Why should small and medium size Pharmaceutical and Biotech Companies outsource their Data Protection Officer?

The EU General Data Protection Regulation will become effective on the 25th of May 2018.

As outlined below, the Data Protection Officer (DPO) position will most likely be a part-time position in small and medium size Pharmaceutical and Biotech Companies. The DPO position will not be in line with the company’s core capabilities, and it could be difficult to find a person with the right level of expert knowledge and to avoid a conflict of interest when the DPO is asked to perform other tasks as well. Furthermore, a scalable setup could probably better accommodate the requests coming from external parties and authorities.

On that basis it is Pharma IT’s recommendation that small and medium size Pharmaceutical and Biotech Companies outsource their Data Protection Officer.

As most Pharmaceutical and Biotech Companies are involved in clinical trials where personal data concerning health is processed, the appointment of a Data Protection Officer is a requirement. Personal health data could also be processed in other processes in the company, and regardless of where this happens a Data Protection Officer is a requirement[1]. Only if the level of data processing is small will the appointment of a Data Protection Officer not be mandatory. For companies only running clinical trials in phase 1 and 2 an individual assessment should be made; for companies running trials in phase 3 or later the appointment of a DPO will most likely always be required.

It should be noted that even though the clinical trial is conducted by a 3rd party/Clinical Research Organization (CRO), a data processor, it is still the initiator of the clinical trial, the data controller, that must ensure that a Data Protection Officer is appointed.

According to the regulation the Data Protection Officer shall be designated based on professional qualities and should have expert knowledge of data protection law and practices. Furthermore, the Data Protection Officer must perform the following tasks:

  • Advise on processing of data
  • Monitor compliance via awareness-raising, training and audits
  • Advise regarding “Data protection impact assessment”
  • Cooperate with supervisory authority
  • Contact point for the supervisory authority
  • Contact point for Data subjects

The data protection officer may also fulfil other tasks and duties if there is no conflict of interests.

In small and medium size companies the area of data security and data protection is seldom a full-time position due to the size and complexity of the company. When offering a security and data protection position it will be hard to attract the right level of expertise and knowledge. Should the company offer a full-time position, the responsible person will have to perform other tasks, which can create a conflict of interest in the work being performed, especially with respect to monitoring and performing audits. Furthermore, the level of work related to cooperating with authorities and the number of contacts from data subjects are very uncertain, and therefore a scalable setup might be preferable.

Pharma IT can provide Data Protection Officer (DPO) as a service and Pharma IT can provide a scalable team with expert knowledge within Pharma and Biotech processes to handle the various requests that might come from authorities and data subjects.

Our DPOs are certified in the EU General Data Protection Regulation, they are certified as Certified Information Privacy Professional/Europe (CIPP/E) and Certified Information Privacy Manager (CIPM), and they have relevant experience from working with security, personal data and compliance within the Pharmaceutical and Biotech industry.

Please contact us if you want to know more.
