Data privacy

Veeva Network contains features to help you administer your data for data privacy and maintenance. For example, the features enable you to support requests from HCPs to restrict or remove their personal data to comply with the European General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

Depending on your internal policies and how restrictive you require the data to be, you can do one of the following actions:

  • Restrict records so that they can no longer be accessed and updated.
  • Delete HCO and HCP records. HCP records can then be anonymized so that personally identifiable data is completely removed.

Data privacy laws

Recently, laws have been created to give people rights relating to the access, deletion, and sharing of their personal information when it is collected by businesses.

European General Data Protection Regulation (GDPR)

The GDPR law has been in effect since May 25th, 2018. This was a first-of-its-kind policy for consumer data protection and privacy.

For more information about how to use Network features to comply with GDPR requirements, see Data protection and privacy for GDPR.

California Consumer Privacy Act (CCPA)

The CCPA went into effect on January 1, 2020. It is likely just the first of its kind in the United States.

Under this law, doctors in California can request that their data be blocked or restricted. To comply with these requests, restrict user access to the data using the Data privacy opt out feature.

Restricting HCP data

Restrict user access to HCP records by flagging them as opted-out.

  • Data privacy opt-out - If HCPs request that their data be restricted, you can flag the records as opted-out.

    Opted-out record behavior:

Deleting data

Delete records for data privacy or maintenance.

  • Delete locally managed HCP and HCO records - Use a data maintenance job to set HCP and HCO record states to Deleted. A Deleted record state is considered a soft-delete; the records will not be searchable in your Network instance, but the data can still be accessed; for example, through reporting.
  • Unsubscribe from third-party records - Contact your third party data provider and then use source and target subscriptions to set the record state to Deleted and update your downstream systems.
  • Unsubscribe from Veeva OpenData records - Use a data maintenance job to unsubscribe to specific HCP and HCO records and set those records states to Deleted.
  • Anonymize HCP records - HCP records that have a record state of Deleted can be anonymized so that all personal data is completely removed from the record. An anonymized record is completely inaccessible in the Network instance. If the record is exported to downstream systems, only the non-personal record data (created date, Network entity ID, and so on) can be viewed.

    Use the delete and anonymize features together to process HCP records for GDPR compliance.

    Example: Process for anonymizing locally managed HCPs

    These data maintenance jobs are also useful for removing records from your Network instance that are no longer being updated.