Featured Article: Ensuring Trust in Pharmaceutical Supply Chains Publication
PharmaLedger is highlighted in a recent publication that covers GDPR compliance for blockchain-based solutions in pharmaceutical supply chains.
Pharmaceutical supply chains are complex structures that are highly regulated in the EU. Ensuring compliance with legal and regulatory requirements is crucial for building effective supply chains and protecting public health. Blockchains can bring many benefits to these areas, but there are also many challenges when designing and deploying compliant blockchain solutions.
The new publication “Ensuring Trust in Pharmaceutical Supply Chains by Data Protection by Design Approach to Blockchains” examines pharmaceutical supply chains using blockchain technology and the challenge of complying with the EU’s General Data Protection Regulation (GDPR). The author of the publication is PharmaLedger’s Co-lead for Regulatory, Legal and Data Privacy Framework Halid Kayhan (KU Leuven). Our PharmaLedger project is used as a case study to support the topics covered within the publication.
You can read the full publication by clicking the link below, or continue reading our short introduction summary.
How Blockchains Can Benefit Pharmaceutical Supply Chains
Pharmaceutical supply chains include complex processes, where a lack of transparency often prevails due to the size and number of actors involved. Theft, siloed information, lack of traceability, falsified medicines and communication gaps are some of the challenges in today’s healthcare supply chains.
Blockchain is one type of distributed ledger technology that offers a verifiable way to record data. This technology benefits healthcare supply chains by ensuring trust, data immutability, transparency and audibility. It can also create more efficient processes and assist in establishing a more transparent system by tracing medical products, from the start of production to the hands of the end user.
GDPR’s Relation to Pharmaceutical Supply Chains
Pharmaceutical supply chains are subject to strict regulations in the EU in order to protect the public from harmful drug effects and privacy-related matters. This comprehensive strategy covers all levels of the pharmaceutical value chain and starts long before the medicine is brought to the market.
Two rights are highlighted in the publication: privacy and data protection. These two rights, which are closely connected to each other, should be seen as the main legal and ethical issues when designing, deploying and maintaining blockchain-based healthcare solutions. There are, however, still many incompatibilities between GDPR and blockchains that require further attention and clarification.
GDPR and Blockchains Challenges
GDPR is the main legal instrument in the EU, and due to its logic based on centralised networks and the need for the ability to correct inaccurate data, it is seen as contradictory to blockchains by their nature. This is the greatest challenge when building blockchain platforms and processing personal data.
The publication highlights a study conducted for the European Parliament that lists the reasons for the many tensions between GDPR and blockchains:
- GDPR is founded on the principle that there is one natural or legal person (“data controller”) who is responsible for GDPR compliance. In blockchains, this is not the case, since there is not one central actor in control. This GDPR compliance responsibility is difficult to enforce.
- Articles that state the “Right to Rectification” and the “Right to Erasure” seem to be contradictory to blockchains, where erasing data is often impossible due to the immutability feature of blockchains.
In a personal interview with PharmaLedger, Halid explains:
“This publication could guide actors in healthcare or other domains that process personal data and deploy blockchain solutions so that it’s compliant. GDPR assumes there is one entity that is accountable for the individuals whose data is processed. This is the first problematic point.
If there is any data processing that is not correct, there should be a possibility to correct and delete this if the individual wishes to no longer process his or her data. In blockchain, the immutability feature is an append-only technology, so it’s difficult, if not impossible, to erase the data already stored on it.”
“Erasure” is not defined in the EU’s GDPR. Different countries have different approaches to the erasure concept. Halid hopes there will be EU guidance on how to apply GDPR in blockchain-based platforms or use cases in the near future.
Blockchain does, however, support certain GDPR objectives, such as
- data sovereignty
- giving individuals better control over their data
- empowering them to be able to share personal data with trusted third parties
- having the right to data portability.
The publication goes into detail about the different types of personal data that are processed on blockchains and how GDPR views them. It also covers topics of responsible parties in blockchain to ensure GDPR compliance, data protection principles, data subject rights, and data protection by design and default. Readers are encouraged to refer to the publication to become familiar with these terms and the challenges of implementing blockchains in the EU according to GDPR standards.
PharmaLedger Project – A Case Study
The PharmaLedger project has been used as an example by Halid to show blockchain realisation in pharmaceutical supply chains. As an EU-funded project, PharmaLedger aims to provide healthcare solutions that are scalable for other use cases while complying with numerous legal requirements, including GDPR. It also aims to improve patient safety and product traceability by laying the groundwork for using blockchain solutions and serialisation throughout the healthcare supply chain.
PharmaLedger uses a multi-layer blockchain solution that is technologically agnostic, meaning that various blockchains and use cases can operate. The publication highlights the concept of OpenDSU (Open Data Sharing Unit), which stores data off-chain while being anchored on a parent blockchain. This allows for greater data protection, security and confidentiality.
PharmaLedger – Complying with GDPR
In order to be GDPR-compliant, it’s important to implement data protection by design and by default process from the very beginning. All PharmaLedger use cases are developed in a compliant way from the ground up. PharmaLedger has placed these principles at its core and has developed a seven-step process that builds off of each other (hence the circle representation). This was based on the guidelines of the Norwegian Data Protection Authority.
The PharmaLedger project has also adopted self-sovereign identities (SSI), which gives patients full control over their digital identities. Patients will be empowered to manage what personal data is shared with others. Blockchain helps to make this possible while also offering data protection and privacy benefits.
PharmaLedger has produced favourable results in its platform while maintaining privacy and data protection. It has also shown the potential of blockchain for pharmaceutical supply chains and can serve as a guide for other blockchain-based solutions, not just in healthcare.
PharmaLedger Transitions to the PharmaLedger Association
The PharmaLedger Association (PLA) has been established as a not-for-profit Swiss organisation to continue the research done thus far. PLA will continue to implement its current and future projects by making sure they are compliant with various legislations from the beginning, as was initiated from the start of the PharmaLedger project.
PLA is now open to global new members and is expanding from the original EU focus of the project. Make sure to visit our newly created PLA website below to find out more and how you can collaborate within our Digital Trust Ecosystem (DTE).
When a blockchain network is designed with data protection by design and default that complies with GDPR, various GDPR objectives can be reached, such as data sovereignty, trust and accuracy of data, data integrity and security. When combined with other technologies, such as the use of self-sovereign identities (SSI) within PharmaLedger, patients can obtain better control over their personal data.
Halid added in our interview with him that PharmaLedger is trying to show how this technology has great potential only if it’s designed correctly:
“We are trying to show that blockchain has great potential in pharmaceutical supply chain use cases but also, more broadly, in healthcare. It’s possible to be GDPR-compliant, but in order to do this, we must design the technology from the very beginning by taking into account data protection-related obligations, the rights of the data subjects, and have a detailed and well-prepared governance model that addresses GDPR principles and other regulatory and legal requirements. This will catapult the blockchain to the market.”
The PharmaLedger project has been used as a case study in this publication to show how to apply blockchain technology within a GDPR-compliant framework. There are, however, actions needed on the EU side to better define and create clearer guidelines for innovative technologies.
We are excited to see how this will progress as our project shifts to the PharmaLedger Association, and we continue to work towards making blockchain-enabled solutions a reality in healthcare.
Visit our new website below to learn more about the newly established PharmaLedger Association and how you can help pave the way for innovation in healthcare by becoming a member.