Data protection and privacy for GDPR


The General Data Protection Regulation (GDPR) for European data has been in effect since May 25th, 2018. Network provides several features to help you with GDPR requirements.

The following table lists some common requests that you might have regarding GDPR, the Network tools that you can use, and considerations for external processes that you might establish, outside of Network, to satisfy the requirements for GDPR.

Each entry below gives the request, followed by the Network Actions and the Things to consider.

An HCP has requested an extract of their personal data that is stored in Network. ("Right of access")

Network Actions: Leverage Network's reporting and data export tools:
- Network Reporting
- Data export
- Export from search

Things to consider:
- Establish a process allowing HCPs to request and receive an extract of their personal data that is stored in Network.
- Downstream systems might store additional data on the HCP, which needs to be provided as well. Network Entity IDs or Alternate IDs generated by Network can help you to identify records in downstream systems.

An HCP has requested to delete their personal data. ("Right to erasure")

Network Actions: Depending on your internal policies and processes, you can leverage Network's tools for data privacy and record deletion:
- Option 1: Data privacy opt-out
or
- Option 2: Delete locally managed records, and then Anonymize records

Things to consider:
- Create an organizational process for HCPs to request erasure of their personal data.
- Establish a technical procedure to erase personal data from Veeva Network. See Deleting data.
- Take into consideration whether records are externally mastered. Request that the HCP record is unsubscribed by Veeva OpenData. For more information, contact Veeva Support.
- If the records are third party records, see Unsubscribe to third party records.
- Establish a procedure in downstream systems to manage records that were deleted and anonymized or opted-out in Network.

An HCP has requested to update their personal data. ("Right to rectification")

Network Actions: Update the HCP record:
- Edit HCP records
- Data change request

Things to consider:
- Create a process so HCPs can request updates to their personal data that is stored in Network.

An HCP has requested to block or suppress the processing of their personal data. ("Right to restrict processing")

Network Actions: Use Network's Data privacy opt-out to restrict access to that record.

Things to consider:
- Create a process so HCPs can request that the processing of their personal data is restricted.
- Establish a process to notify downstream systems about opted-out records.

An HCP objects to the processing of their personal data. ("Right to object")

Network Actions: Depending on your internal policies and processes, you can leverage Network's tools for data privacy and record deletion:
- Option 1: Data privacy opt-out
or
- Option 2: Delete locally managed records, and then Anonymize records

Things to consider:
- Create an organizational process for HCPs to object to the processing of their personal data.
- Establish a technical procedure to erase personal data from Veeva Network. See Deleting data.
- Take into consideration whether records are externally mastered. Request that the HCP record is unsubscribed from Veeva OpenData. For more information, contact Veeva Support.
- If the records are third party records, see Unsubscribe to third party records.
- Establish a process in downstream systems to manage records that are deleted and anonymized or opted-out in Network.

An HCP has requested to move, copy, or transfer their personal data across different services. ("Right of data portability")

Network Actions: Leverage Network's reporting and data export tools:
- Network Reporting
- Data export

Things to consider:
- Establish a process allowing HCPs to request the transfer of personal data stored within Veeva Network to different services.

Access to data should be limited to those who need to see it. ("Data Minimization")

Network Actions:
- Control user-specific access to HCP types per country using Data Visibility Profiles.
- Control user-specific access to data model fields and sub-objects using Page Layouts.

Things to consider:
- Define personal data access rules for Veeva Network users.

Records that have never been used or are no longer being used should be removed. ("Storage Period Limitation")

Network Actions: Depending on your internal policies and processes, you can leverage Network's tools for data privacy and record deletion:
- Option 1: Data privacy opt-out
or
- Option 2: Delete locally managed records, and then Anonymize records

Things to consider:
- Establish rules and procedures to ensure that personal data is not stored within Veeva Network longer than is necessary.
- Establish a technical procedure to erase personal data from Veeva Network. See Deleting data.
- Take into consideration whether records are externally mastered. Request that the HCP record is unsubscribed from Veeva OpenData. For more information, contact Veeva Support.
- If the records are third party records, see Unsubscribe to third party records.
- Establish a process in downstream systems to manage records that were deleted and anonymized or opted-out in Network.

Personal data within Network should be accurate and kept up-to-date. ("Data Accuracy")

Network Actions:
- Use Veeva OpenData or third party data providers as a source of accurate personal data: Veeva OpenData subscriptions, Source subscriptions
- Use Data quality reports to proactively identify inaccurate data

Things to consider:
- Establish rules and procedures to ensure that only accurate data is processed within Veeva Network.

Network Blog articles on GDPR compliance

For additional information, see the following blog articles: