4 GDPR mistakes pharma are making
Most people will have noticed a steady flow of communications from businesses asking for permission to use their data. Even the smallest company seems to be scared by GDPR and is trying to engage with you. Despite this, pharma companies haven't been as active.
As a consumer, I find GDPR a wonderful thing, as I now control my data. A number of data companies that have built their businesses creating lists to sell to other businesses, which then spam you with telephone calls and emails, are under threat. These list builders may (or may not) have asked for my permission to collect my data and sell it to other people, but in order for the company buying my data to use it, they now require my opt-in permission. This is because, after 25 May, permissions are no longer transferable between companies. In asking for my permission they must explain to me exactly why they need it and what data they will need. Cambridge Analytica has brought the issue of personal data misuse to the world's attention, making people scrutinise how freely they give access to their information.
My conversations with pharma companies have identified 4 key common mistakes that they are making which could have a major impact on how they commercially operate.
1. Business purpose and pharma sales/marketing.
Few pharmaceutical companies have mapped what personal data they hold and the key business processes where it is used. Core pharma sales and marketing activities use personal data, such as the creation of targeting lists/segmentation, call recording, inviting customers to meetings/congresses and emailing newsletters. These may seem critical to the core of a pharmaceutical business, but they are not critical to the customer in using medicines. As a result, rather than the information being needed to deliver an agreed service, the customer is required to give opt-in permission. In gathering this permission, a company must be transparent about what data it holds and how it intends to use it. If business purposes are not fully mapped out, it is likely that these permissions are not explicit enough.
Takeaway: Audit what data you have, how you use it and whether you have adequate permissions.
2. Reliance on 3rd party customer lists/data.
Most of pharma buys in customer lists and stores them in CRM systems. GDPR demands that a company holding personal data must ensure that the data is accurate, has a specific business purpose and has opt-in permission from the customer agreeing to the data being used for those specific purposes. As permissions are not transferable, a pharma company buying customer lists needs to demonstrate that it has collected customer permissions for its required business purposes. As GDPR requires a company to gather its own permissions, this raises doubts about the value of buying in customer data.
Takeaway: Review your data sources to understand their accuracy and ensure that your company has gathered permissions to use the data in the way you want to.
3. Collection of permissions without plans.
With the rise of digital communications, pharma companies have tried to gather permissions to engage their customers with email newsletters and information. But ask most pharma brand teams about the emails they want to send to customers and they have no clear plans. GDPR requires that data is held only for the minimum time needed to complete the business purpose the customer opted in to. Collecting permissions because one day they may be needed is not acceptable. To justify your business purpose you need to demonstrate a clear plan. For communications, this should describe the content, the frequency and the value. Not having a clear plan means that your business purpose is difficult to justify.
Takeaway: Create clear strategies and plans for each business purpose.
4. Legal teams are leading GDPR compliance.
A regular theme I have seen in pharma companies is the role of legal in trying to implement GDPR. Ask marketing or sales about GDPR and they often see it as the legal team's responsibility to deal with, while they continue to use customer personal data. As people working in the legal team don't understand the business activities, they are failing to identify GDPR risk. The core marketing and sales processes that use personal data need to be reviewed and, if not compliant, changed to align with GDPR and optimise the business. Creating new ways of working in a large organisation requires significant time, effort and resources. Any GDPR breach could force a company to delete data and stop business-critical processes.
Takeaway: Review GDPR from a business perspective. Identify key business activities that are not compliant and seek new models to achieve business objectives.
With a potential fine of 4% of global turnover, pharma can't afford to be complacent about GDPR. For further information, feel free to contact me.