European Pharmaceutical Review: Our 5 Steps to GDPR Compliance

The General Data Protection Regulation (GDPR) is a new set of EU rules governing how a company manages, protects and administers personal data. Whether you are a subscriber, author, advertiser or supplier to our journal, we may hold information about you and we need to keep it private and secure.

The team at European Pharmaceutical Review has spent nearly a year getting ready for GDPR. We take data protection seriously, which is why we have prepared this document to share the 5 key steps we decided to take to ensure we are GDPR compliant now and in the future.

Our 5 Steps to GDPR

Step 1. Awareness

In early 2017, key members of our data and marketing teams attended industry conferences and training sessions with speakers from leading organisations such as the Information Commissioner’s Office and Direct Marketing Association, to assess the new legal obligations and to understand any impacts on how European Pharmaceutical Review conducts its business.

Over several months we then drew up a plan of action. This included internal workshops across all departments at European Pharmaceutical Review, so that every member of the team, whether they work in Sales, Marketing, Editorial, Events, Accounts or Senior Management, was made fully aware of the new legislation.

Together, we discussed how we all play a part in protecting our readers’, suppliers’ and advertisers’ personal data.

Data protection and GDPR is something every member of staff should be aware of.

Step 2. Audit + Clarity

Tim Martin, Head of Data

A vital start to our journey to GDPR compliance was conducting a rigorous data audit, ensuring we had traceability for all our records (see Consent & Legitimate Interest Step 5 below). You can only move forward with GDPR by looking back at your data’s past to understand what you are currently managing.

It was a painstaking process for our Head of Data (and new GDPR Compliance Officer) Tim Martin and his team, but they identified all the personal data we currently hold and went through record-by-record, deleting anything which was not compliant.

As luck would have it, Russell Publishing, the publishers of European Pharmaceutical Review, had also invested in a completely new Customer Relationship Management (CRM) database, which meant most of our auditing had already started, so the two projects could run side-by-side. The new CRM also features ‘Contact Preference Centres’ allowing anyone we email to change their preferences easily and securely.

Rolled in with the Audit was a root-and-branch review of our Terms and Conditions and Privacy Policy. It was no surprise to find that over the course of time, both of these pages had become littered with legal jargon. We felt they needed improving to meet GDPR guidelines on clarity. If you click to view them now, we hope you agree they are much easier to read and that they give our users a clearer idea of how we use and protect their data.

Know your data, and know where it came from – only then can you be GDPR compliant.

Step 3. Communication

We conducted the groundwork, we assessed best practice and we also cleaned our data. Now we needed to communicate our new policies to our audience.

Our marketing team prepared a number of short, simple messages, and sent them to our audience in advance of the 25 May deadline, explaining our approach to GDPR and notifying everyone of our new terms and conditions and privacy policies.

 

We also decided to prepare this document (the one you are reading now) as another way to communicate to our audience – and we hope you are finding it informative and reassuring.

Tell your contacts, be open, be clear.

Step 4. Process

An essential part of GDPR compliance, and Step 4 of our action plan, was to check our data procedures, to ensure they cover all the rights individuals have. This included establishing a clear process for deleting personal data and enabling ‘Subject Access Requests (SAR)’ from anyone appearing in our database. Under GDPR, data subjects have the right to request:

  • Confirmation that their data is being processed by us (i.e. we have a record on our database with their details, and we have a clear source)
  • Access to their personal data
  • Other supplementary information (which should correspond to the information outlined in our privacy policy and terms and conditions)  

European Pharmaceutical Review now has a process in place for any SARs, which includes the following vital criteria in order to meet GDPR guidelines:

  • Any information requested must be given free of charge
  • Any information requested must be provided without delay and within a month
  • Data subjects can make requests easily, including electronically

 

Respect every individual’s data rights and establish a process for Subject Access Requests and deletion.

Step 5. Consent & Legitimate Interest

Article 6 of the GDPR sets out six lawful bases for processing personal data:          

  1. Consent: the individual has given clear consent to process their personal data for a specific purpose.
  2. Contract: the processing is necessary for a contract with the individual, or because they have asked to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

The final, and some would say most important, step European Pharmaceutical Review decided to take was to confirm our approach to data acquisition and future marketing. We value our readers enough to know that when they give consent to subscribe to our journal, they trust us with their data. Equally, we value our wider audience enough to know that relevance and targeted marketing are the way forward – gone are the days of buying in poor quality lists or followers.

GDPR has been an opportunity for our brand to reaffirm what has always been our approach to growing our readership, namely, that we will continue to focus on organic growth, with both consent and legitimate interest the primary (but not exclusive) methods for us holding personal data.

We based this on published guidelines from the Information Commissioner’s Office, which state:

“You should consider which lawful basis best fits the circumstances. You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the GDPR.”

Consent

European Pharmaceutical Review will never sell or pass a contact’s data to any third party without their express permission. When a user completes our simple subscription form or downloads any materials from the site they must opt in to be contacted by the third party.

Legitimate Interest

European Pharmaceutical Review uses three elements to assess a contact’s legitimate interest in our content:

  • Does the contact have a legitimate interest?
  • Do we need to process the data to achieve it?
  • How do we balance it against the individual’s interests, rights and freedoms?

In compliance with Step 4 above, anyone making a Subject Access Request will be informed by us of where we sourced their data, what data we hold, and why we hold it. Our preferences centre and easy unsubscribe enable our audience to control communications from us and, should they choose to be deleted, our processes will allow us to do so quickly and compliantly.

Establish the lawful basis for holding any personal data and keep full traceability in your database.

GDPR Compliance = Peace of mind for our Readers and Advertisers

By taking the 5 Steps above to achieve GDPR compliance, European Pharmaceutical Review will continue to deliver great content that is relevant to our readers. We like making connections and helping people to discover new solutions as well as to learn and hear about the latest developments from all areas of the industry.

European Pharmaceutical Review’s purpose is to act as a voice for the industry, and we feel strongly that our advertisers also have something of value and interest to say to our readers. Many of our advertisers are just as forward thinking as we are, and with GDPR in place, they wouldn’t work with us if we didn’t meet these high standards.

 

If you would like to know about our advertising opportunities and the peace of mind our GDPR compliant media channels can offer your business, please contact [email protected]

About us

European Pharmaceutical Review is one of the leading sources of news, analysis, products, services and research communities in the industry. We publish content every day on our website, or as digital documents in a range of easy-to-use formats, such as PDFs and graphics, or as high-quality print periodicals.