Key data transfer-related takeaways from this Pharma forum 2021 session include:
-Data transfers beyond the EEA require legal adequacy measures (adequacy decision (which include EU to UK transfers) or standard contractual clauses and supplemental assessments and measures) in place before they can be undertaken.
-The CJEU decision in Schrems II invalidated Privacy Shield, however, Standard Contractual Clauses (SCCs) can remain a valid transfer mechanism when used alongside transfer impact assessments and appropriate supplemental safeguards (where required). Different regulators have adopted different approaches to what constitutes appropriate assessments and safeguards following Schrems II.
-New EC SCCs are modular in format: C2C, C2P, P2P and P2C; there is no additional processor agreement required for C2P and P2P (unless some processing takes place in the EEA). The SCCs offer multi-party possibilities for both data importers and exporters, and the choice of law and jurisdiction within the EU. The ICO is expected to publish UK SCCs later this summer.
-The new EC SCCs include clauses relevant to the law enforcement access concerns central to Schrems II, including that: parties warrant the level of protection in the third country, transparency/information obligations, obligations relevant to official requests for disclosure, and documentation obligations.
-Your next steps should be to start planning and data mapping your transfers, identify the correct SCC modules to use, kick off transfer impact assessment process, and document and constantly re-evaluate the measures you’ve undertaken.
Key AI regulation-related takeaways include:
-AI regulation impacts the entire life cycle of an AI-driven product or system and sits alongside the GDPR. It applies to software, specified techniques and approaches, machine learning/logic/stats-based approaches, and generated outputs.
-AI’s potential impact on life sciences is evident in the rise of high-risk AI systems. Looking more broadly, you can see its effect in recent developments in medical devices regulation, and in the huge role AI plays in today’s pharmaceuticals industry.
-The new AI regulation framework prohibits practices (dark patterns, micro-targeting) not systems. It breaks AI systems into “high risk” and “low risk” categories. High risk systems are broken down further by classification model and come with a new set of control requirements.
-Enforcement is handled by the European AI Board and National Competent Authorities and involves governance disclosure. Non-compliance carries financial penalties of up to 6% of global annual turnover.
Key cybersecurity risk takeaways include:
-Key cybersecurity threat points to consider are the vendor eco-system, ransomware, phishing attacks, the Internet of Things (IoT), state-sponsored attacks, and employees and insider threats.
-The best defence is preparation. Tools and techniques include data audits, accountability, security frameworks, proper regulator engagement, IT forensics, and understanding how insider threats develop and play out.
-The stakes are high! Potential consequences of cyberattacks include reputation damage and costly group litigation claims.
