National and state governments are enacting laws to protect personally identifiable information (PII) from use without the data subject's consent. Additionally, federal regulations are in place to safeguard protected health information (PHI). A few examples of such laws active today are the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act of 2018 (CCPA), and the Massachusetts Data Protection Act.

These regulations protect and empower people with rights to data privacy, including the:

  • Right to know what types of information are collected and from what sources.
  • Right to be told why data is collected and how it is intended to be used.
  • Right to access or request copies of their personal data.
  • Right to rectify incorrect data that is being maintained about them.
  • Right to be forgotten by asking for the deletion of their personal information.
  • Right to opt out of the sale of their personal information.
  • Right to remedies when their data is breached or disclosed to unauthorized parties.

Mike Ciaccio is a senior consultant who specializes in Commercial and Medical Affairs IT systems. He has worked with a variety of small and large life sciences companies to implement critical systems and set up innovative IT-enabled business processes.

Significance for Biopharmaceutical Companies

Biopharmaceutical companies of all sizes collect both PII and PHI from customers, vendors, patients, and current, former, and prospective employees. From a business perspective, these mandates provide the guidelines for implementing policies and procedures for managing consumer data. They also outline mechanisms for ensuring ongoing compliance and governance of data protection, and set out how data is to be collected, stored, managed, and shared with third parties.

Failure to comply with data privacy regulations can lead to statutory repercussions, such as fines and penalties, and even litigation. Such consequences damage the company's brand and reputation among patients and industry peers. Moreover, unauthorized disclosure of patient data can also lead to:

  • Delays in clinical trials and regulatory approvals where regulatory authorities order additional government investigations.
  • Interruption or disruption of research and development activities due to litigation against the company.
  • Loss of trust between the company and its patients, physicians, and business partners (e.g., between a pharma company and its contract clinical research organization).

Conversely, having safeguards in place to identify and protect PII and PHI can deliver benefits beyond regulatory compliance. It can trigger improvements in business processes and data management practices. It can help streamline the flow of data within the organization and increase transparency, which in turn makes reporting to senior management easier and supports faster decision-making. Additionally, with greater awareness of where its sensitive data lives and how it is exposed, a company can develop appropriate risk mitigation strategies as needed.

What You Should Do

Given the significance of PII and PHI to biopharmaceutical companies, it is paramount to handle and safeguard this data properly. A few considerations to keep in mind are:

Develop and publish privacy policies and procedures

Encourage collaboration between the IT, legal, and compliance teams to align policies with the current regulations in every region where the company operates. Management should take corrective action to address any gaps. The policies should be clear and self-explanatory, and should explicitly call out the rights of data subjects. Revisit and revise the procedures periodically to stay current as regulations evolve.

Create a system and data inventory

Using these policies as a guidepost, conduct a data inventory to identify where in your current digital ecosystem PII and PHI are collected, stored, and shared, and which systems and people have access to them. Then develop and implement safeguards to protect that data from unauthorized access.

Invest in training employees

Employees with access to data platforms should understand their responsibilities for protecting PII and PHI. Employees who handle data and are aware of the consequences of policy violations are less likely to deviate from policy. Update employees at regular intervals on new security risks and on any vulnerabilities that have been identified.

Build a management review

Establish an internal review process to keep security practices in compliance over time. Also schedule periodic audits to test internal IT controls and data access restrictions, and to detect data breaches.

Taken together, these recommendations help management establish a culture that supports data privacy. They build transparency, accountability, and consistent execution of data protection strategies. Furthermore, they facilitate appropriate sharing of information with partners throughout the supply chain ecosystem.

Additionally, biopharmaceutical companies should be aware of the Health Insurance Portability and Accountability Act (HIPAA), which governs PHI. Unlike the legislation mentioned earlier, HIPAA does not directly apply to the pharmaceutical industry as a whole. However, such companies are indirectly affected through their interactions with providers, payors, patients, and others that do have HIPAA compliance obligations, and a company that handles PHI on behalf of a covered entity can itself take on business associate obligations under HIPAA. Hence, it still makes good business sense to enact data privacy protections that allow HIPAA-covered partners to meet their own obligations, and to ensure proper use of PHI within the organization to protect patient privacy.


  • New data privacy regulations will continue to be enacted, and existing laws will evolve over time. Every company is responsible for staying up to date and compliant with the laws that apply to it.
  • All biopharmaceutical companies, whether large or small, must plan for and implement comprehensive data privacy controls, and establish mechanisms to govern them.
  • As with other critical compliance requirements in the industry, biopharma companies should establish and maintain appropriate policies and procedures, identify the PII and PHI in their possession, invest in training employees, and build a culture that promotes and supports the protection of personal information.