Data Privacy Overhaul in the Indian Pharmaceutical Sector: Navigating the DPDPA, 2023 

Article by Tsaaro

7 min read

Introduction 

The introduction of the DPDPA, 2023 has given various sectors, including pharmaceutical companies, an opportunity to update their operational strategies. Pharmaceutical companies that manufacture their own products, as well as contract research organizations operating within India, are required to restructure. Companies must focus on managing the personally identifiable information (PII) they acquire from people, mainly their customer base. The DPDPA, 2023 (hereafter referred to as the Act) regulates the processing of digital personal data and recognizes individuals' right to privacy and protection of their data, while underlining the need to process and store sensitive data for lawful purposes. The DPDPA does not override any existing sectoral laws but supplements them, which makes it more convenient for companies to restructure in line with the Act.

Data-Intensive Nature of the Pharmaceutical Sector 

The pharmaceutical sector is one of the most data-intensive and data-driven sectors in the economy. It regularly processes data about patients' health status and the delivery of healthcare services, collected from a variety of databases. These sources typically include Electronic Health Records (EHRs), health data voluntarily provided by patients and patient-reported outcomes, which in turn are acquired from medical devices, medical claims, medical bills, disease registries, observational studies, social media and patient-powered research groups. Pharmaceutical companies therefore generate and process a plethora of sensitive personal data. This exposes them to privacy and data protection risks in the form of breaches, cyber-attacks, compliance failures, ethical lapses and loss of consumer trust.

Adjustments for Multinational Pharma Companies 

Multinational pharma companies that operate in India but are headquartered abroad will need to modify their current data privacy programs. Likewise, Indian multinational pharma companies operating overseas must carry out an overall review of their current data privacy structure and data protection measures against Indian regulatory requirements. Companies must further examine the additional requirements of the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), and make the investments needed to comply with those regulations.

Cause of Data Privacy Breaches in Pharmaceutical Industry  

Insider threats arise from employees, contractors and business partners with excessive access to sensitive data, who may unintentionally or deliberately compromise privacy. Such insider threats may stem from disgruntled parties, human error or insufficient training in data privacy best practices. Third-party vendor risk is another common exposure, since companies share confidential information with vendors and partners throughout the drug development process. A breach at a third-party vendor can expose sensitive information such as research and development data, intellectual property, or even sensitive patient or research subject data.

Next is the increasing adoption of cloud computing in the pharma industry, where misconfigurations or inadequate access controls in cloud environments can lead to data exposure. Multi-cloud environments are particularly vulnerable to breaches because of their complexity and the potential for misconfiguration. Lastly, inadequate data security measures such as the absence of encryption, improper access control and insecure storage practices can leave sensitive data open to unauthorized access or theft. Gaps in employee training, incident response planning or monitoring can likewise lead to data breaches. Pharmaceutical companies should adopt comprehensive strategies to mitigate these risks.

Impact of Data Privacy Violations 

The impact of data privacy violations can be catastrophic for pharma companies. Chiefly, they may lead to significant legal fees, regulatory fines, remediation costs and potential revenue losses due to operational disruptions. Pharma companies must comply with data privacy regulations such as the CCPA, DPDPA, HIPAA and the GDPR. For instance, under the CCPA, companies can be fined up to $7,500 per violation, while under the GDPR fines can reach up to 20 million Euros or 4% of global annual revenue. Further, pharma companies may face lawsuits from patients, healthcare stakeholders and regulatory bodies for inadequate protection of their data. Such lawsuits may demand compensation for damages such as identity theft, financial fraud or even physical harm resulting from exposed or breached medical data, which violates trust and privacy. Under the DPDPA, a breach of sensitive personal data may attract a fine of up to Rupees 250 Crores.

Compliance with the DPDPA, 2023 

Companies operating within India or with Indian interests must now comply with the DPDPA, 2023. Firstly, pharma company boards and top management are required to bring specialists on board to strategize, structure and manage the company's data privacy and protection programs; to identify challenges and lacunae in compliance with the legislation; and lastly to approve investments in technology, controls and staff over the next 12 months. An empowered multi-functional team comprising members from legal, information technology, digital transformation, security, human resources, research and development, and sales would have to collaborate to secure and tag data.

Companies must identify and codify the roles and responsibilities of third parties with respect to data sharing, which is imperative to avoid compliance gaps. Contractual agreements and non-disclosure agreements must be revisited and amended in line with the DPDPA. Further, companies must implement consent management systems, and the technical and functional administration of those systems will need to be updated for compliance. Lastly, pharmaceutical companies that fall under the category of Significant Data Fiduciaries under Section 10(1) of the Act must appoint full-time consent managers and data protection officers as required by Section 10(2) of the DPDPA, 2023. The Act gives data principals the right to correct and erase their data. Companies will therefore need to update their data management systems so that they can correct inaccurate data, complete incomplete personal data or update personal data as and when requested under Section 12 of the Act.

Conclusion 

The introduction of the Digital Personal Data Protection Act, 2023 has compelled Indian pharmaceutical companies to rigorously revise and reassess their data privacy strategies. Pharma companies must align their operations with the new regulations to protect sensitive personal data and maintain compliance. They must address insider threats, third-party risks and cloud vulnerabilities. Implementing robust consent management systems and appointing data protection officers will ensure adherence to the Act. Furthermore, revisiting contractual agreements and investing in comprehensive data security measures are pivotal steps. Overall, the DPDPA requires companies to take a multifaceted approach, integrating technological, organizational and legal changes to safeguard data privacy effectively in the pharmaceutical sector.