The EU Regulation 2016/679, known as GDPR (General Data Protection Regulation), concerning the protection of natural persons with regard to the processing and free circulation of personal data, is now applicable in all Member States.
The real news is the establishment of the accountability principle, that is the responsibility of the data controllers and data processors, which is based on two fundamental concepts: Privacy by Design and Privacy by Default. With the first principle, data protection measures must be planned starting from the planning of business processes; with the latter we want to establish the ability to design security and privacy measures as a prerequisite for the normal functioning of corporate information systems.
As personal data Processor, on behalf of numerous pharmaceutical companies and pharmaceutical services companies, to which we provide the SaaS (Software as a Service) mode, we have implemented these concepts in our business processes, planning and carrying out a series of actions aimed at providing a solid and effective response to the issue of data protection
Having carried out in recent months a thorough risk analysis, we have adopted various measures that have led to a general improvement in access control and data protection, to a more effective prevention of the violation or theft and to a higher transparency towards the controllers of the same.
In particular we proceeded to:
- Strengthen system access credentials
- Deny access to the SaaS pharmacovigilance systems to anyone who does not have a Registered Access Certificate, issued and installed on their personal computer by us
- Improve the database encryption method
- Increase the protection of the Disaster Recovery system to guarantee a copy of the data immune to the cyber attacks on the primary site
- Equip ourselves with autonomous tools to periodically evaluate, through Penetration Test, the degree of security of the system and adapt it by applying the Reparation Plan derived from it
- Strengthen the system for monitoring access to the IT infrastructure that supports SaaS, activating a more efficient and effective alarm system and providing reports that prove the protection of personal data and transparency on their management
- Increasing awareness of the staff dedicated to assistance and maintenance on the topic of Privacy
These are just some of the technical and organizational measures implemented for compliance with the GDPR, which will be constantly checked, monitored and updated.