What is GDPR: Changes introduced and Global impact
Daniel PRADELLES
Director – Global Privacy Office, European Data Protection Officer, MSD France
6th International Congress on Personal Data Protection
Santa Marta – Colombia – June 7th – 8th, 2018
Global Privacy Office
PRIVACY ECOSYSTEM: At center of overlapping domains
[Diagram with PRIVACY at the center; labels recoverable from the slide, in source order]
Compliance Focused; Agreed Principles; Geographic Emphasis
Innovative; Drives growth; Global; Complex; Dynamic; Exponential increase; Multi stakeholder; Strained Frameworks; Privacy risky
New business and societal trends: • Real World evidence • Digital Health • Preventive medicine • Patient ubiquitous monitoring • Internet of Things
Slower & formal pace
• Accountability • Global Interoperability • GPEN (enforcement) • Common referential • BCR, CBPR, MC • Privacy Shield • Risk-based
Diverging Implementations
Regulator Vision and Tools
Lasting Protection; Consent & Control; Political Pressure; Responsive Laws; Increased sensitivity
• Asking for trustful providers • Ethical approach • Socially responsible • Better awareness • Slowed acceptance • Technology defiance • Appetite for new Apps
Change required on way to consider and manage Personal Data Processing
EU GDPR – An answer to the need for change
What is (Really) New?
• ACCOUNTABILITY – requires organisations to demonstrate compliance
• GEOGRAPHICAL SCOPE – Applies to EU (& EEA) residents as soon as serviced or monitored
• BREACH NOTIFICATIONS – report to regulator within 72 hours or without delay to data subject if serious harm
• RIGHT TO ERASURE – Data Subjects can request the deletion or removal of personal data
• RIGHT TO PORTABILITY – enables individuals to obtain their personal data and reuse it as they wish
• CONSENT – Stricter requirements around collecting and managing consent
• SPECIAL CATEGORIES OF DATA – Stricter requirements for processing – Race, Ethnic origin, Political opinions, Religion, Trade union membership, Genetic data, Biometric data, Health data, Sexual orientation related data
• PRIVACY BY DESIGN – Promotes privacy and data protection compliance along processing lifecycle
• FINES – Significant fines can be imposed on organizations in case of repeated failure to comply
Ø Directive 95/46 and Regulation 2016/679 (GDPR) are based on same principles
GDPR – IN A GLOBAL CONTEXT
Inspired from David Banisar 12/. 2016
[World map; region labels: Similar GDPR, Close to GDPR, Inspired, Specific, Sectoral]
Legend: Comprehensive Data Protection Law Enacted; Pending Bill or Initiative to Enact Law; No initiatives or no information
Global Momentum & need for bridges & Gateways
Organizations Change: New approach & New mindset?
• Integrated governance plugged with internal & external business & regulatory changes with risk & benefits consideration.
• Comprehensive set of Executive commitment, policies, implementation mechanisms & Validation.
• Transparency, demonstration and ongoing Dialog with all stakeholders from Regulators, Data subject to Civil Society.
Responsible Organization Risk approach
Which ones and for whom … and where?
[Diagram; labels recoverable from the slide: Internal; External; Business; Reticence; Creeping; Investment; Reputation; Compliance; Data Subjects Expectations; Societal Impacts and Ethical Risks; Cyber Security; Political & Economicals; Risks; Benefits]
Organizations need a “True” Accountable Approach
Thinking Compliance as a Result of an integrated Governance
• INCREASE TRUST (FOR CONSUMERS, CLIENTS & REGULATORS AND THEREFORE FOSTER BUSINESS)
• SUPPORT GLOBAL INTEROPERABILITY (DECREASES REGULATORY COMPLEXITY BY CREATING BRIDGES)
• ADDRESS NEW CHALLENGES (UPFRONT RISKS AND HARMS CONSIDERATION FOR NEW TECHS & NEW BUSINESS MODELS)
• ENSURE EFFECTIVE DATA PROTECTION (FROM THEORETICAL TO PRACTICALLY DEMONSTRATED COMPLIANCE)
Company Governance and Accountability Culture from “C suite” to Field level
Privacy @ MSD – The setup
• Global Network of 184 Privacy stewards (Country / Business / Function)
• Global Privacy Office
• Company’s Policies are EU based and applied globally
• EU & Country DPO
• Global Privacy Program
• GDPR Global Momentum
Privacy @MSD – Stewards Collaborative MSD Ecosystem
[Diagram; labels recoverable from the slide: External; Other Functions; Global Privacy Office; DPO; Country Privacy Steward; Compliance Steward; GHH; MRL; MAH; MMD; Business & Regulatory Environment]
Ø Different Business, …Different Priorities
Ø Same Governance, …Same Company
Ø Unified Global framework, …Consistent Local execution
Ø Steward may cover, …several countries or a cluster
SUMMARY: Merck Global NEW Privacy Context
[Diagram; labels: INTEGRATED GOVERNANCE; COMPLIANCE CONTEXT; BUSINESS CONTEXT]
• Modernized, Centralized, Streamlined, Future oriented
• Company Wide Accountability, Engagement, Commitment
Privacy / Data Protection with Ethics and Respect of individuals… It starts before & goes far beyond Compliance
“We try never to forget that medicine is for the people. It is not for the profits. The profits follow, and if we have remembered that, they have never failed to appear. The better we have remembered it the larger they have been.”
George W. Merck, Address to the America College of Virginia, Richmond, 1st December 1950
THANK YOU
Daniel PRADELLES
Director – Global Privacy Office, MSD France