TRANSCRIPT
SPEAKER’S BIO
Abhishek Agarwal, CIPP/US, Chief Privacy Officer at Baxter
International
Previously, Abhishek gained experience at Fortune 100 companies such as Kraft Foods, JPMorgan Chase, HSBC, and E&Y Consulting, where he worked on large privacy, information security and risk initiatives such as HIPAA, Safe Harbor and EU DPD compliance programs, global data transfers, identity and access management, information risk assessments, information ownership and classification, and vendor governance and management.
AGENDA
Overview of Medical Device Privacy Compliance
Key Privacy Compliance Considerations
An Operational Model – Pre & Post Launch
Case Study
Q&A
PRIVACY LAWS IMPACTING MED DEVICES
AT CROSSROADS OF TECH & STANDARDS
Cloud Computing
Mobile Computing
Wireless Technology
Virtualization
Apps online
Digital/Connected Devices
PRODUCT LIFECYCLE & PRIVACY
Requirements: Scope, Data Subject, Processing Functions
Technology: Technical Controls
Process: Assessments
Pre-launch Prep
Market Surveys
Data Processing Agreements
Consents/Notifications
Data Governance
At/Post-launch Prep
Filings/Registration
Compliance Governance
Consent Management
Breach Management
BAA/DPA Management
Training – Legal/Marketing
CASE STUDY
A medical device that provides therapies and includes capabilities such as remote patient monitoring.
The device uses advanced technologies such as wireless connectivity, cloud computing and remote device management.
The device is planned to be launched in 100+ countries.
The goal: a privacy operational model that complies with each country's regulations in a uniform and cost-effective manner.
KEY OPERATIONAL ACTIVITIES
[Chart: activities plotted by Difficulty of Implementation (L/M/H, horizontal axis) against Level of Preparation (L/M/H, vertical axis), grouped into four quadrants: Quick Win, Medium Term, Long Term, Low Priority.]
List of Activities:
Defined Roles/Responsibilities
Compliance & IT Support Model
Data Privacy and Security Management Process
IT Training/IT Information Packet
Contracts Management
Data Privacy/Security Governance
Training
Country Legal Support Structure
Data Privacy Organization and Talent Strategy
Data Privacy/Security Change Management
Centralized Document Repository
Data Breach Management / Audit Process
Data Security Assessment
Certifications / Frameworks
Data Privacy Newsletter Subscription
KEY CHALLENGES
Covered Entity/Controller vs. Business Associate/Processor
Global templates
Data Processing Agreement (Cross Border, Third Party, Data Analytics)
Consent/Notice
Approvals from local Data Protection Authorities (DPA)
Centralized consent management solution
Global data breach management process
Data Governance, Cyber Security
KEY TAKEAWAYS
Establish a baseline of privacy and security controls.
Conduct a market survey to understand local country privacy requirements.
Establish minimum necessary standards of privacy governance for the global operations – market, legal, IT.
Be flexible without compromising compliance.
Q&A & REFERENCES
EU Patients Rights: http://europatientrights.eu/
EU Institute of Innovation and Technology: https://eit.europa.eu/eit-community/eit-health
US Health IT: https://www.healthit.gov/
Operational Impact of GDPR: https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/
US Privacy Shield: https://iapp.org/news/a/the-privacy-shield-what-u-s-multinational-employers-need-to-know-to-enjoy-the-benefits-of-the-newest-eu-u-s-data-transfer-mechanism/
HOW DID THINGS GO?
(WE REALLY WANT TO KNOW!)
Did you enjoy this session? Is there any way we could make it better? Let us know by filling out a speaker evaluation.
• Start by opening the IAPP Events App.
• Select this session and tap “Click the following link for speaker evaluations.”
• Once you’ve answered all three questions, tap “Done” and you’re all set.
• Thank you!