The EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018. The regulation requires all public authorities and private businesses, including Life Sciences companies, to deploy sufficient IT security for the protection of the personal data processed in the organization. Specifically, it requires an assessment of the organization's security level in relation to privacy. The purpose of the assessment is to identify the specific privacy-related risks. On this basis, IT security controls are to be designed and implemented in the right places in the organization.
To assess the risks associated with processing personal information, it will be necessary to map all of the relevant business processes, data types, systems, and external data providers. This includes processes pertaining to drug development, regulatory procedures, drug safety, manufacturing, and sales & marketing. The actual assessment of the organization's data protection level will be carried out only after these data flows have been identified.
NNIT utilizes the tool PRIME (Privacy Evaluation). PRIME maps the data flows, provides an overview of where the most sensitive information is located logically and physically, and documents how well it is protected in processes and systems. PRIME is tailored to the new requirements and to the new threats to privacy that digitalization brings.
NNIT's methodology for EU GDPR is organized in five distinct phases:
Phase 1: Planning of Risk Analysis
Use of PRIME is based on interviews with representatives from the line of business and from IT. The first phase of our methodology focuses on defining the project scope, identifying the relevant employees within the organization, and setting up meetings with them. The planning initiatives take the special needs of life sciences into account, e.g. requirements stipulated by GCP (Good Clinical Practice).
Phase 2: Risk Analysis
PRIME is based on the international standards ISO/IEC 27005 (information security risk management) and ISO/IEC 29100 (privacy framework) and includes best-practice methodology for risk analysis in the fields of information security and protection of personal information. As part of the risk analysis, we assess the risk that data is disclosed to unauthorized persons (confidentiality), and the risk that data is changed wrongfully or lost as a result of IT security breaches (integrity and availability).
Our methodology also includes a vulnerability assessment of the processes and systems in which personal data is processed: which controls have already been implemented, and which ones are missing?
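The data-flow mapping and control-gap check described above can be made concrete in code. The following is an added example, not NNIT's PRIME tool or any code from the original page: the data flows, the control names (access control, logging, encryption) and the likelihood-times-impact scoring thresholds are constructed for illustration and are assumptions of this example, not a standard's table.

```python
"""Data-flow inventory with a control-gap check and an ISO 27005-style risk rating.

Added example for illustration; not NNIT's PRIME. All flows, control names and
scoring rules below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# GDPR Art. 9 "special categories" that are typical in life sciences (constructed subset).
SPECIAL_CATEGORIES: Set[str] = {"health", "genetic", "biometric"}

# Controls expected per sensitivity tier (assumption for this example).
REQUIRED_CONTROLS: Dict[str, Set[str]] = {
    "special": {"access_control", "access_logging",
                "encryption_at_rest", "encryption_in_transit"},
    "personal": {"access_control", "access_logging", "encryption_in_transit"},
}


@dataclass
class DataFlow:
    """One mapped flow of personal data between a source and a destination system."""
    name: str
    source: str
    destination: str
    location: str                 # where the data physically ends up
    data_categories: Set[str]
    controls: Set[str] = field(default_factory=set)
    external_processor: bool = False   # destination run by a third party?


def sensitivity(flow: DataFlow) -> str:
    """'special' if any Art. 9 category is in the flow, otherwise 'personal'."""
    return "special" if flow.data_categories & SPECIAL_CATEGORIES else "personal"


def missing_controls(flow: DataFlow) -> List[str]:
    """Controls required for the flow's tier that are not documented as implemented."""
    return sorted(REQUIRED_CONTROLS[sensitivity(flow)] - flow.controls)


def risk_rating(flow: DataFlow) -> Dict[str, object]:
    """Likelihood x impact on 1-5 scales (constructed scoring, not a standard's table).

    Impact follows sensitivity; likelihood grows with each missing control and
    with handing data to an external processor.
    """
    tier = sensitivity(flow)
    impact = 5 if tier == "special" else 3
    gaps = missing_controls(flow)
    likelihood = min(5, 1 + len(gaps) + (1 if flow.external_processor else 0))
    score = impact * likelihood
    level = "high" if score >= 15 else "medium" if score >= 8 else "low"
    return {"flow": flow.name, "location": flow.location, "sensitivity": tier,
            "missing": gaps, "score": score, "level": level}


def assess(flows: List[DataFlow]) -> List[Dict[str, object]]:
    """Rate every flow and return them highest risk first, for the mitigation plan."""
    return sorted((risk_rating(f) for f in flows), key=lambda r: -int(r["score"]))


# Constructed sample inventory (not real systems or findings).
SAMPLE_FLOWS = [
    DataFlow("Clinical EDC -> pharmacovigilance DB", "EDC", "PV-DB", "EU data centre",
             {"health", "contact"}, {"access_control", "encryption_in_transit"}),
    DataFlow("CRM -> marketing e-mail provider", "CRM", "MailSaaS", "EU SaaS",
             {"contact"}, {"access_control", "access_logging", "encryption_in_transit"},
             external_processor=True),
    DataFlow("LIMS -> genetic analysis CRO", "LIMS", "CRO-SFTP", "US CRO",
             {"genetic"}, {"encryption_in_transit"}, external_processor=True),
    DataFlow("HR system -> payroll", "HR", "Payroll", "EU data centre",
             {"contact"}, {"access_control"}),
]


if __name__ == "__main__":
    for r in assess(SAMPLE_FLOWS):
        print(f"{r['level']:6} {r['score']:2}  {r['flow']} [{r['location']}]"
              f"  missing: {', '.join(r['missing']) or 'none'}")
```

The output lists the flows carrying Art. 9 data to external processors at the top, with the concrete missing controls that become the input to the mitigation plan in the next phase; in a real engagement the inventory would come from the interviews and system documentation, not from a hard-coded list.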
Based on the risk analysis observations, and the established focus areas, a plan is prepared on how the identified risks can be mitigated. The plan may include the following control areas:
Phase 3: Specific Proposals for Solutions
For every control area where the risk analysis has found one or more issues, specific implementation proposals are prepared with input from the customer, taking life-science-specific needs into consideration, including how changes might affect GxP systems. Solution proposals are prepared in collaboration with our clients and partners, which include law firms and providers of technical solutions for access control, logging, and encryption. The goal is to strike the right balance between new behaviours around data and the use of existing and new technology.
Phase 4-5: Implementation and Maintenance
NNIT has been working with Life Sciences consultancy and IT implementation for more than a decade, and we are able to assist Life Sciences companies in implementing the technical solutions and legal improvements necessary to meet the EU GDPR requirements, and in maintaining them afterwards.
Please contact Martin Rother Breyen at MIRP@NNIT.COM if you have any questions.