The GDPR (General Data Protection Regulation), relating to the processing of personal data, is now applicable in all Member States. Here’s how we adjusted.

GDPR: this is how we have adapted

EU Regulation 2016/679, known as the GDPR (General Data Protection Regulation), on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, is now applicable in all Member States.
The real novelty is the principle of accountability, i.e. the responsibility placed on data controllers and processors, which rests on two fundamental concepts: Privacy by Design and Privacy by Default. Under the first, data protection measures must be planned from the design stage of business processes; under the second, security and privacy measures must be built in as a prerequisite for the normal operation of corporate information systems.

As data processor for special categories of personal data on behalf of numerous pharmaceutical companies and service companies operating in the pharmaceutical sector, to which we provide our service as SaaS (Software as a Service), we have applied these concepts to our business processes, planning and completing a series of actions aimed at giving a solid and effective response to the issue of data protection.

Following an in-depth risk analysis carried out in recent months, we have adopted various measures that have led to a general improvement in access control and data protection, more effective prevention of theft or breaches, and greater transparency towards the owners of that data.

In particular, we proceeded to:

  • strengthen system access credentials
  • deny access to the SaaS pharmacovigilance systems to anyone who does not hold a Named Access Certificate, issued by us and installed by us on their personal computer
  • improve the database encryption method
  • increase the protection of the Disaster Recovery system so that a copy of the data remains unaffected by cyber attacks on the primary site
  • equip ourselves with in-house tools to periodically evaluate, through Penetration Tests, the security level of the system and adjust it by applying the resulting remediation plan
  • strengthen the access monitoring system for the IT infrastructure that supports the SaaS, activating a more efficient and effective alerting system and producing reports that demonstrate the protection of personal data and transparency about how it is managed
  • raise awareness of privacy among the staff dedicated to support and maintenance
These are just some of the technical and organizational measures implemented for GDPR compliance, which will be constantly checked, monitored and updated.

Fulvio Toscano
Quality Manager