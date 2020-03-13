The ‘Privacy in Motion’ series by OneTrust DataGuidance captures thought-leading ideas from privacy professionals working across a number of different industries, highlighting sector-specific privacy laws in fields including finance, technology and healthcare.

We met with Jason Burns, EU Data Protection & Governance Lead at Bristol Myers Squibb in February 2020. Headquartered in New York City, Bristol Myers Squibb is an international pharmaceutical company that specialises in discovering, developing and delivering innovative medicines to patients with serious diseases. Jason talks at length about building and maintaining a globally compliant privacy program within the pharmaceutical industry, as well as discussing how emerging technologies can help facilitate privacy and data protection practices.

Maintaining A Global Privacy Program

Jason’s principles for maintaining a compliant privacy program at a global scale resonate beyond just the pharmaceutical industry. First, he stressed the importance of building the right team. These privacy team members and privacy champions must be able to communicate to the broader organisation in a way that is understandable and engaging. They need to possess the right characteristics as well as knowledge to connect with teams throughout the company.

“It’s the personality skills to be able to have those conversations and build those relationships. It’s worth much more than having a privacy program that’s just on paper only if you don’t have any support to carry it out.”

Jason points out that if the program is full of heavy legal and regulatory language, it is harder to get companywide buy-in. Instead, present it at a high level, where the information has greater meaning to a broader audience, from managers up to board level when necessary, and in an efficient way.

Anonymisation & Pseudonymisation

According to Jason, there is a general understanding that true anonymisation does not exist. Data that has been “anonymised” may therefore still fall within the GDPR’s regulatory reach, and it should be treated as if it does.

Jason notes that anonymisation is also sometimes confused with pseudonymisation, and that in many cases supposedly anonymised data can easily be restored to its original state because of the information it still contains.

“We are dealing with reasonably rare forms of cancer, and items like that. In a country for example, like where I’m from in Ireland, there might be two or three people that have that particular cancer. So, it’s easy enough to reidentify them.”
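Jason’s point about small groups of patients can be checked mechanically before an extract is released. The following is an added example, not code from the interview or from Bristol Myers Squibb: it measures k-anonymity over a constructed clinical extract, shows that hashing the patient ID (pseudonymisation) leaves the re-identification risk untouched because the remaining quasi-identifiers still single out the two rare-cancer patients in one country, and shows one generalisation step that raises k. The sample records, field names and salt are assumptions.

```python
"""k-anonymity check for a 'de-identified' clinical extract (added example).

A record is re-identifiable when the combination of its quasi-identifiers
(country, diagnosis, ...) is shared by only a handful of people, whatever
was done to the direct identifier. k is the size of the smallest such group.
"""
import hashlib
from collections import Counter

SALT = b"example-salt"  # assumption: a secret kept by the data controller

# Constructed sample data, not real patients.
RAW_RECORDS = [
    {"patient_id": "P001", "country": "IE", "diagnosis": "rare_cancer_X", "birth_decade": 1960},
    {"patient_id": "P002", "country": "IE", "diagnosis": "rare_cancer_X", "birth_decade": 1970},
    {"patient_id": "P003", "country": "IE", "diagnosis": "common_cancer_Y", "birth_decade": 1960},
    {"patient_id": "P004", "country": "IE", "diagnosis": "common_cancer_Y", "birth_decade": 1960},
    {"patient_id": "P005", "country": "IE", "diagnosis": "common_cancer_Y", "birth_decade": 1970},
    {"patient_id": "P006", "country": "DE", "diagnosis": "rare_cancer_X", "birth_decade": 1960},
    {"patient_id": "P007", "country": "DE", "diagnosis": "rare_cancer_X", "birth_decade": 1960},
    {"patient_id": "P008", "country": "DE", "diagnosis": "rare_cancer_X", "birth_decade": 1970},
    {"patient_id": "P009", "country": "DE", "diagnosis": "common_cancer_Y", "birth_decade": 1960},
    {"patient_id": "P010", "country": "DE", "diagnosis": "common_cancer_Y", "birth_decade": 1970},
    {"patient_id": "P011", "country": "DE", "diagnosis": "common_cancer_Y", "birth_decade": 1970},
]


def pseudonymise(records):
    """Replace the direct identifier with a salted hash.

    This is pseudonymisation: whoever holds SALT can re-link the token to the
    patient, and every other field is left exactly as it was.
    """
    out = []
    for r in records:
        token = hashlib.sha256(SALT + r["patient_id"].encode()).hexdigest()[:16]
        out.append({**r, "patient_id": token})
    return out


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class (0 for an empty extract)."""
    counts = equivalence_classes(records, quasi_identifiers)
    return min(counts.values()) if counts else 0


def risky_classes(records, quasi_identifiers, k):
    """Quasi-identifier combinations shared by fewer than k records."""
    counts = equivalence_classes(records, quasi_identifiers)
    return {key: n for key, n in counts.items() if n < k}


def generalise(records, field, mapping):
    """Coarsen one field (e.g. country -> region) to merge small classes."""
    return [{**r, field: mapping.get(r[field], r[field])} for r in records]


if __name__ == "__main__":
    qi = ("country", "diagnosis")
    print("k over raw extract:", k_anonymity(RAW_RECORDS, qi))
    print("k after hashing patient_id:", k_anonymity(pseudonymise(RAW_RECORDS), qi))
    print("classes below k=3:", risky_classes(RAW_RECORDS, qi, 3))
    print("k with birth decade added:", k_anonymity(RAW_RECORDS, qi + ("birth_decade",)))
    regional = generalise(RAW_RECORDS, "country", {"IE": "EU", "DE": "EU"})
    print("k after generalising country to region:", k_anonymity(regional, qi))
```

With country and diagnosis as quasi-identifiers the two Irish rare-cancer records form a class of size 2, so k is 2 before and after hashing the patient ID; adding birth decade drops k to 1, and generalising country to a region raises it to 5. The threshold k to require, and which fields count as quasi-identifiers, are governance decisions the check itself cannot make.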

There is also a separation between patient data, which pharma-specific regulation requires to be handled cautiously, and data about customers such as vendors and healthcare professionals. Jason explains that technology is vital in managing this division: which data can and cannot be processed, and the data governance of where the data came from and what consents have been given.

