% of those websites displaying a cookie banner, a user encounters about 1,020 banners per year; at an average of 5 seconds per interaction, that is 5,100 seconds, or roughly 1.42 hours, per user per year.
Contrary to popular belief, cookie banners were not introduced by GDPR but by the ePrivacy Directive 2002/58/EC, whose 2009 amendment imposed a general principle of consent before information is stored on or read from a user’s device. In practice, websites are required to obtain informed consent before storing or accessing information on users’ devices.
While the intention behind these rules is to enhance privacy protection, their actual impact on user privacy is small for most sites, where cookies serve web analytics, understanding user behaviour, ad efficiency measurement or keyword traffic. A site operator that does not embed third-party trackers has little ability to follow a user beyond the visit to its own site.
For the most part, small businesses like Tepsivo use cookies efficiently without precise user identification. Their cookie banners primarily serve to mitigate theoretical legal risks rather than to enable extensive user tracking.
It is not to say that some businesses do not use cookies to operate user tracking on a massive scale. Some companies relying exclusively on advertising do share user data with very large pools of partners—sometimes hundreds of ad partners. In that case, cookie banners do offer privacy protections for users.
However, looking at the general scale of the internet, only a very small fraction of websites use mass-scale partnerships as their main economic model.
For users, repeated interactions with cookie banners can lead to significant frustration and complete loss of vigilance. The consent fatigue results in users mindlessly accepting terms without proper consideration, thereby undermining the very intent of the regulations. The constant barrage of consent prompts not only reduces productivity but diminishes user satisfaction and erodes trust in online platforms.
The Correct Level of Data Protection
Many people take data privacy and data protection very seriously, and in pharmacovigilance it is a constant discussion point. Who should be trained on the GDPR SOP? Who is processing personal information? Should we perform a data protection impact assessment for a new process? These are the kinds of questions that come up daily at Tepsivo.
Attitudes towards data privacy vary significantly across different groups of people. Older generations are generally more concerned about data privacy and may be less comfortable sharing personal information online. Younger generations may be more accepting of data sharing in exchange for personalized services and convenient experiences, but are increasingly aware of privacy concerns.
Tech-savvy individuals may have a better understanding of data privacy issues and take more proactive steps to protect their data (e.g., using privacy settings, strong passwords), while less tech-savvy individuals may be less aware of privacy risks and have less control over their data. Individuals with higher levels of education may have a better understanding of data privacy issues and be more likely to take steps to protect their data.
Different cultures have varying levels of trust in institutions and varying expectations regarding data privacy. People in regions with strong data protection laws, like the EU, may be more aware of their privacy rights and more likely to exercise them.
Individuals who have experienced data breaches are more likely to be concerned about data privacy. Negative experiences with companies mishandling personal data can lead to increased distrust and a greater focus on privacy.
Political beliefs can influence attitudes towards data privacy, particularly regarding government surveillance and data collection.
Today people blind and anonymize data just in case, even when it is not necessarily required. They have an idea of data privacy and are afraid of doing something against the law. Almost all agreements have data privacy clauses, and forms, at least in the EU, carry a “GDPR boilerplate text” and a tick box at the end, somewhere close to the one or two tick boxes you have to leave unchecked to avoid spam.
In the pharmacovigilance space, due diligence questionnaires and audits often include questions about GDPR, and these questions often lead to findings as well, because there always seems to be something more you could do: keep the data even more secure, collect even less, separate it, encrypt it, and so on.
Personally, I have a strong feeling that most of these questions are asked just to be sure, to avoid any possible problem. Taking the safest route is a good principle, and many companies in the pharmaceutical industry follow it, but it also creates a lot of administrative burden, which we are always wary of.
Conclusion
Data privacy is absolutely critical in the context of drug safety. Patients all around the world are increasingly wary of how their data is used. Regardless of location, data privacy principles such as data minimization, data security, anonymization, transparency and consent should be followed.
HIPAA and GDPR are cornerstones of data protection; they continue to evolve, to influence global data privacy standards and to shape everyday discussions in pharmacovigilance organizations.
GDPR has significantly influenced global data protection standards, inspiring similar regulations in countries such as Brazil (LGPD), Japan and South Korea. Its emphasis on individual rights and data security continues to shape how organizations worldwide approach data privacy. The complexity of transferring data between regions, especially between the EU and the US, must be taken into account.
GDPR has also had a significant impact on how pharmaceutical companies collect, store and use personal data worldwide. Pharmaceutical companies and medical device organizations should have processes in place that implement GDPR’s key principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability.
One of the biggest open questions in pharmacovigilance, as in other areas of business, is how data privacy considerations apply to the development and deployment of artificial intelligence (AI). Our experience is that questions about data privacy and protection will be closely tied to questions about AI.
Integrating privacy into the design and development of new technologies takes its toll on day-to-day work, but it can lead to solutions that protect patient data while still delivering valuable services. Data privacy is no longer just a compliance issue; it is a strategic imperative. GDPR and HIPAA have set important standards, but the evolving landscape of global regulation and emerging technologies like AI requires constant vigilance. By prioritizing data privacy, organizations can build trust, reduce risk and ensure the ethical handling of sensitive patient information.