Life Science and GDPR. What to look for when complying with data protection?

General Data Protection Regulation (GDPR) implementation in the Life Science industry can be very challenging. Definition of personal data is broad, so in this business, you are storing and processing standard personal data like name or identification numbers and data about a person’s health, DNA sequence or physiological conditions. People must have knowledge of how and who is processing their data; they also have the right to edit, delete or export their data.

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

– Definition of personal data from GDPR Law

Your company needs to be transparent to individuals whose data is processed. But you must also remember that Salesforce is processing this data during, for example, the administration process. You can check “Trust and Compliance Documentation” documents created by Salesforce to gain knowledge about all companies that are gaining access to your customer data and also information about data centre physical localisation. If you need a more legal document, a “DATA PROCESSING ADDENDUM” is ready for your legal team to analyse.
Any person has the right to be forgotten based on GDP guidelines. For example, if you store personal data in a Contact object, it is as easy as clicking one button, but when you store and use other personal data in custom objects, it can be challenging to find out which records should be deleted or adequately anonymised.
The best way to analyse where personal data is stored in an existing system is using SOSL queries, Object Manager and Schema Builder. The next step is to use your most experienced Salesforce Developers and Architect to deliver a simple to use and well-documented process to delete or irreversibly anonymise data.
If your company is not using only Salesforce to manage personal data, you should consider the usage of the Master Data Management System to store personal information. If a person wants to be forgotten, you should not store data in any system in your company. But what about when a person wants to export all their personal data from all systems. It can be very time-consuming, but you must prepare this export to comply with GDPR law. Usage of MDM solutions in Salesforce can be simplified to the configuration of Salesforce Connect.
A person has the right to adjust their data. You can do it by preparing some manual process or leveraging the usage of Salesforce ExperienceCloud (previously Community Cloud). The cost of this solution can be higher, but your company will not only be GDPR compliant, but also your customer will update their data by themselves. If you want a button to “start to forget me” or export data processes, this is also the place. Community-based on Salesforce brings a lot of other values like improved brand awareness and customer loyalty which can enable new selling channels. There’s also a space for improving time to market, thanks to the ease of configuration and management.
Every GDPR request should be stored and contain this request’s status. If some automation fails, your developers or support team can retry requests using this data. Make sure to monitor this data. You can use custom objects in addition to scheduled reports for that.

PRO-TIPS:

PRO-TIP 1: Encrypting data instead of deleting it is not the right way. Anonymisation should be irreversible from the perspective of the right to be forgotten.
PRO-TIP 2: Automatisation should be prepared for at least the Forget Me process. You can leverage Service Oriented Architecture or Master Data Management solutions to get information about a person who wants to be forgotten by another system in your company
PRO-TIP 3: Exporting all personal data can be very challenging. Make sure you are prepared for this request, even if it is very rare for people to want that.