Managing GDPR Obligations in Payer and Clinician Research

Data protection has raised many questions for businesses, not least with uncertainty over how Brexit would affect the EU General Data Protection Regulation (GDPR). But when the COVID-19 pandemic hit, focus suddenly shifted away from business-critical areas such as GDPR as the healthcare industry scrambled to deal with the massive health crisis. While the emphasis on COVID-19 is appropriate, GDPR, whether the EU GDPR or what has become known as the UK GDPR, remains crucially important, and failure to manage it appropriately can land your business in hot water.

GDPR is one of those black clouds that large consultancies – such as market access and health economics consultancies – confront when they take on market research projects that require interview-based research with doctors and payers. Typically, market research is an add-on to a large project and not an area these consultancies are familiar with, so they are already on the back foot. Add in the thorny issue of data protection and they find they also have to worry about potentially raising red flags with the regulators. Over the past few years, Gatehouse ICS has gained deeper knowledge of and experience with what is and isn’t permitted under GDPR, which has given us confidence with our approach to interview-based market research.

First, the GDPR does not prevent market researchers from collecting relevant data on clinicians and payers, as long as over-arching criteria are met: you must define the purpose for collecting personal data, you must state where and how you will store that data, and you must say how long you will store the data for. Questions for those inexperienced with the GDPR include: what is meant by personal data, what is meant by data storage, and what are the implications of not following the correct protocol?

Doing the right thing in LinkedIn

To the casual user, data on LinkedIn might appear to be in the public forum, so what’s the harm in identifying a clinician or payer from their job title? There’s a nuance here that might not be well understood: if you take that person’s name and job title from LinkedIn and put it on a spreadsheet, that is still considered personal data, even though there is no contact information.

The reason this matters is that under the GDPR, you have a right to be forgotten. So, if those clinicians take themselves off LinkedIn but still exist on a spreadsheet somewhere, that right has been taken from them. And if that spreadsheet is shared, then it exists in multiple places and is no longer private. It’s therefore important to consider the reason for keeping the data and for how long that information will be stored on a spreadsheet.

In the course of conducting clinician and payer research, we start by identifying people on LinkedIn and reach out to them through that forum. That outreach is acceptable within the GDPR guidelines since it is done within the LinkedIn platform and data hasn’t been removed. We establish in that communication that we would like to invite that expert to participate in interview-based research and that there will be an honorarium available. Those who respond are treated differently to those who don’t because we have connected with them.

For those who don’t respond, we determine how long it is reasonable to keep them on the Gatehouse ICS spreadsheet, and we do so based on a valid GDPR reason for retaining that data: legitimate interest. We can reasonably show that for a certain amount of time there is assumed legitimate interest in us reaching out to them, but we need to define how long is reasonable to retain that data. Our policy states that six months is reasonable, after which we remove them from our list. Again, at this point, we are not referring to contact information, merely name, title and place of work.

For those who do respond and provide some further contact details, regardless of whether they participate in the study we put to them, we ask whether we can keep their details on file for future market research. It is important to specify that this data will not be used for any other purpose. We also define what we mean by “on file”, which for us means in a secure folder with limited access on our shared drive and password protected. To build and retain goodwill with these experts, we check each year to make sure they are happy to stay on the list.

Through this mechanism, we have developed an expansive and ever-growing pool of people for interview-based market research, but also a GDPR-compliant way to reach out and recruit clinicians and payers. This has meant we can often get access to those hard-to-reach, hard-to-identify niche profiles quickly and compliantly.

Experience in recent years has shown us just how important those hard-to-reach physicians and payers are. First, innovative medicine increasingly targets smaller patient groups – whether for a sub-group of patients with a chronic disease or for those with rare diseases. Second, market expansion means companies need to incorporate the expertise of specialist clinicians in less mainstream countries, for example, Croatia and Poland. These are the kinds of experiences we have had with clients. Our platform of around 12,000 first-degree contacts and the opportunity this affords to identify relevant people from our contacts and their contacts (our second- and third-degree contacts) allows us to respond to those needs quickly, effectively and in compliance with GDPR.