GDPR Compliance with Veeva Network - Part 2: Managing HCPs that opt out from OpenData


In case you browsed directly to this page, let me state once again that I am a product manager and not a legal adviser. You should not rely on any information from this blog as legal advice. This blog is only based on my personal experience of talking to our legal team and various customers over the last four years, and it just represents my personal understanding of the GDPR. For any guidelines on how to comply with GDPR, you should always rely on legal advice from the legal counsel of your organization.

Managing HCPs that opt out from Veeva OpenData

When you are a subscriber of Veeva OpenData, an HCP that uses their “right to be forgotten” against OpenData will also have an impact on your organization. Typically, an HCP only opts out from OpenData, but they are perfectly fine with the fact that your organization stores and processes the data. So, this means you want to make sure that you can continue the engagement with the HCP even after they opted out from OpenData.

The first time that you will learn that an HCP opted out from OpenData in Europe is usually through the email notification that is sent out by OpenData every two weeks. In order to give their customers a heads-up about upcoming opt-outs, the OpenData team in Europe sends out an email notification to all the customers that have subscribed to the respective HCP record. And then 10 days after the email notification was sent out, the opt out will take effect. So, if you are not on the subscriber list for that email notification yet, I highly recommend reaching out to your OpenData representative to get on that list.

Now what exactly happens after those 10 days and how are you impacted by that?

Default Setting

By default, the HCP record becomes inaccessible through the Network UI, which means you can no longer search for the record or access its profile page. You can still access the record in Network via reporting, the API, or target subscriptions, but the record will be anonymized. This means all fields that store personally identifiable information will be masked or blanked and only the system-managed fields like Network Entity ID, record state, last modified date, etc. will retain their values.

In Veeva CRM, the HCP record will also be anonymized in the same way as in Network. The record stays an active and valid record, and it remains on the reps territory, but it is completely anonymized and any data change request will be auto-rejected.

In essence, the HCP record becomes useless after the opt out takes effect in Veeva OpenData because the record is not provided to you by OpenData any longer. You are obviously not getting any updates, the record is anonymized, and data change requests are no longer processed by OpenData.

This is, of course, a significant disruption to your sales and marketing activities if the HCP has not revoked their consent to engage with your salesforce. Therefore, to prevent that disruption and to continue the engagement with the HCP, I highly recommend you to change the default setting on your OpenData subscription and enable the conversion of OpenData opt-outs into customer-managed records.

Converting OpenData Opt-outs into customer-managed records

Converting OpenData opt-outs into customer-managed records is super easy: you just need to tick one checkbox on your OpenData subscription for a specific country and you are done with it. After you enable this feature, all future opt-outs that occur in OpenData are automatically converted into customer-managed records (the conversion only happens after this feature is enabled; any opt outs that occurred before this feature was enabled are not retrospectively converted).

And conversion does not mean that the record is cloned into a “grey” record. The HCP record stays exactly the same record with the same Network Entity ID, it just changes its record owner from “OpenData” to “Local”. This means that the opt-out is completely non-disruptive to Veeva CRM and other downstream systems. Since it is still the same record with just a different record owner, the downstream systems are not impacted at all and can continue using the record as before.

So this feature is very quick and easy to implement, and it drastically simplifies the management of OpenData opt outs. Unless there is any good reason against it, I recommend all OpenData customers to enable the feature. For more information on how to use this feature, please refer to Converting opt-outs from OpenData into local records in the online help.

Keeping track of converted records

Enabling the automatic conversion of OpenData opt-outs into customer-managed records basically eliminates the need to monitor and act upon these opt-outs because they are automatically converted. However, a question that almost always comes up from customers is: How will I know which of my records were converted from orange records?

This is a legitimate question because you probably want to keep track of these records for several reasons. On the one hand, you need to make your local data stewards aware of these records because your organization has now taken over the ownership of these records. And on the other hand, you probably want to confirm there is consent in place from the HCP to store and process their personal data.

Luckily, it is very easy to identify any converted records through a specific custom key. You can use a report to monitor any converted records in your instance by filtering on that specific custom key. There is an example of such a report already included into our online help.

HCP Opt-Outs returning to OpenData

From time to time, it also happens that HCPs are returning to OpenData after they have previously opted-out. So, the question here is what happens when an HCP was converted from an “orange” record into a “grey” record and then afterwards opts back into OpenData? Will the “grey” record be converted back into an “orange” record?

The answer to this question is “No”. After an OpenData record has been converted into a customer-managed record it means that OpenData has given up that Network Entity ID and the record stays customer-managed permanently. If an HCP returns to OpenData, then the OpenData team will create a completely new record under a different Network Entity ID. You can then download this new record from OpenData and merge your “grey” record into this new “orange” record.