How evolving data regulations in China could impact pharma, life sciences

Example pattern for mobile
Example pattern for desktop

Summary

  • A comprehensive new privacy law —  the Personal Information Protection Law — is transforming the business landscape in China. 
  • Pharma and life sciences companies looking to grow in China should consider potential impacts on R&D, medical affairs, commercial, manufacturing, back-office operations and other functions.
  • Stakes are high for industries involved with improving and saving lives of patients around the world.

In a must-win market, key implications for R&D, manufacturing, commercial and back office functions

China’s cybersecurity and privacy regulations collectively have the potential to transform how pharmaceutical and life sciences companies conduct business in China. The Chinese government has set out a tighter regulatory regime around data collection, use and storage, as well as around cross-border data transfers. Up until now, shared systems, processes and workforce have been the basis for operating a multinational corporation’s business in China.  

Now companies are asking: 

  • How can we begin analyzing our systems to understand which processes and IT systems should be localized within China?  
  • What is the cost and complexity of change? 
  • What new risks should we become more attuned to as we implement change, for example, talent shortages and intellectual property concerns?

How does it all impact our China and global strategy?

Different companies face different choices. But the stakes are high for everyone in an industry that must, above all, stay focused on the core mission of improving and saving lives of patients in China and around the world. As companies reevaluate their ways to play in China, we’re beginning to see shifts:  

  • A more unified executive team that is aligning around converging business issues in China’s evolving environment.
  • New structures such as “In China, For China” operating models.
  • Closer collaboration with global service providers and/or local China partners on data localization solutions.  

Let’s focus on high-level business as well as specific functional considerations across R&D, manufacturing, commercial and back-office operations. 

Cyber and data security regulations in China

China Cybersecurity Law (CSL)

Multi-layer Protection Scheme 2.0 (MLPS)

Data Security Law (DSL)

Personal Information Protection Law (PIPL)

The CSL has been in effect since June 1, 2017. The law defines the scope of critical information infrastructure and sets the foundations for enforcing penalties on organizations and individuals who attack or break into the nation’s critical information infrastructure.

Set of technical standards and certification frameworks for business systems that went into effect in December 2019 for compliance with the provisions of the CSL.

The DSL went into effect on September 1, 2021. The law’s primary focus is to regulate data processing activities within China and the security supervision of these activities.

The PIPL took effect on November 1, 2021. It lays out additional requirements and enforcement mechanisms for personal data of natural persons located within the territory of the PRC.

Regulated data thresholds for data export

Based on the latest updates from Measures on Security Assessment of the Cross-border Data Transfer (Public for Consultation) in October 2021, the following thresholds are set which would require a cross-border transfer security assessment (transmitting or granting access to Chinese data by entities, individuals or systems outside of China).

Important data

No threshold 

A processor of the personal information (PI) of 1 million or more individuals

No threshold 

Personal sensitive information (PSI)

>10k individuals

Personal information (PI)

>100k individuals

What data is covered by these rules?

For the pharmaceutical and life sciences (PLS) industry, the landscape for data compliance is complicated given the vast quantities of confidential and scientific data that flow across a value chain that includes R&D, commercial, manufacturing and back-office processes. Companies should note that in addition to PSI such as medical history, China’s laws cover a broad category of “important data” related to national security, economic development and societal interest. While details are still emerging regarding its scope, information falling within this category is likely to include personal genetic information, clinical trial data, adverse event data and data related to experimental drugs in China.

Regulatory details are also still emerging, but what we do know is that the consequences of noncompliance could be severe. In the case of PIPL, for example, it could include jail time, a fine of up to RMB 50 million (about $7.8 million) or 5 percent of the past year’s turnover, and even the possibility of business suspension.

Regulated data under DSL & PIPL in China

Personal information (PI)
  • Name
  • Date of birth
  • Gender
  • Ethnic group
  • Nationality
  • Family relation
  • Address
  • Personal phone number
  • Email address
  • Personal information subject account
  • IP address
  • Personal digital certificate
  •  Occupation
  • Job position
  • Work Unit
  • Academic diploma
  • Academic degree
  • Educational experience
  • Work experience
  • Training record
  • Transcript

Information describing the general conditions of the equipment commonly used by an individual:

  • Hardware serial number
  • Device MAC address
  • Software list
  • Unique device identification code (e.g. IMEI/Android ID/IDFA/Open UDID/GUID, SIM card IMSI information
Personal sensitive information (PSI)
  • Bank Account
  • Identity Authentication (Token)
  • Deposit (e.g. saving amount and transaction records)
  • Real estate information
  • Loan records
  • Credit information
  • Transaction & consumption records
  • Historical transactional records
  • Virtual property information (e.g. virtual currency, virtual transactions, exchangeable tokens in games)

Records generated in connection with medical treatment:

  • Medical diagnosis
  • Hospitalization records
  • Medical instructions
  • Medical examination reports
  • Surgical and anaesthesia records
  • Nursing records
  • Medicine records
  • Drug and food allergy
  • Fertility information
  • Medical history
  • Diagnosis and treatment 
  • Family medical history
  • Present medical history
  • Infection history
  • Personal genes
  • Fingerprint
  • Voice print
  • Palm print
  • Auricle feature
  • Iris feature
  • Facial recognition features
  • National ID
  • Military officer certificate
  • Passport
  • Driving license
  • Employee ID
  • Social security card
  • Residence certificate 
  • Sexual orientation
  • Marriage history
  • Religion
  • Undisclosed criminal record
  • Communication record & content (e.g. SMS, MMS)
  • Contacts
  • Friends lists
  • Chat group lists
  • Personal track information
  • Website browsing record
  • Precise location information (e.g. GPS, latitude & longitude)
  • Accommodation information
Important data

Important Information is a legal distinction that refers to data collected and generated within China that does not involve state secrets but is closely related to national security, economic development and societal public interest. 

For the pharmaceutical industry, this information includes (among others):

  • Personal genetic information
  • Clinical trial data
  • Adverse event data
  • Data related to experimental drugs

What China’s data privacy and security regime means for your company

Functional considerations

All functional leaders should start by making sure that their systems, including R&D, medical affairs, pharmacovigilance and back-office systems, are compliant. Every function will require its own analysis based on the company’s operations in China. Here are some high-level considerations across key areas.   

R&D: China’s expanded regulatory toolkit has significant implications for your R&D, especially in the data-intensive discovery and preclinical development stages. Global electronic data capture (EDC) systems and clinical trial management systems (CTMS) and clinical data management systems (CDMS) contain huge amounts of information on patients, including medical diagnoses, hospitalization records, family medical histories and the like. While this information is aggregated and anonymized, companies should do a deeper analysis to determine if a separate instance of these systems needs to be created or localized in light of the new laws. For applications that are cloud-based (e.g., software-as-a-service products) implications need to be discussed with each vendor to determine the steps needed for compliance.

Similar considerations apply to the smaller volume of physician data that resides in systems across clinical operations (e.g., payments data). One option may be to explore outsourcing some processes to local CROs — but make sure the service provider has internal controls to be compliant with the tighter regulations. As you get closer to the regulatory approval stage, data and systems should be already localized and require less change.  

Medical affairs: Cross-border data flows are vital for pharmacovigilance, activities related to ensuring drug safety. Your medical affairs staff should conduct rigorous cross-border data transfer risk assessments across different activities such as adverse events, real-world data (RWD) and real-world evidence (RWE). Multinationals currently enhancing their data-transfer controls for EU General Data Protection Regulation (GDPR) will need to consider an augmented approach for Chinese data. Ask your ERP vendor, if we localize these databases, how will we integrate critical information from China into global data sets? What kind of quality controls need to be in place to reconcile local and global data sets in such instances? 

Commercial: PLS companies will probably have to shift to a local version of cloud for the Chinese customer data. That’s a challenge because global customer relationship management (CRM) systems support centralized databases and more insightful data-driven decisions about customer segmentation and targeting. New artificial intelligence (AI) technologies offer scalable solutions and commercialization opportunities built on massive volumes of data.  

Ask yourself, how can we continue to assemble the right mix of technology, data and skills for stronger revenue growth in China in the face of data localization? The good news for commercial operations is that patient support services — providing nurses, setting up patients with specialty pharma and supporting submission of health insurance claims — won’t feel the brunt of the new regulations. These processes tend to be more localized and will likely require few changes. 

Manufacturing: Large ERP systems support the manufacturing operations of global PLS companies from the initial planning stage to sourcing, making, delivery and quality control. Say a company with a manufacturing footprint in China imports an active pharmaceutical ingredient (API) from Europe, creates a drug product in China and sells it across Asia. Creating a local instance of ERP in this case will introduce complexity, such as inefficiencies in logistics flows and capturing profits. Moreover, global procurement systems are typically linked to the ERP platform. Localizing them could mean renegotiating contracts with suppliers.

Overall, manufacturing systems involve less cross-border data transfer, but they need to be managed with the same rigor because these systems are critical to the health and well-being of Chinese nationals. Consider, for example, the risk of disruption in the supply chain if a China-based manufacturer of diabetes medication is affected.

Back office: The immediate focus of PLS companies is on ensuring they are compliant with requirements related to processing and cross-border transfer of patient and physician data. But companies must also conduct rigorous risk assessments for other sensitive information such as employee data in human resources systems and bank information in financial management systems. You may choose to work with your global service provider or go with a local partner. It’s increasingly likely that global cloud service providers will stand up localized instances of the systems to comply with the Chinese laws. If you rely on local Chinese services providers for things like payroll, billing and local tax solutions, confirm that they have the right internal controls in place. When working with local service providers, it’s just as important to manage global risks, such as ensuring intellectual property protections in the supply chain. 

Business considerations

The regulatory environment may require a larger shift in Chinese business strategy, including managing increased costs and risks as well as finding new opportunities in a transformed marketplace. Companies considering transformation and/or restructuring of operations must ensure compliance while continuing to advance patient care in the most efficient way possible. A global company with a legacy presence in China is likely to have different choices than a small company considering entry into the China market. It’s just as important to monitor the dynamic geopolitical environment and its implications for the PLS sector and develop an understanding of how these regulations might indirectly support China’s national security and economic objectives. 

Transforming operations: PLS companies rely on several enterprise applications to store, analyze and flow through personal data, including CRM, clinical trial management, procurement, supply chain management, and manufacturing execution systems, among others. Investigate each system to determine which ones contain regulated data and need to be localized. But rather than creating a separate localized instance of every system for China, assess the full array of choices. You may be able to segment and partition off parts of a system. Your current ERP platform, for instance, may already have features to support data localization of specific processes for the China market. 

Changing systems has implications for people and processes, including:

  • People and skills to manage local data and workflows.
  • Security and controls over dataflows, aggregation and reporting. 
  • Technology systems to keep the local unit connected to the global company. 

Structuring operations: This is an opportunity to reevaluate your current or planned structure for China. Options could range from setting up a separate subsidiary for China to creating an alliance or joint venture with a China-based firm or CRO to take advantage of the infrastructure already available and increase market access. For example, a PLS company that processes human genetic data (categorized as important data) would have to collaborate with a domestic Chinese organization. Strategic collaborations can help your company navigate regulatory complexities around the world. If you’re an established US company with an operating footprint in China, you’re probably already well-versed about the evolving regulatory environment under the oversight of the Cyberspace Administration of China (CAC). This could be an opportunity to position your company as a partner of choice for R&D and manufacturing activities in China for other multinationals.

Any shifts in China will have implications for overall business strategy and performance, so CIOs and CISOs will need to collaborate with other functional leaders and executives in evaluating the case for change and making informed business decisions.  

Navigating China’s cyber and privacy rules

Actions companies take in China could provide a useful template for other economies. We recommend a number of broad next steps, but other pathways are possible depending on a particular company’s maturity and the scale of its China operations.

  • Review each system across every function. Pay particular attention to the systems that support data intensive activities, especially cross-border transfer of sensitive information and important data. 
  • Explore your options such as segmenting systems for China, standing up a local instance through a global service provider and considering new strategic outsourcing service providers. 
  • Collaborate with your entire C-Suite and your board to make sure changes are aligned with the broader business strategy. 
  • Plan for an “In China, For China” operating model with an enterprise-level project management office. 

With a comprehensive and rigorous approach, your PLS company can maintain compliance while advancing patient care in the world’s most populous country.

Reimagine Risk. Unlock Opportunity.

Cybersecurity, Risk & Regulatory

Change the way you see risk. Change the way you see the future.

Learn more

 

Cyber & Privacy Innovation Institute

Pharmaceutical and Life Sciences Regulatory & Compliance

Rethink risk and compliance to drive strategy, capabilities and performance.

Learn more

 

Glenn Hunzinger

Health Industries Leader, PwC United States

Email

Nalneesh Gaur

Principal, TX, PwC United States

Email

Robbie Higgins

Principal, Information Technology, PwC United States

Email

Next and previous component will go here

Follow us