By now, most people are pretty clued up on what the new general data protection regulations (GDPR) mean to them and their data. The urgency to change systems and processes seems to be subsiding, yet surprisingly as many as 38% of global organisations still believe they are not compliant with the new requirements (1).
For an industry that is so tightly regulated, it would be natural to assume that when it came to the regulations introduced in May this year, the pharmaceutical industry would already be relatively compliant. But we all know what assuming does, so at earthware we decided to look into the website compliance of the UKs top 50 pharma company corporate sites. The results were somewhat surprising.
What did we do?
We ranked companies based on their total transfer of value disclosure during 2016 and selected the top 50, then using our inhouse technical knowledge and expertise we created a checklist of fundamental criteria for both GDPR compliance and digital best practice. This covers everything from data handling and cookie monitoring to error pages and SSL certificates. Responses were assessed using a traffic light system, with green indicating compliance, amber showing missed opportunities to limit risk or fully comply and red a significant chance of beaching regulations.
Findings*
GDPR
Overall, in terms of GPDR every site we evaluated received a red rating in at least one area, with many sites given an amber rating. This highlights that as an industry, there is still some way to go to be fully compliant and to limit risks and avoid potentially large fines.
The area of biggest surprise was in relation to privacy policies. Only 26% of websites had policies which covered all elements required by GDPR. More surprisingly, 10% didn’t have a privacy policy at all despite collecting personal data.
Cookie bars were another area of concern. GDPR builds further upon the previous ICO cookie law. In accordance with GDPR, websites must explicitly ask for clear, positive consent and access shouldn’t be denied or restricted if this consent isn’t given. Although most sites demonstrated a cookie bar that was compliant with the ICO law, only one of the sites reviewed had developed this into a fully GDPR compliant bar.
Best Practice
The industry faired much better in terms of best practice, with most sites using sitemaps and breadcrumbs. The biggest area for improvement seems to be the use of 404 error pages. These are pages that are displayed when users try to access old or broken links. In line with best practice and ABPI requirements these pages should contain a link back to the home page (or similar), contact details and adverse event reporting links. Over 50% of sites didn’t contain the required elements. Again, showing the industry still has a distance to go to compete with other industries in delivering high quality digital content.
*Findings correct as of the 5th June 2018
Summary
Since its introduction in May it appears the pharmaceutical industry still has some way to go to be fully compliant with GDPR and avoid unnecessary fines. It is also important to consider reputational damage, the industry is constantly battling to maintain standards against a number of unfavourable press stories, failure to comply with these regulations will result in further loss of public trust and reputation. Get in touch with us if you’d like to know more about our findings.
Of course, whilst considering the pharmaceutical industry it is also important to look at adherence to the ABPI code of practice. In addition to the criteria we developed for GDPR and best practice, we also reviewed PMCPA complaints over the past 2 years and developed a comprehensive set of compliance criteria looking at all areas from HCP access, adverse event reporting, prescribing information and links to external sites.
For further information or to find out how we can help you ensure your websites are of the highest standards contact us – info@earthware.co.uk.
