Current Edition

New Technology and Automation in Labs: Data Risks and Privacy Compliance Issues

Within healthcare and life sciences, data science plays a major role in research and innovation. Improvements in computational speeds, storage capacity and connectivity across different platforms, systems and sampling equipment, mean that laboratories and research facilities are often the testing grounds for the use of advanced analytics including Big Data and Artificial Intelligence (AI).

Alongside the innovation and efficiency benefits of process automation, integrated workflow management, and collaborative research, comes increased exposure to data risks – some less obvious than others.

Often this is also compounded by competitive pressures and agile working methods, resulting in demands for upgrades to data solutions and IT systems that bring new functionality, quicker results or more efficient processes.

Such pressures can then put greater responsibility on those testing and approving these systems when it comes to identifying potential new data risks or privacy compliance issues.

Data Protection and Privacy Regulation

The strengthening of data protection and privacy laws such as the EU General Data Protection Regulation (EU GDPR), as well as sectorial obligations and targeted rules relating to the use of medical records, diversity indicators, genetic data, and human tissue samples etc., provide a complicated framework for compliance.

Often, they also provide the legal grounds for challenges, complaints, compensation and regulatory enforcement when things go wrong.

Under GDPR, there have been a number of high-profile investigations and enforcement actions involving data breaches or mishandling of data by pharmaceutical and their respective technology and solution providers.

In the instance of a medical software solution provider, records of nearly half a million individuals were exposed during the migration from one software solution to another. The data protection authority raised a number of concerns, including the lack of data encryption and that there was no automatic deletion of data after the migration process had been completed.

The Cost of Non-compliance

Failure to properly manage data within the laboratory may have significant commercial implications when it comes to loss of intellectual property and delays to product development due to data quality issues. There are also indirect costs relating to reputational harm to investors, partners and professionals.

According to IBM’s 2022 Cost of a Data Breach Report,1 the pharmaceutical industry ranked third – behind healthcare and financial services – when it came to the highest average total cost of a data-related breach.

The average cost for dealing with a data breach in pharmaceuticals currently stands at over USD $5 million, and over USD $10 million in healthcare. For the same period, the industrial industry including chemical, engineering and manufacturing, saw an increase to an average of nearly USD $4.5 million per breach. Factors for these costs include the regulated nature of the sectors, the volume of confidential and sensitive data being processed, and the scale and nature of the technology and data services being used to support these industries.

Five Key Considerations When Undertaking Data Protection Impact Assessments

Data protection impact assessments are essential to avoid falling foul of the regulation and paying the price for non-compliance. Companies should pay particular attention when updating laboratory technology and automating laboratory processes, as there are many factors involved in identifying and addressing the associated data risks:

  • Extent of Data Collected

Firstly, it should be determined whether all of the data collected or held by the system is necessary to support the intended purposes. Where possible, datasets should be anonymised or pseudonymised beforehand, or in some cases, it might be preferable to use synthetic data (namely data that reflects the computational value of the dataset but does not refer to real individuals). Note that even where data has been deidentified, it may be possible to re-identify the individual through other data sources held by the organisation or a third party, therefore care should be taken to assess the risk prior to publishing or sharing even anonymised data sets.