After successfully surviving the first month of Q4, we have our sights set on 2023 and what next year will bring. Winter aromas are not yet wafting from warm hearths, but the conversation with Vishal Parmar, Head of International Privacy at DaVita International, a healthcare organisation providing dialysis services, and Anna Nicola, Director at TransPerfect Legal Solutions, will spice up your coffee break.
Vishal, you serve as Head of International Privacy at DaVita International with healthcare operations in 11 countries around the world. The nature of your role leads you and your team to work closely (virtually and in person) with all business units in the organisation.
I am the Head of International Privacy reporting to the GC, with close interaction with other business leads. The International Privacy Group consists of functional DPOs and privacy professionals in every market. We meet regularly to ensure we are aligned on strategy, new geopolitical trends impacting privacy regulations, and more.
We understand the close relationship between technology and a successful privacy programme. I work closely with the Head of International IT: we formulate strategies and plans for the deployment of our international privacy framework into new emerging and upcoming markets and have created a strong collaboration throughout the year that I think is crucial to successfully protecting our teammates and patients.
It seems DaVita truly embraced embedding measures and privacy-enhancing technologies directly into the design of information technologies and systems. This truly helps privacy teams to be proactive and preventive but also ensures full functionality, end-to-end security, and visibility across the organisation. After 30 years of working with organisations all over the world, TLS witnessed how businesses have become increasingly engaged and tech sophisticated. Whilst having a multifaceted understanding of both real-time operations needs and the financial impacts of business decisions, in-house privacy and legal teams have to be increasingly data driven.
Privacy by design seems to foster cross-functional collaboration and lead to greater transparency across the business but I understand that it is also crucial to adapt it to the organisation, business units, and regions.
Our bespoke approach is driven from the uniqueness of our framework in the healthcare space. Projects are genuinely signed off with privacy as part of that initial scope of activities, so we limit or eliminate surprise elements and have constant conversations during the rollout of new projects. This includes the deployment of technologies: we think about privacy measures and controls, to implement, integrate and embed into new initiatives.
As an example, we have created a comprehensive Transaction Management Handbook for our M&A activities to ensure we are pragmatic and use solutions that are proportionate to achieving our goals, whilst remaining compliant with regulatory requirements. Efficiency and simplification are key drivers in that. The risk of creating programmes that are very theoretical and difficult to digest for non-subject matter experts is high.
My goal is to ensure that data privacy is lived out throughout the organisation. Privacy notices, policies and procedures are as interactive as they are actionable, and anything different can constitute a big risk to implementation and compliance. Making the information digestible is part of our role as experts, but I found having privacy champions outside the legal team to be extremely helpful. They help to ensure the privacy element is considered in their business initiatives but will naturally receive regular training and updates from the privacy team to ensure they are not siloed, and all divisions remain connected.
Seems this fits the need to adapt to change consistently across markets, business units, and times!
We are witnessing an interesting increase in regulatory complexity and can foresee the evolving data and tech landscape will lead to growing stakeholder awareness and involvement in the privacy programs of businesses. There are several conversations happening globally we can already see shaping new trends in 2023. To name a few: the CPRA, new privacy regulations in China and the use of third-party cookies, stricter requirements for cross-border data transfers, and new EU directives. Recently, privacy has evolved beyond regulatory compliance and into a new era of integrated data governance and trusted data use (of which your work at DaVita is exemplary).
From a privacy perspective, it’s crucial to look at all these changes on the horizon, how processes and procedures could be made easier, to what extent, and in what jurisdictions. This means you need to map out trends and changes and how strategy and overall framework will be impacted. It's tempting to have a one-size-fits-all solution or approach, but the truth is that route does not capture market nuances.
There are conversations we are following attentively including the draft Regulation on the European Health Data Space in Europe, which aims to make it easier to use (and re-use) electronic health data throughout the EU, and the Data Protection and Digital Information Bill in the UK, as part of the UK’s proposed data protection reforms following Brexit. We are also witnessing an increase in penalties for non-compliance in China, Japan, and Singapore (historically always lower than the EU).
International data transfers are another focus area for us. Over the last few years, we have onboarded new tools to assist us in our intragroup data transfers, but that opens the door to other challenges and ensures we have a strong justification model in place. Amongst others – probably the most interesting – is how to truly achieve anonymisation for research purposes in the digital health space? This is particularly complicated from a healthcare perspective. Aggregation and pseudonymisation are other options discussed when considering solutions outside encryption. There is a real lack of consensus across the industry on how to achieve each of those different methods, and scepticism as to whether new regimes in both the UK, where the UK data protection regulator has recently issued draft guidance on the topic, and Europe will be able to crystallise practical guidance. Common themes include whether complete or absolute anonymisation is even possible to achieve at all and whether that would be desirable in all circumstances, or whether irreversibility in its various guises suffices if the identifiability risk is acceptable. Much of this is still to be tested conceptually and practically. Things become even more complex if research is conducted internationally, where for example the standards on de-identification from a US healthcare regulatory perspective may not be consistent with the rules on anonymisation in other countries.
Despite the uncertainty that exists, I think we just need to remain pragmatic and make an objective assessment in the context of all the factors available to ensure personal data has been effectively anonymised.
Is there something that is working in your team that legal professionals can absorb to overcome challenges? It seems you act as a bridge across business divisions and thus see legal through a different lens. What advice would you give to the GCs across the industry?
Take a step back, evaluate the different business processes and focus your time on the areas that create risk. Ask yourself: who or what functions are the key movers and shakers in the business? What is it that they do and what role do they play in the overall success of the business? That’s where you should have a designated privacy champion in place, because they are the critical local stakeholders who will ultimately help you deliver on your strategic aims. You need to have a process in place that helps people, you, and the team partner on these initiatives, and establishing an appropriate governance structure can also help to reduce data privacy risks.
This article was first published in The Month November/December 2022 Edition by Global Leaders in Law.