Leo Sloesen is CFO at GCO. He is also lead consultant for the development of a new consultancy branch of the organization and as such has been very involved with the recently introduced GDPR (General Data Protection Regulation).
The introduction of the GDPR marks one of the biggest changes in privacy laws we have seen in decades, why do you think this was necessary?
I believe that privacy is extremely valuable, while undervalued by many. With the GDPR we have made significant improvements in the protection of Europeans, even when they venture outside of the European Union. I do however feel that improvements could have been made in how the GDPR was implemented. We don’t yet know how effective the GDPR will be and we don’t yet know how far these laws will extend. I believe that the framework proposed by the GDPR is excellent, but the penalties for non-compliance are severe by European standards. Large corporations have been given no choice but to take the GDPR seriously, but we also see that companies struggle with the interpretation of the GDPR legislation. An example can be seen in companies selling products online; they might ask their customers explicitly for consent to store their personal data while their personal data was already necessary to complete the purchase process. Companies might explicitly ask for permission to store personal data, but fail to offer the tools needed to view, edit or delete personal data when this is also required.
Is the Pharma and Life Sciences industry affected differently by the GDPR than other industries?
At first glance, no. Companies in the Pharma and Life Sciences industry often deal with even more sensitive personal information than companies in other industries, including patient records and clinical trial documentation. However, the handling of such information is usually out of scope in the services offered by GCO, as protocols for handling this type of information have long existed and already sufficed in terms of protecting people’s privacy. GDPR hasn’t changed that.
What do you consider to be the main hurdles for global companies in terms of compliance with the GDPR?
I believe that one of the main hurdles is that global companies sometimes believe that EU legislation doesn’t concern them. During a recent masterclass, I heard someone ask “Why would we, as Americans, concern ourselves with this?” The answer is that if you want to act globally you need to respect legislation globally, and you will be better off adhering to the most stringent regulations when it comes to privacy to prevent rifts, both internally and externally. If you adhere to the strictest regulations and apply those as if they were your own, you will ensure consistency. Outperforming local regulations is allowed, but breaching local regulations is not.
How can GCO help companies overcome these hurdles?
It is important for management to realize that corporate policy must be aligned with GDPR legislation. Because GCO is based in Europe and deals with GDPR daily, GCO is more than capable of helping clients implement the strict GDPR protocols. In addition, GCO is able to translate abstract regulation into tangible compliance measures for meetings and events, our area of expertise. Visitors to meetings and events want interaction, so an important question our clients face is how interaction can be facilitated while adhering to the necessary protocols.
Forbes published an interesting article about 15 unexpected consequences of GDPR, which included barriers for innovation as certain types of information could no longer be gathered for research purposes, or poorer service as a result of not being able to store and retrieve personal data. For me, one of the most striking unexpected consequences was the mention of restricted technology access for EU citizens. EU citizens could possibly be excluded from accessing innovative technology through apps or other data platforms when the (personal) data that is needed for it cannot be obtained. Reversely, this may mean smaller target audiences for companies outside the EU. It may even impact the way we develop websites in the future for international audiences. We will find out exactly how far this piece of legislation will go, when individual cases are dealt with in court.
Are you saying that the current legislation leaves room for interpretation?
Any new piece of legislation will only find its true interpretation in society when individual cases are taken to trial. Any elements that may now still be open to interpretation will eventually become common law, changing from something abstract into something more concrete.
What sets GCO apart from competitors in light of the GDPR?
Many companies offer GDPR-related services, including the major consulting firms, often with a broad scope. GCO offers consultancy within the specific context of meetings and events in the Pharma and Life Sciences industry. This is especially useful when it comes to exceptions that are specific to Pharma and Life Sciences, such as open payments reporting. Because GCO is specialized in this field, GCO is not only able to give better advice but is able to help clients effectively implement any necessary changes.
Have you noticed any changes in the GCO organization with the introduction of the GDPR?
Of course the GDPR has resulted in changes, because the GDPR has introduced requirements that did not exist before. We have had to make some technical changes, but the impact was minimal as GCO already had stringent privacy and security measures in place before the GDPR was introduced. We did for example set up a process register so we can see where data is being stored and for what purpose. The GDPR forced us to really take a good look at our own policies. We even audited ourselves, both to test our newly developed GDPR compliance audit and to make sure that we had not overlooked anything. GCO is already ISO 27001 certified, but we should always keep an eye out for new ways in which we can improve ourselves.