HealthXL worked with Anatomy Health, patient support specialists, to interview a global group of experts across data, IT, security and life sciences about their views on the impact of General Data Protection Regulation (GDPR) on patient engagement, digital health and business strategy
Healthcare has always held patient privacy and patient data in high regard. Regulations and governing bodies demand the highest quality security so that sensitive information does not compromise patient care. GDPR can be viewed as simply the next iteration of the regulatory framework that healthcare companies are already well-versed in adhering to.
However, it’s also important to acknowledge that GDPR is different. It places a greater onus on companies to actively engage with the people whose data they are processing. There has been some trepidation around whether the initiative will impact the agility of digital start-ups or the innovation partnerships that larger companies are seeking out. HealthXL engaged with industry experts to understand how healthcare businesses are viewing the enactment of GDPR today and into the future.
- Jon Spinage – director of technology, Vitaccess
- Saif Abed – co-founder, Abed Graham
- Vijay Takanti – senior vice president, product development, Exostar
- Dave Pinnington – co-founder, Be Remarkable
GDPR is a Cost of Doing Business
Our panel participants emphasize that this is just the beginning – GDPR’s impact on organisations, their systems, processes and working relationship with data is unlikely to be realised straight away.
Saif Abed, co-founder of the health IT clinical consultancy, Abed Graham, believes that the ease and speed of GDPR adoption is all down to the organisation’s status and ability to change. “If we are talking about a larger organisation with established and ingrained (non-compliant) processes, then they will be harder to change. But a start up can adapt accordingly and integrate GDPR as part of its processes”.
Jon Spinage, CTO at Vitaccess, agrees. As a three-year-old start-up, Vitaccess has been aware of GDPR and its requirements throughout its growth and has embraced GDPR as part of its business strategy. “With no built-up legacy to change, we’ve had the advantage of incorporating GDPR from the start. Whilst there’s been a lot to consider, we’ve seen it as a good thing, it’s made all of us far more focussed on our PII data and to ensure that we are doing everything with rigour.”
Beyond IT: Embedding GDPR Across the Organisation
There is also agreement that GDPR shouldn’t be seen as simply an IT challenge. Alongside technology and cyber security for organisations, there’s a need to understand the implications of GDPR on business and brand strategy.
Dave Pinnington is a marketing and GDPR consultant for the life sciences industry, with a focus on sales and marketing. “There's a lack of understanding around the full extent of GDPR impact and what will come into focus. GDPR will demand that there is a clear business case not just for now, but also for future use of data.”
Pinnington continues, “this will require marketers to think about and plan for why they are collecting so much data and what they intend to do with it. Fundamentally, how businesses use data to deliver personalised, segmented strategies all needs to fall within GDPR.”
GDPR is About Getting Your House In Order...For Now
So how is GDPR being implemented across organisations at the moment? Our panel remarked that for most, it is a tick box exercise to ensure compliance and avoid repercussions.
With the global nature of healthcare and innovation, data capture and processing, GDPR is demanding that countries outside the EU are taking as much notice as those within the Member States.
Vijay Takanti, senior vice president, product development for Exostar, notes that GDPR in the life sciences category is placing greater demands on US-based companies who operate in Europe. “The US has less than 40% market share of the industry, so ensuring compliance with GDPR will be critical. Privacy policies will now need to meet both HIPAA and GDPR standards.”
As of now, no ‘good’ examples of GDPR implementation have been seen. “Until now, we’ve not seen any indication of change except compliance paperwork for organisations, with many companies already complying with laws that were in place in EU,” says Takanti.
Whilst global platforms such as Veeva and Microsoft Azure have met GDPR requirements and are supporting their customers with compliance, the responsibility still sits with the customer using the platform to ensure that the data within the platform meets GDPR standards. Pinnington points out that for many pharmaceutical companies, CRM data that sits within their systems is often purchased from third-party suppliers. Raising the question, “does your company have the customer’s permission to hold and use this data? The individual permissions from the third-party list are not transferable to the pharma company. Again, companies will need to map the business case, data use and seek the relevant permissions for data use.”
Patients are not any wiser on changes to their rights
As companies of all sizes wrestle with the needs of compliance and audit, it appears no one has been looking at the other side of this equation – the user, or in the world of healthcare, the patient. Do patients know what’s coming, and what it means for them?
The answer across our panel is a resounding no. “It would be exceptional to find a patient who is fully aware of GDPR now,” explains Spinage. “People aren’t familiar with what’s going on and few have taken the opportunity to communicate with patients on the changes.”
Abed notes, “we’ve seen next to no active engagement of patients on GDPR but anticipate that this will be like a bell curve of patient motivation and self-education. There’s a very small proportion (of patients) who are active in their data management through things like social media and they will become more aware of data processing, but patients are not aware of their new powers (when it comes to GDPR).”
Clarity and Transparency are Very Complicated
One of the many fallouts from the Facebook/Cambridge Analytica scandal is that people are questioning if their personal data is now in someone else’s hands and being used for activities they don’t know about.
The timing of the Facebook incident and the launch of GDPR is not lost on our panel. The work that Vitaccess has done has only highlighted to them the challenges and risks of engaging, and potentially alienating patients, in the process of being transparent.
“Engaging with patients about their rights and informing them about their data and its uses will be a challenge for many companies. Taking the time to explain in a simple, easy to understand way is a must – there’s no way around it, and it may be difficult for some patients to grasp the information straightaway,” states Spinage.
A Point of Differentiation?
Whilst pre-May 25 may be seen as a tick box exercise, those who use GDPR as a point of differentiation will very quickly set themselves ahead of the pack. Pinnington believes “GDPR is an opportunity to change processes around customer centricity and digital transformation and ultimately is a driver to optimise business innovation. Businesses, through legal experts, need to stop looking to reduce risk and instead look to optimise, refine approach, plan effectively and challenge the business case.”
Jon Spinage echoes the sentiment, stating, “GDPR is going to support putting patients more in control of the data they are providing, helping to better protect that data, increase the visibility of how, where and why that data is being used. If people feel they have more control, they will feel safer and better protected, which will enable sharing of valuable data for innovation.”
Vijay Takanti shares, “in dealing with consumer data, US or UK, if you as an organisation take the stance of ‘I will protect data with highest level of requirements’ this becomes a differentiator, making you a much better choice for innovation as you guarantee to protect the data.”
The opportunities in the life sciences industry are vast, but they all need to be planned for says Pinnington.* “So many areas need to be looked at, such as international congresses, market access, sales, clinical trials and patient support programmes. Companies will need to be much more customer-centric, having a clear business purpose and demonstrable plan for how they execute. It means there needs to be an alignment of customer value for every business purpose.”*
Seeing GDPR as an Opportunity
There is consensus from the panel that GDPR should be more than a checklist exercise. Organisations have an opportunity to embed patient rights into their DNA and use it as a real point of differentiation.
Much more needs to be done to engage and inform patients to ensure transparency, and more importantly, continued collaboration to share data that will drive innovation within health and care. With data serving as such a critical component to creating health and care change of the future, it’s imperative that this new regulation is viewed as part of the fabric of business, rather than an obstacle.
Andrew Murphy, Director at HealthXL summarizes that given the focus on a race to comply by the date of introduction, the spectre of drastic consequences for non-compliance and the general lack of knowledge of the detail involved, many commentators have been comparing GDPR to the Y2K readiness at the turn of the millenium. "I think this really misses the point – the date of May 25th does not mark a regulatory ‘blip’ we must overcome, but the start of an entirely new paradigm on how privacy, data and consent are managed. Per our panel’s commentary, what starts as a race to compliance will endure for years to come and those that build it into a competitive advantage may well reap a dividend we can’t even foresee at present. The impact that GDPR will have on attitudes, on trust in institutions, self management of health records will only be evident in the coming years, but I wouldn’t be surprised to see us look back to 2018 as a major turning point in the data industry.”