Issue: Our client, the leading vendor of medical communications and compliance solutions to the pharmaceutical industry, faced challenges in designing a data privacy and information security program to keep up with rapidly changing legal and customer requirements. The client processes volumes of personally identifiable information for its customers and required new data privacy, information security, and security incident response policies dealing with administrative, technical (IT), and physical security requirements. Of particular significance, one division of the client was immediately embarking upon a project which would involve processing of EU personal data. The client faced a grave risk of non-compliance under both its contractual obligations and potentially draconian penalties under numerous state data breach and EU breach response laws.

Challenge: Design a comprehensive data privacy program for the client based upon its and its customers’ business requirements. Understand what data is necessary versus optional, and assess the applicable laws and regulations based upon industry and types of data processed. Meld varying demands from numerous customers for the application of different standards, and design a “reasonable” and appropriate framework complying with all applicable laws and regulations while still allowing our client to operate its core business without massively prohibitive policies and procedures. Create the EU Safe Harbor compliance necessary to allow the client’s business unit to embark upon the customer project in a large and distributed environment.

Result: We undertook a phased approach involving: (i) discovery; (ii) analysis; (iii) production and delivery of work product; (iv) implementation; and (v) maintenance. Understanding the client’s major need to launch an EU compliant program immediately, we segmented an operating division for logical and physical “sanitization,” and brought that unit, and ultimately the entire company, into compliance under the Department of Commerce’s EU/US Data Privacy Safe-Harbor.

Discovery: We discovered the data that our client would store and process and determined what standards applied (PCI, ISO 27001, HIPAA, GLB, State Data Breach Laws, EU data and cross-border flows, and otherwise).

Analysis: We assembled the key C-level executive staff including the CIO, CEO, and President-COO and imparted the urgency to address compliance and the risks associated with non-compliance. We developed a comprehensive information security policy, data privacy policy, and data security incident response policy meeting requirements under the EU/US Safe Harbor.

Production: We designed the policies, statements, procedures, plans, notices and consents, and certifications necessary for the same and worked with senior staff to train on the Principles under the Safe Harbor.

Implementation: We implemented the policies with the client, wrote the SOPs for staff dealing directly with data subjects, and trained staff in the policies and procedures, creating a “culture of privacy” within the organization.

Maintenance: We subsequently helped our client translate its compliance program into a marketing initiative. We were, and are, engaged to help our client’s customers understand the privacy and information security essentials for the services performed by our client, and often help them receive additional business when their large pharma customers realize our client has the knowledge and experience at its disposal to efficiently comply with the information security requirements necessary.

We currently have one member of our staff provide ongoing compliance work with this client acting, in essence, as an “outside Chief Privacy Officer,” enabling the client to receive full data breach response management, training, and continuing compliance on the full range of data privacy and information security requirements without having the cost of a full-time CPO.