EU is second largest destination for pharmaceutical exports constituting about 12 percent of total Indian pharmaceutical exports of USD 17.27 billion in 2017-18
May 30, 2018:European Union General Data Protection Regulation (EUGDPR) on May 25, Indian drug makers who operate from any of the 28 EU countries are scrambling to familiarize themselves with the law to ensure compliance.
GDPR requires companies to gain affirmative consent for any data collected from people who reside in the EU. Organizations that violate the law could face fines up to 4 percent of their global annual revenue or 20 million euros — whichever is higher.
EU is second largest destination for pharmaceutical exports, constituting about 12 percent of total Indian pharmaceutical exports of USD 17.27 billion in 2017-18.
In addition to exports, Indian drugmakers conduct clinical trials in Europe for their complex and biosimilar drugs, while many Indian contract research and IT services companies work on projects outsourced by Europe’s drug and insurance companies. Over several years, Indian companies such as Aurobindo Pharma, Dr Reddy’s and Intas have bought European drugmakers to expand in that market.
Drugmaker Dr Reddy's said it sees applicability of EU guidelines on data protection beyond its European operations and help in standardizing the processing and protection of personal data across the enterprise.
“GDPR has now provided an excellent opportunity to allow convergence of several management systems, such as information protection, cyber security, privacy, regulatory compliance, legal in order to create a holistic framework which will help in standardizing the processing and protection of personal data across the enterprise,” the company said in an email statement.
“We are confident that the entire process will facilitate even higher levels of governance in areas such as 3rd party vendor arrangements, supply chain, HR processes etc,” it added.
Dr Reddy’s expressed confidence about complying with EUGDPR.
Cipla said it will be able to comply with the EUGDPR guidelines as it's presence in Europe is largely through its partners.
"We have not more than 20-25 employees in Europe. Our presence in Europe is largely through business-to-business (B2B) partnerships. Since we do not have a large ground presence, it's quite manageable," said Kedar Upadhye, Global CFO of Cipla.
“Lots of companies are in a last minute scramble to at least comply with minimum requirements of EUGDPR like taking consent, putting notices on the website etc,” said Jaspreet Singh, Partner,Cyber Security at EY.
Singh says for a medium-sized organisation, it takes around 4-6 months to comply with EUGDPR as they have to rewrite contracts to ensure GDPR compliance.
“Pharmaceutical companies engaged in collecting and researching EU patient data for bringing therapies to market need to fully understand the implications of the law and take adequate steps to ensure compliance with the law. The impact of non-compliance is tremendous, especially when it comes to R&D and healthcare data,” said Ram Yeleswarapu, President and Chief Executive Officer, TAKE Solutions.
“As a company focused on clinical research and drug development, we have done an internal assessment and ensured compliance,” Yeleswarapu said.
Analysts say the key challenge for Indian companies include weak privacy laws in India and lack of awareness about global requirements. They also warn that in the days ahead, EUGDPR compliance becomes important in getting market access to Europe.
“As companies aspire to become global players, it is important that they become aware of the changing regulatory landscape across geographies and ensure adequate investments in systems and processes for adherence and compliance,” Yeleswarapu added.
President and Chief Executive Officer,