You may or may not have heard of GDPR, new legislation intended to strengthen and unify data protection for all individuals in the EU. We’ve put together a brief summary of how it will affect the healthcare communications industry and what you need to do to prepare.
What is GDPR?
The EU’s General Data Protection Regulation (GDPR) is a new piece of European data protection legislation. It includes a series of new rules governing marketing, covering both B2B and B2C communications data, and it will change the practices companies use to handle personal data.
The new law applies from 25th May 2018 and is something that all healthcare companies should be preparing for now. Communications departments and companies need to apply good data management practice to all the personal data they hold, which may include case study data, media contacts, email marketing lists, stakeholder lists and photography databases, as well as the personal data held about employees, suppliers, clinical trial subjects and consumers.
What are the first steps towards compliance?
Companies need to ensure they have a register of all personal data held by the organisation. This register needs to identify which jurisdiction the data is held in, why the company is holding it, how long it will be kept, and how the company will either permanently delete the data or provide a full and correct copy of all records held on an individual if that individual requests it.
What types of personal data must companies manage and protect?
In healthcare communications this varies from company to company, and because there are still some grey areas, most companies are advised to seek legal advice, as there is no ‘one size fits all’. Healthcare companies typically hold a vast amount of personal data, from employee data to that of suppliers and consumers, all of which must be protected, including:
How will this affect you?
As a healthcare communications professional, you might rely on unsolicited emails to journalists to secure coverage or interviews. If, for example, you contact a journalist for the first time by email with a press release, the content of that email could constitute ‘marketing’ rather than a ‘service’ or information email. The journalist could demand to know where you obtained their contact details and ask for proof that they consented to receiving marketing material from you. Many organisations treat a record of prior correspondence with a journalist as grounds for continuing to contact them, but a history of emails is not the same as the explicit consent the regulation describes, so that basis needs to be considered carefully. It’s not just media relations either: you will also need to consider how much data you store on individuals, from case studies to questionnaires to presentations, all of which are relevant to your day-to-day role.
Communications departments will need to make all data ‘portable’, which basically means that if someone asks for a copy of all the data you hold on them, you have to provide it. Individuals can also request that their data be deleted, and you must be able to act on that request. The other thing to note in this industry is that liability could also fall on media database companies.
What if your company doesn’t comply?
The maximum fine for breaching GDPR is up to 4% of annual global turnover or €20 million, whichever amount is higher. Ensuring your organisation complies with the GDPR shows a good level of corporate governance and will also reduce the risk of legal action from individuals whose personal data you hold.
What are the next steps?
There are many online courses available on GDPR, and there will be more news to come in the following months with further information.
While there are still many grey areas, most companies will do well to invest in data management technology and seek legal advice now.