Compliance Is Mandatory.
Complexity Is Not.™
Improving Global Compliance for the Life Science Industry
2Confidential — Do not distribute
medispend.com
Building the Next Generation Global Transparency Program
A Case Based Roadmap to Improve Compliance – Gain Efficiencies – Demonstrate Value
14th Annual PCC 2017, CBI’s Pharmaceutical Compliance Congress, April 26 – 28, 2017, The Ritz Carlton – Washington, DC
Agenda
Understand upstream compliance drivers
Cloud-first technology
Case Based Roadmap
Complex global enterprise moves from legacy to cloud
Evolving pharma company builds cloud compliance program
Upstream Compliance Drivers
Proliferation of global transparency reporting
Enterprise systems moving to the cloud
Data collection and processing automation
Availability of off-the-shelf (OTS) analytics and BI tools
Rapidly changing environment regarding data privacy
Transparency Laws Proliferate Globally
[Timeline figure, 2008–2018: US reporting and OUS reporting]
Laws & Codes: Global Reporting Requirements
Columns: Law; Code; EFPIA; MedTech Europe; EUCOMED; Country Association provides platform for Manufacturer to submit disclosure data; Governmental Body provides central platform for Manufacturer to submit disclosures; Country Association provides page with links to disclosures posted by Manufacturer; Manufacturer posts disclosures on Manufacturer's website
1 Australia 1 1 1
2 Austria 1 1
3 Belgium 1 1 1
4 Bulgaria 1 1 1
5 Croatia 1 1
6 Cyprus 1 1
7 Czech Republic 1 1
8 Denmark 1 1 1
9 Estonia 1 1 1
10 Finland 1 1
11 France 1 1 1
12 Germany 1 1
13 Greece 1 1 1
14 Hungary 1 1
15 Iceland 1 1
16 Ireland 1 1
17 Italy 1 1
18 Japan 1 1 1 1
19 Latvia 1 1
20 Lithuania 1 1
21 Luxembourg 1 1
22 Malta 1 1
23 Netherlands 1 1 1
24 Norway 1 1
25 Poland 1 1
26 Portugal 1 1 1
27 Romania 1 1 1
28 Russia 1
29 Serbia 1 1
30 Slovakia 1 1 1
31 Slovenia 1 1
32 Spain 1 1
33 Sweden 1 1
34 Switzerland 1 1
35 Turkey 1 1
36 UK 1 1 1
37 Ukraine 1
38 US Federal 1 1
39 US States – Pharma* 4
40 Saudi Arabia
41 Scotland
42 South Korea
43 Chile
United States Transparency & Aggregate Spend Laws
Columns: Pharma* Law; Manufacturer emails disclosure to State governing body; State provides central platform for Manufacturer to submit disclosures
US Open Payments 1
US - Connecticut 1
US - Washington, DC 1 1
US - Massachusetts 1 1
US - Minnesota 1 1
US - Vermont 1 1
43 Countries with transparency laws or codes… but wait
On the horizon
Saudi Arabia’s FDA released a first draft initiative for transparency reporting by pharmaceutical companies
Scotland is rumored to be working toward enacting legislation with transparency reporting requirements
South Korea is moving forward with amending the KRPIA Code of Conduct to include transparency reporting requirements
EFPIA is adding a self-certification requirement to accompany disclosure
MedTech is adding transparency requirements and a ban on direct sponsorships to its Code of Ethics
EGA (European Generic and Biosimilar medicines Association) adopted a Disclosure Code for the generic, biosimilar and value added medicines industry
Who is responsible for GDPR in your organization today?
Chief Compliance Officer (CCO), 11%
Data Privacy Officer (DPO), 39%
General Counsel (GC), 11%
Yet to be determined, 39%
Where is your company on the GDPR readiness scale?
This is the first I’ve heard about GDPR. 31%
We are almost GDPR compliant. 6%
We are conducting our assessment and/or seeking help. 25%
We’ve completed our readiness assessment and in process.…
GDPR - Introduction
The GDPR is intended to harmonize data protection law across the EU and replaces the EU Data Directive.
Entered into force on May 24, 2016. GDPR enforcement date is May 25, 2018. Life science companies have a limited window to ensure that data processing activities are GDPR compliant.
Organizations affected – all organizations in the EU, and organizations outside the EU that:
Offer goods or services to EU data subjects
Monitor the behavior of EU data subjects
General Requirements of GDPR
GDPR Requirement: Processing must be “fair and lawful”
How to comply: Fair – give data subjects clear and transparent notice of the ways in which, and purposes for which, their personal data will be processed. Lawful – comply with the GDPR and other laws.
GDPR Requirement: Have the Data Protection Principles been satisfied?
How to comply: Ensure that processing activities comply with all Data Protection Principles (e.g., purpose limitation; principle of data minimization; data retention; data security obligations).
GDPR Requirement: Is there a lawful basis for processing "regular" personal data?
How to comply: Satisfy at least one lawful basis for the processing of "regular" personal data in respect of each processing activity – consent; legitimate interests; contractual necessity; compliance with legal obligations.
GDPR Requirement: Lawful data transfer mechanism for cross-border
How to comply: Statutory permission; Model Clauses; Binding Corporate Rules; the transfer is made to an Adequate Jurisdiction.
Risk Areas Analysis (High Risk / Medium Risk / Low Risk)
Large scale processing of personal sensitive data (e.g. Clinical Trial data)
Large scale processing of personal data (CRM, transparency reporting, etc.)
Anonymized or pseudonymized data
Automated profiling activities, including tracking of users on company website
Processing personal data for vulnerable individuals (e.g. children in clinical trials)
Consider steps to reduce the risk associated with processing data
Scope of GDPR
The GDPR applies to the processing of personal data:
by automated means (e.g., a computerized system or database); and
by other (non-automated) means that form part of a relevant filing system
The GDPR applies to natural and legal persons, public authorities, agencies and other bodies which process personal data
Exceptions apply for national security, personal processing, etc.
Who does the GDPR affect?
Increase rights of individuals
All companies—including international firms—doing business with individuals located in EU member nation territory must comply with the law’s far-reaching provisions
All living EU individuals’ identifiable personal information—regardless of where it is sent, processed or stored—must be protected, and proof of protection must be verified
Data Subject – Controller – Processor
Key Definitions
Personal data: "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier.
Sensitive personal data: "Sensitive Personal Data" are personal data revealing racial or ethnic origin . . . data concerning health . . . genetic data or biometric data.
Anonymized data: No individuals can be identified from the data (whether directly or indirectly) by any means or by any person. Anonymizing data is a technically complex task.
Key Definitions, cont.
Pseudonymous data: Sets of data are amended so that no individuals can be identified from those data (whether directly or indirectly) without a "key" that allows the data to be re-identified (e.g. clinical trial data).
Consent: "The consent of the data subject” means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
Personal Data Processed for Lawful Purpose
Consent – Consent remains a valid purpose under the GDPR, but becomes significantly more difficult to obtain
Contractual Necessity - Processing is permitted if it is necessary for the entry into, or performance of, a contract with the data subject or in order to take steps at his or her request prior to the entry into a contract.
Compliance with legal obligations - Processing is permitted if it is necessary for compliance with a legal obligation.
Consent as lawful basis for data processing
Consent must be freely given
Relationship between processor and data subject
Performance of contract conditioned on consent to processing that is not required under contract?
Consent must specify exact purpose of processing – no blanket consent
Consent must be informed. Nature, identity and purpose in clear language
Any method acceptable – verbal, written, check-box, conduct (clear statement)
The controller must demonstrate that it has obtained valid consent
Prior to giving consent, the data subject must be informed of the right to withdraw consent. It must be as easy to withdraw consent as to give it.
(GDPR Rec. 32, 43; Art. 7(4); WP29 Opinion 15/2011)
Responsibilities of Data Controllers
Implement technical and organizational security measures: encryption; on-going security reviews; redundancy/backup; testing
Reporting of data breaches within 72 hours
“Data protection by design” and by default for existing and new processes and systems
Understanding GDPR Readiness
Privacy by design challenges?
How would you build a system to handle privacy?
Where would you put the controls?
Do you replace systems or update them?
At what point are you asking for consent?
How do you manage the right to be forgotten?
e.g. what law do you break?
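The definition slides earlier in the deck separate anonymized data (no one identifiable by any means) from pseudonymous data (identifiable only with a "key"), and the readiness questions just above ask where to put the controls and how to manage the right to be forgotten. The following Python example is added here to illustrate that distinction concretely; it is not part of the original deck or of MediSpend's product. It pseudonymizes a few constructed HCE payment records with HMAC-SHA256 under a key held in a hypothetical PseudonymVault, aggregates spend per subject without the key, and shows erasure of one subject's mapping. The record fields, the vault class and the erase-by-dropping-the-mapping approach are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample HCE payment records (names, IDs and amounts are made up for this example).
SAMPLE_RECORDS: List[dict] = [
    {"hcp_name": "Dr. A. Example", "hcp_id": "HCP-001", "country": "DE", "amount_eur": 1200.0},
    {"hcp_name": "Dr. B. Example", "hcp_id": "HCP-002", "country": "FR", "amount_eur": 300.0},
    {"hcp_name": "Dr. A. Example", "hcp_id": "HCP-001", "country": "DE", "amount_eur": 450.0},
]

# Fields that directly identify the data subject and must not appear in the pseudonymized set.
DIRECT_IDENTIFIERS = ("hcp_name", "hcp_id")


class PseudonymVault:
    """Hypothetical key store: holds the HMAC key and the token -> identity mapping.

    This is the "key" from the GDPR definition: the pseudonymized dataset is only
    re-identifiable by whoever holds this object, so it must live apart from the data
    (separate system, stricter access control, its own audit trail).
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Fresh random key per vault; a real deployment would load it from a KMS/HSM.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, dict] = {}

    def pseudonym_for(self, identity: dict) -> str:
        """Return a stable token for one person and remember the reverse mapping.

        HMAC-SHA256 keyed by the vault secret: the same person always maps to the same
        token (so records can still be aggregated per subject), but the token cannot be
        recomputed from a guessed name without the key, unlike a plain unsalted hash.
        """
        canonical = "|".join(f"{field}={identity[field]}" for field in DIRECT_IDENTIFIERS)
        token = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = dict(identity)
        return token

    def reidentify(self, token: str) -> Optional[dict]:
        """Look a token back up; only possible while the vault still holds the mapping."""
        return self._lookup.get(token)

    def erase(self, token: str) -> bool:
        """Drop one subject's mapping (one way to honour an erasure request).

        Once the mapping is gone, the pseudonymized rows for this token can no longer be
        tied to a person, while aggregate figures already derived from them stay valid.
        Returns False if nothing was stored for the token.
        """
        return self._lookup.pop(token, None) is not None


def pseudonymize(records: List[dict], vault: PseudonymVault) -> List[dict]:
    """Replace the direct identifiers in each record with a vault-issued token."""
    out = []
    for rec in records:
        identity = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_token"] = vault.pseudonym_for(identity)
        out.append(stripped)
    return out


def total_by_subject(pseudo_records: List[dict]) -> Dict[str, float]:
    """Aggregate spend per token: the reporting use case works without the key."""
    totals: Dict[str, float] = {}
    for rec in pseudo_records:
        totals[rec["subject_token"]] = totals.get(rec["subject_token"], 0.0) + rec["amount_eur"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = pseudonymize(SAMPLE_RECORDS, vault)
    print(pseudo)
    print(total_by_subject(pseudo))
    token = pseudo[0]["subject_token"]
    print("before erasure:", vault.reidentify(token))
    vault.erase(token)
    print("after erasure:", vault.reidentify(token))
```

Two caveats a practitioner should keep in mind. The remaining fields (country, amount) are quasi-identifiers and can still single out a person in a small dataset, so the pseudonymized set is still personal data under the definitions above rather than anonymized data. And because the HMAC key survives an erase(), a later record for the same person would recreate the mapping, so a real design pairs per-subject erasure with suppression at intake or with per-subject keys.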
Reactionary Approach to Transparency Reporting
Disconnected workflows
Isolated enterprise systems
Lack of audit trail
Inability to centralize data
Lack customization of source systems
Disconnected applications
Cumbersome business systems
Transparency Reporting Problem
By-product of your commercial and R&D operations
Challenges with reporting:
Identifying reportable transactions
Identifying the correct Covered Recipient
Difficulties associated with clinical trial data
Streamline Work Flows and Data Capture
Needs Assessment – Establish and document legitimate business need for HCE engagement; written agreement; scope of work; fees; compliance obligations and work product
Fair Market Value – Repository of pre-set rates based on FMV analysis; ensure consistent FMV payments across your global organization
HCE Engagements – Create, validate and manage planned engagements against applicable contracts/HCEs
Transparency Reporting – Monitoring dashboards to provide view into HCE engagement workflows, audit trail and alerts
Contracts – Healthcare Entity specific data capture providing efficient contract and amendment tracking, consent, with advanced search and access controls
Activity Reports – Control and substantiate all payments with full visibility to all payments and upstream ties, helping negate duplicate payments
HCE Qualifications – Centralize and access HCE qualification information, consent, data/files, tier and rate assignment, cross-organization
Tools for Transforming Business Processes
Application Program Interfaces (APIs)
Software-as-a-Service (SaaS) – Data-as-a-Service (DaaS) – Platform-as-a-Service (PaaS)
Cloud-first technology
Global Private Clouds and SaaS Apps and data storage
Managed Cloud Apps & Services
AI & Intelligent Apps
Self-service Analytics
The Adoption of Cloud Computing
2016 IDG Enterprise Cloud Computing Survey
Cloud technology is becoming a staple as 70% of organizations have at least one application in the cloud.
56% of organizations are still identifying IT operations that are candidates for cloud hosting
Lowering total cost of ownership, replacing on premise legacy technology and enabling business continuity are the top business goals driving cloud investments.
Cloud Tech Facilitates Global Compliance
Integration of enterprise systems with APIs and SaaS solutions
Easy to install and maintain – requires fewer FTEs
Promote communication, collaboration and transparency
Breaks down barriers, both internally—between departments or individual staff members
Transparency between the compliance team, commercial operations and the sales organization
Increases collaboration with colleagues through social tools and workflows
Five Trends Transforming Cloud Computing, Oracle
Case Study: Complex legacy systems
Lacked a single, stable, and fully functional HCP engagement and transparency reporting system.
Legacy SAP Ariba system is very costly to maintain and the system is outdated.
Legacy SAP and Oracle system enhancements are very difficult due to highly customized systems.
Homegrown local-country payment systems lack functionality and have no interfaces or capability to track payments.
Ability to manage data privacy and consent across HCEs and transactions
Extensive manual workarounds are in place to compensate for lack of investment in legacy systems.
Manual intervention is required to properly stage data for transparency reporting in the aggregate spend system.
Goal: Achieve operational efficiencies
Result: Replaced legacy systems – two transparency systems; Ariba (all payments and grants processing); two home grown payment systems
Goal: Mitigate risk
Result: Comply with multiple CIAs and DPAs
Goal: Drive enhancement to systems
Result: Reduced FTEs and consultant costs; saved time and compliance readiness
Goal: Improve workflows
Result: Simplified HCP engagement process; increased transparency
Goal: Data collection and use
Result: Begin to utilize data to manage and monitor – budget to actual expenses; meet monitoring requirements; providing insight to the business
How to build your next generation global transparency program
Gather stakeholders and conduct enterprise systems assessment. Define data flow gaps and manual processes. Stakeholders: CCO, CTO/CIO, DPO, Marketing, Sales, Commercial
Go upstream to the HCE engagement process and identify all source systems and manual processes. Stakeholders: Marketing, Commercial, R&D, CTO, CCO
Analyze current costs to maintain legacy systems, consultant fees and software costs. Include FTE time to manually process and analyze data. Stakeholders: CFO, CTO/CIO, CCO
Modify business process work flows to ensure compliance control points are captured and monitored. Stakeholders: CCO, CFO, Commercial Teams
Select cloud-first technology systems and APIs that can integrate disparate systems to close the loop on work flow and data movement and ensure control points. Stakeholders: CTO/CIO, COO
Embed data analysis tools throughout the entire work flow with permission-based access to review real-time data for compliance monitoring and business analytics. Stakeholders: CCO, CTO/CIO, Business Teams
Thank you.
Timothy Robinson, General Counsel & CKO, MMIS | MediSpend, +1 (603) [email protected]
Michaeline Daboul, President & CEO, MMIS | MediSpend, +1 (603) [email protected]