Bayer’s US-based data privacy manager Catalina Morales says that, with regulators increasingly clamping down on pharmaceutical companies, abiding by the law while not restricting commercial activity is a challenge.
Leaders League. Describe your typical day.
Catalina Morales. Maintaining and keeping data processing activities up to date. If any process changes, we have a tool we use to update our records. If it’s a new digital system/application request, we have other risk-analysis systems, and our IT people need to go through various stages before the application can be accepted and go live, such as a data privacy stage where they involve the data privacy managers so we can check whatever’s necessary for that application.
So basically, sitting down with the business leaders to discuss their needs and the data privacy angle of any new process they want to engage in. I perform a lot of onboarding and continuous data privacy training, for new employees, suppliers or current employees, from all areas, levels and divisions within the company.
There’s also a lot of checking if we need to modify or update existing local consent forms, statements and policies. I coordinate with our global data privacy headquarters when any new requirement needs to be implemented in the region, or any changes need to be reviewed from our local perspective. I also process any data subject requests, and any breach incidents or data losses that occur in our region. And since I’m a more general legal counsel beyond data privacy, I handle commercial contracts and corporate topics that may include labor law-related matters.
How has the data privacy team at Bayer changed its approach to its work post-GDPR?
The GDPR greatly helped to consolidate the global data privacy team. We had a data privacy team before, of course, but our importance in relation to the business divisions has increased. Now, the business helps us, as part of their day-to-day activities, to ensure our activities are data privacy-compliant.
The GDPR changed our structures, too. Before, we didn’t even have a formal RoPA [Record of Processing Activities]. Each country could have had its own processes identified locally, if it had a record at all. The GDPR made the company take a more serious approach, where each country now must have its own RoPA within our digital tool, harmonizable worldwide, so we had to roll out that tool accordingly. It made the whole thing more orderly, and gave us more control over the actual processing activities that collect personal data within the company as a whole.
Other than data being sacrosanct post-GDPR, have you observed any other interesting trends or developments in pharmaceutical data privacy?
Besides the GDPR and the CCPA [California Consumer Privacy Act, 2018], there’s also the HIPAA [Health Insurance Portability and Accountability Act, 1996], which affects us because we use so much clinical information. We also have a lot of local legislation, such as in Central America, which relates to clinical trials. We need to keep on top of all of these. Every day, regulators are getting stricter and stricter; we need to be able to work around that, understanding their requirements and abiding by the law while not [hamstringing] pharmaceutical companies. Currently, the regulations are very strict but aren’t prohibiting our business at all.
Data is driving much of the profit of the healthcare sector, particularly in AI, yet it must be protected. How do you balance the imperatives of innovation, profit and data privacy?
It’s not that we don’t use data, but most of the data we use is aggregated. We try to anonymize, or even unidentify, the data. Even in clinical trials, we unidentify the subjects for reasons far simpler than AI – partly just to see how the data works. That provides us with new insights. When creating new products, we do our utmost with aggregated data.
There’s always going to be a part of the business that says, “I want to have more information, I want to identify the subjects.” And that’s where we come in: we sit them down, ask if it’s really necessary, and ask what purpose justifies them having this personal data. Still, using aggregated data isn’t always possible. In those cases, we need to mitigate the risk and implement data privacy measures. That’s why I love data privacy – it’s never black and white. There’s always a gray area, and we need to proceed on a case-by-case basis.
In 2018, Bayer was targeted by a cyberattack that probably came from China. Fortunately, no data were stolen, but how has Bayer been strengthening its immunity to third-party attacks?
We have a big cybersecurity department now, especially since the merger with Monsanto. We’re gaining more insights all the time. Every day, hackers implement new ways of attacking us; we always need to be on top of that. We do have a great internal system, if not within data privacy then within IT more widely. From a global perspective, our data privacy team does have involvement in cybersecurity measures; they belong to a kind of steering committee that keeps us informed weekly of any situation and any risks we need to consider.
Naturally, if an incident happens, we don’t wait for the weekly meeting – we have internal protocols to follow! Of course, we could never rule out another incident, but we’re more prepared than in previous years.
“The current regulations are very strict – but aren’t prohibiting our business at all”
Other than clinical trials and AI, in what other areas of healthcare does Bayer need to be especially careful around data?
Patient support programmes, where we explain to patients directly how to ingest or inject their medicine, or what side effects might be induced. We do have sensitive patient-related healthcare data there, such as what medicines they’ve taken previously. From a global perspective, this is one of the biggest things that makes Bayer well-known at local level – we have these fairly hands-on programmes that help locals who aren’t necessarily well versed in how to use the medicine. It does require some collection of data, so we know what and whom we’re treating. What we do with the data depends on our purpose at that time: we might store them and keep them for future reference, or if it’s for reporting we aggregate them.
Have you become more reliant on technology to mitigate data breach risk?
We have been more reliant on it: technology can bring standardization across the company. But yes, it also brings risk. We do strong due diligence on the suppliers and vendors of our technology; we also develop internal applications where possible, for which we take the requisite technical and organizational measures to cover any security risk. But we need to be on top of digitalization, because that’s where the world is going. And we like that! Data protection is a very digital topic. So to be secure, we need to tackle risk from the beginning: from IT and procurement to targeted training on how to identify good suppliers and check their security measures, seeing if they’re from EU-whitelisted countries and so on.
In terms of streamlining procedures, do you have any tips for other pharmaceutical data privacy counsel?
SOPs – standard operating procedures – will be your basic day-to-day work. Everyone in the data privacy team needs to know what they can and cannot do. They’re the ones that’ll be replicating the right measures and processes, so there needs to be standardization there. Every country has its specifics, which is why, when we roll out our standard procedures, we allow local modifications if it’s a regulatory requirement on their end. So if your local law is stricter than our policy, you can deviate a little. Yet, if local law isn’t that strict, you need to abide by the Bayer policy as a minimum.