Compliance Is Mandatory. Complexity Is Not. Improving Global Compliance for the Life Science Industry

Uploaded by hathu, 28-Jul-2018

Compliance Is Mandatory.

Complexity Is Not.™

Improving Global Compliance for the Life Science Industry

Confidential — Do not distribute

medispend.com

Building the Next Generation Global Transparency Program

A Case Based Roadmap to Improve Compliance, Gain Efficiencies and Demonstrate Value

14th Annual PCC 2017, CBI's Pharmaceutical Compliance Congress, April 26-28, 2017, The Ritz-Carlton, Washington, DC


Agenda

Understand upstream compliance drivers

Cloud-first technology

Case Based Roadmap

Complex global enterprise moves from legacy to cloud

Evolving pharma company builds cloud compliance program


Upstream Compliance Drivers

Proliferation of global transparency reporting

Enterprise systems moving to the cloud

Data collection and processing automation

Availability of off-the-shelf (OTS) analytics and BI tools

Rapidly changing environment regarding data privacy

Transparency Laws Proliferate Globally

(Timeline figure, 2008 to 2018, with two tracks: US Reporting and OUS Reporting.)


Laws & Codes: Global Reporting Requirements

Column key (the original table marks, per jurisdiction, which of the following apply):

Law

Code: EFPIA, MedTech Europe, EUCOMED

Country association provides a platform for the manufacturer to submit disclosure data

Governmental body provides a central platform for the manufacturer to submit disclosures

Country association provides a page with links to disclosures posted by the manufacturer

Manufacturer posts disclosures on the manufacturer's own website

Jurisdictions 1-12: Australia, Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany


Jurisdictions 13-27 (same columns as above): Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania


Jurisdictions 28-43 (same columns as above): Russia, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, UK, Ukraine, US Federal, US States - Pharma* (4), Saudi Arabia, Scotland, South Korea, Chile


United States Transparency & Aggregate Spend Laws

Column key: Pharma* law; manufacturer emails disclosure to the state governing body; state provides a central platform for the manufacturer to submit disclosures

US Open Payments

US - Connecticut

US - Washington, DC

US - Massachusetts

US - Minnesota

US - Vermont

43 countries with transparency laws or codes… but wait


On the horizon

Saudi Arabia's FDA released a first draft initiative for transparency reporting by pharmaceutical companies

Scotland is rumored to be working toward enacting legislation with transparency reporting requirements

South Korea is moving forward with amending the KRPIA Code of Conduct to include transparency reporting requirements

EFPIA is adding a self-certification requirement to accompany disclosure

MedTech is adding transparency requirements and a ban on direct sponsorships to its Code of Ethics

EGA (European Generic and biosimilar medicines Association) adopted a Disclosure Code for the generic, biosimilar and value added medicines industry

General Data Protection Regulation (GDPR)


Who is responsible for GDPR in your organization today? (survey results)

Chief Compliance Officer (CCO): 11%

Data Privacy Officer (DPO): 39%

General Counsel (GC): 11%

Yet to be determined: 39%


Where is your company on the GDPR readiness scale? (survey results)

This is the first I've heard about GDPR: 31%

We are almost GDPR compliant: 6%

We are conducting our assessment and/or seeking help: 25%

We've completed our readiness assessment and in process…

April 14, 2016: approved by EU Parliament

May 25, 2018: enforcement date

Source: Wall Street Journal, April 13, 2017

Different Approaches to Privacy (figure comparing the United States and Europe)


GDPR - Introduction

The GDPR is intended to harmonize data protection law across the EU and replaces the Data Protection Directive (95/46/EC)

Entered into force on May 24, 2016. The GDPR applies (and is enforceable) from May 25, 2018. Life science companies have a limited window to ensure that their data processing activities are GDPR compliant

Organizations affected: all organizations established in the EU, and organizations outside the EU that

offer goods or services to EU data subjects, or

monitor the behavior of EU data subjects


General Requirements of GDPR (requirement, and how to comply)

Processing must be "fair and lawful": Fair means giving data subjects clear and transparent notice of the ways in which, and the purposes for which, their personal data will be processed. Lawful means complying with the GDPR and other applicable laws.

Have the Data Protection Principles been satisfied? Ensure that processing activities comply with all Data Protection Principles (e.g., purpose limitation; data minimization; data retention; data security obligations).

Is there a lawful basis for processing "regular" personal data? Satisfy at least one lawful basis for each processing activity: consent; legitimate interests; contractual necessity; compliance with legal obligations.

Is there a lawful transfer mechanism for cross-border transfers? Statutory permission; Model Clauses; Binding Corporate Rules; or the transfer is made to an Adequate Jurisdiction.


Risk Areas Analysis (high, medium and low risk)

High risk: large scale processing of sensitive personal data (e.g. clinical trial data)

Medium risk: large scale processing of personal data (CRM, transparency reporting, etc.)

Low risk: anonymized or pseudonymized data

Also flagged: automated profiling activities, including tracking of users on the company website

Also flagged: processing personal data of vulnerable individuals (e.g. children in clinical trials)

Consider steps to reduce the risk associated with processing data


Scope of GDPR

The GDPR applies to the processing of personal data:

by automated means (e.g., a computerized system or database); and

by other, non-automated means, where the data form part of (or are intended to form part of) a filing system

The GDPR applies to natural and legal persons, public authorities, agencies and other bodies which process personal data

Exceptions apply for national security, purely personal or household processing, etc.


GDPR – Is this More of the Same?


Who does the GDPR affect?

Data Subject, Controller, Processor

Increased rights of individuals

All companies, including international firms, doing business with individuals located in EU member nation territory must comply with the law's far-reaching provisions

All living EU individuals' identifiable personal information, regardless of where it is sent, processed or stored, must be protected, and the organization must be able to demonstrate that protection


Key Definitions (term and definition)

Personal data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier.

Sensitive personal data: "Sensitive Personal Data" are personal data revealing racial or ethnic origin . . . data concerning health . . . genetic data or biometric data.

Anonymized data: No individual can be identified from the data (whether directly or indirectly) by any means or by any person. Anonymizing data is a technically complex task.

Pseudonymous data: Sets of data are amended so that no individual can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified (e.g. clinical trial data).

Consent: "The consent of the data subject" means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
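The difference between the two definitions above (anonymized data that nobody can re-identify, versus pseudonymous data that can be re-identified only with a "key") is easiest to see in code. The following Python is an added example, not code from the deck or from MediSpend: it pseudonymizes a constructed clinical-trial extract with a keyed HMAC token, keeps the re-identification table apart from the pseudonymized records, and shows why an unkeyed hash does not qualify as pseudonymization, since anyone holding a list of candidate e-mail addresses can recompute it. The record layout, field names and sample subjects are assumptions made for the example.

```python
"""Added example: keyed pseudonymisation versus an unkeyed hash.

Not code from the deck. Record layout, field names and sample subjects are
assumptions made for the example; the sample data is constructed, not real.
"""
import hashlib
import hmac
import secrets

# Constructed sample extract (not real subjects). Name and e-mail are the
# direct identifiers; site and outcome are the analytic payload we keep.
SAMPLE_RECORDS = [
    {"subject_name": "Alice Example", "email": "Alice@Example.org",
     "site": "DE-01", "outcome": "responder"},
    {"subject_name": "Bob Sample", "email": "bob@example.org",
     "site": "FR-02", "outcome": "non-responder"},
    {"subject_name": "Carol Test", "email": "carol@example.org",
     "site": "DE-01", "outcome": "responder"},
]
DIRECT_IDENTIFIERS = ("subject_name", "email")
TOKEN_HEX_LEN = 16  # 64-bit token: enough as a linkage key for a small trial


def normalise(value):
    """Canonicalise an identifier so 'Alice@Example.org ' and 'alice@example.org'
    map to the same token."""
    return value.strip().lower()


def keyed_token(value, key):
    """Pseudonym: HMAC-SHA256 under a secret key held by the data controller."""
    return hmac.new(key, normalise(value).encode(), hashlib.sha256).hexdigest()[:TOKEN_HEX_LEN]


def unkeyed_token(value):
    """Plain SHA-256: anyone who can guess the input can recompute this."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()[:TOKEN_HEX_LEN]


def pseudonymise(records, key):
    """Strip direct identifiers, replace them with a keyed token, and return
    (pseudonymised records, re-identification table). The table is the GDPR
    "key" and must be stored and access-controlled separately from the records."""
    pseudo, reid = [], {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo.append({"subject_id": token, **payload})
        reid[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return pseudo, reid


def reidentify(pseudo_record, reid_table):
    """Authorised path back to the person: works only with the separate table."""
    return reid_table.get(pseudo_record["subject_id"])


def dictionary_attack(token, candidate_emails, key=None):
    """Attacker model: recompute tokens for guessed e-mails and compare.
    Without the key the attacker can only try the unkeyed construction, which
    never matches a keyed token. With the key (or against an unkeyed token) a
    guess succeeds, and the "pseudonym" is really just a lookup."""
    for cand in candidate_emails:
        guess = keyed_token(cand, key) if key is not None else unkeyed_token(cand)
        if hmac.compare_digest(guess, token):
            return normalise(cand)
    return None


def new_key():
    """Fresh 256-bit pseudonymisation key; in practice this lives in a KMS/HSM."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    pseudo, reid = pseudonymise(SAMPLE_RECORDS, key)
    guesses = [r["email"] for r in SAMPLE_RECORDS]
    print(pseudo[0])                                              # no name, no e-mail
    print(reidentify(pseudo[0], reid))                            # authorised re-identification
    print(dictionary_attack(pseudo[0]["subject_id"], guesses))    # None: key is needed
    print(dictionary_attack(unkeyed_token(guesses[0]), guesses))  # alice@example.org
```

The design point for the "low risk" classification on the risk slide: the records are only pseudonymous while the key and the re-identification table are held by a different role and system than the analysts; if the key is stored next to the data (or the token is an unkeyed hash), the data are effectively still personal data in full.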


Personal Data Processed on a Lawful Basis

Consent - Consent remains a valid lawful basis under the GDPR, but becomes significantly more difficult to obtain

Contractual necessity - Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject, or in order to take steps at his or her request prior to entering into a contract

Compliance with legal obligations - Processing is permitted if it is necessary for compliance with a legal obligation to which the controller is subject

Legitimate interests (listed on the earlier slide) - Processing is permitted if it is necessary for the controller's legitimate interests, unless those are overridden by the interests or fundamental rights of the data subject


Consent as lawful basis for data processing

Consent must be freely given: consider the relationship (and any imbalance of power) between the controller and the data subject

Is performance of a contract conditioned on consent to processing that is not required for that contract? If so, the consent is presumed not to be freely given

Consent must specify the exact purpose of processing; no blanket consent

Consent must be informed: the nature of the processing, the identity of the controller and the purpose, in clear language

Any method is acceptable (verbal, written, check-box, conduct) provided it is a clear affirmative action; silence, pre-ticked boxes or inactivity do not count

The controller must be able to demonstrate that it has obtained valid consent

Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it

(GDPR Rec. 32, 43; Art. 7(4); WP29 Opinion 15/2011)


Responsibilities of Data Controllers

Implement appropriate technical and organizational security measures: encryption, ongoing security reviews, redundancy/backup, testing

Report personal data breaches to the supervisory authority within 72 hours of becoming aware of them

"Data protection by design and by default" for existing and new processes and systems


Understanding GDPR Readiness

Privacy by design challenges:

How would you build a system to handle privacy?

Where would you put the controls?

Do you replace systems or update them?

At what point are you asking for consent?

How do you manage the right to be forgotten when another law requires you to retain the record, e.g. which law do you break?


Moving Compliance to the Cloud

Reactionary Approach to Transparency Reporting

Disconnected workflows

Isolated enterprise systems

Lack of audit trail

Inability to centralize data

Lack of customization of source systems

Disconnected applications

Cumbersome business systems


Transparency Reporting Problem

Transparency reporting is a by-product of your commercial and R&D operations

Challenges with reporting:

Identifying reportable transactions

Identifying the correct Covered Recipient

Difficulties associated with clinical trial data


Streamline Work Flows and Data Capture

Needs Assessment: establish and document the legitimate business need for the HCE engagement; written agreement; scope of work; fees; compliance obligations and work product

Fair Market Value: repository of pre-set rates based on FMV analysis; ensure consistent FMV payments across your global organization

HCE Engagements: create, validate and manage planned engagements against applicable contracts/HCEs

Transparency Reporting: monitoring dashboards that provide a view into HCE engagement workflows, audit trail and alerts

Contracts: healthcare-entity-specific data capture providing efficient contract and amendment tracking and consent, with advanced search and access controls

Activity Reports: control and substantiate all payments with full visibility of all payments and their upstream ties, helping to negate duplicate payments

HCE Qualifications: centralize and access HCE qualification information, consent, data/files, tier and rate assignment, across the organization


Tools for Transforming Business Processes

Application Programming Interfaces (APIs)

Software-as-a-Service (SaaS), Data-as-a-Service (DaaS), Platform-as-a-Service (PaaS)

Cloud-first technology

Global private clouds, SaaS apps and cloud data storage

Managed cloud apps and services

AI and intelligent apps

Self-service analytics


The Adoption of Cloud Computing

Cloud technology is becoming a staple: 70% of organizations have at least one application in the cloud.

56% of organizations are still identifying IT operations that are candidates for cloud hosting.

Lowering total cost of ownership, replacing on-premise legacy technology and enabling business continuity are the top business goals driving cloud investments.

Source: 2016 IDG Enterprise Cloud Computing Survey


Cloud Tech Facilitates Global Compliance

Integration of enterprise systems with APIs and SaaS solutions

Easy to install and maintain; requires fewer FTEs

Promotes communication, collaboration and transparency

Breaks down barriers internally, between departments and between individual staff members

Transparency between the compliance team, commercial operations and the sales organization

Increases collaboration with colleagues through social tools and workflows

Source: Five Trends Transforming Cloud Computing, Oracle


Case Study: Complex legacy systems

Lacked a single, stable, fully functional HCP engagement and transparency reporting system.

Legacy SAP Ariba system was very costly to maintain and outdated.

Enhancements to the legacy SAP and Oracle systems were very difficult because the systems were highly customized.

Homegrown local-country payment systems lacked functionality and had no interfaces or capability to track payments.

Lacked the ability to manage data privacy and consent across HCEs and transactions.

Extensive manual workarounds were in place to compensate for the lack of investment in legacy systems.

Manual intervention was required to properly stage data for transparency reporting in the aggregate spend system.


Compliance Cloud Solution: Upstream HCP Engagement (goal and result)

Achieve operational efficiencies: replaced legacy systems (two transparency systems; Ariba for all payments and grants processing; two home-grown payment systems)

Mitigate risk: comply with multiple CIAs and DPAs

Drive enhancement to systems: reduced FTE and consultant costs; saved time; compliance readiness

Improve workflows: simplified HCP engagement process; increased transparency

Data collection and use: begin to utilize data to manage and monitor (budget to actual expenses; meet monitoring requirements; provide insight to the business)


How to build your next generation global transparency program (step and stakeholders)

Gather stakeholders and conduct an enterprise systems assessment. Define data flow gaps and manual processes. Stakeholders: CCO, CTO/CIO, DPO, Marketing, Sales, Commercial

Go upstream to the HCE engagement process and identify all source systems and manual processes. Stakeholders: Marketing, Commercial, R&D, CTO, CCO

Analyze current costs to maintain legacy systems, consultant fees and software costs. Include FTE time spent manually processing and analyzing data. Stakeholders: CFO, CTO/CIO, CCO

Modify business process workflows to ensure compliance control points are captured and monitored. Stakeholders: CCO, CFO, Commercial Teams

Select cloud-first technology systems and APIs that can integrate disparate systems, closing the loop on workflow and data movement so that control points are enforced. Stakeholders: CTO/CIO, COO

Embed data analysis tools throughout the entire workflow, with permission-based access to review real-time data for compliance monitoring and business analytics. Stakeholders: CCO, CTO/CIO, Business Teams


Thank you.

Timothy Robinson, General Counsel & CKO, MMIS | MediSpend

Michaeline Daboul, President & CEO, MMIS | MediSpend