GDPR – A time to worry, or a time for opportunity?

So you’re a Brand Manager or Creative Director and in the middle of a meeting someone has mentioned ‘GDPR Compliance’. You may know by now that it’s nothing to do with Gross Domestic Product, but is the General Data Protection Regulation something you should be seriously concerned about?

A lot of people might say that “it’s an IT issue” and move on. However, the reality is that while the IT guys may have had worried looks on their faces for a while, the GDPR is far more business focussed than the previous Data Protection Act, which itself was often misunderstood as being primarily IT focussed.

Process, documentation and no silver bullets

In reality, most of the GDPR is centred on processes and documentation. There is no magic IT silver bullet which will make a company compliant. The GDPR comes into force in May 2018 so there is now only a short window of time in which to prepare.

There is currently a significant amount of confusion and scaremongering surrounding GDPR, with consultancy firms bandying around statements such as “non-compliance can result in a fine of either €20 million or 4% of turnover, whichever is higher”. Even a large agency would likely suffer significant financial problems following a €20 million fine, while 4% of turnover is enough to make any CEO sit up and take notice. However, the UK’s supervisory authority, the Information Commissioner’s Office, has declared that it does not intend to use the maximum extent of its powers and initially is aiming to guide rather than coerce.

The same consultancy firms who are spreading the word around the scale of fines will, coincidentally, happily send a team in to produce a large quantity of paperwork to assist you in your compliance processes. In fact, many large corporates will have had teams in place for some time, looking at processes and creating documentation to try and ensure compliance with the GDPR.

Is there any guarantee of compliance?

The one thing that seems to be overlooked is that at this point there is no way to guarantee compliance. There’s no certificate, no audit process and no guarantee that what is in place is compliant. Further, from my discussions with former colleagues and customers, many of the current projects are being run as a head-office central IT team operation and the interaction with the wider business is slim to non-existent.

A lot of the guidance from the ICO is still in a state of flux as the ‘Article 29 Working Party’ continues to elaborate on the meaning behind much of the core legislation and how it applies in the real world. There are also, naturally, no existing cases of firms which have failed to comply – since the GDPR does not come into force until May 2018.

However, this doesn’t mean that if things go wrong, fingers won’t be pointed. So, what can you do and what should you know to be informed?

  1. There’s no need to panic. As mentioned, the ICO has suggested that the highest fines are unlikely to be levied and any initial non-compliance is more likely to result in advice than prosecution.
  2. Check what corporate programme is already in place. Everything may already be in hand. If you are reading this, however, that implies there has not yet been any (or sufficient) awareness training. In which case it would be worth asking what is being done and ensuring your enquiry has been recorded – for your own peace of mind if nothing else.
  3. Consider the information you hold in your team or department. The new GDPR definition of ‘personal data’ is somewhat broader than the previous one. If any questions remain then it is worth obtaining some advice. For example there has been discussion in infosec circles around how in Germany, IP addresses are being considered as personal data. The guidance given so far around the definition of personal data means that while the obvious examples (names and addresses) fall inside, so would something such as a list of job titles and salaries. Since there is generally only one CEO or Head of Department it is possible to identify the person via ‘association’ or ‘aggregation’. If you hold the personal data then it’s worth examining whether you really need it. If you do, then consider how to protect it as the GDPR places a requirement on the data controller to ensure “the existence of appropriate safeguards, which may include encryption or pseudonymization” (Article 6(4)(e)).
  4. Examine your current projects. Then attempt to determine whether they will be affected by the GDPR. This is especially important if you have any responsibility for marketing. For example, there is a window of opportunity between now and May to get your contacts database in order without running into the new GDPR ‘consent’ legislative issues. It will be harder to obtain consent for distributing marketing materials after May under the full compliance regime. Taking the time now to clean your mailing lists and contact people regarding their approval to receive communications will pay dividends in the second half of the year when you will be able to continue your marketing campaigns unimpeded by compliance issues.
  5. Review your interfaces to other projects, programmes and departments. If you are capturing, transferring or receiving data then you may need to check how it is being used elsewhere. Protection of data is far tougher now, so if you have captured the details of an HCP in order to invite them to a specific event, you can’t then pass that on to the central marketing team for sending out any other type of marketing. Equally, if you are receiving data from somewhere else in the company you should be certain that you can use it for the purpose you intend – a mass email to people who only gave their details for use in a clinical trial has more serious consequences now than in the past.
  6. Use the GDPR as an opportunity. It’s a chance to obtain funding from on high to clean your contact database, to renew your leads and prospects and to put in place a much more streamlined approach to integrating CRM, CLM and Event Management. Gathering consent compliant with GDPR is not a challenge for modern systems and done in the right way, such as from within your DSA during a call, does not have to be intrusive. Nor does the greater granularity of consent need to be a problem; being able to identify those HCPs who are keen to attend events compared with those who would prefer only minimal contact can help you to segment and focus your efforts in the most beneficial way. Building your DSAs to make maximum use of the power available will enable you to collect the necessary consents and data to not only comply but also to improve your marketing campaigns.

If you feel you would benefit from a more formal session on the potential impact of GDPR, why not take a look at our review of IT Governance’s GDPR accreditation? We’ll be providing further resources on the impact of GDPR, alongside the latest from Veeva and CLM development so sign up for our newsletter to make sure you don’t miss our updates.

An introduction to Agnitio

What is Agnitio?

Agnitio is a digital software solutions provider, specialising in multichannel marketing tools for pharma and life sciences. Its primary products are Rainmaker and Sharedoc.

What is Rainmaker CLM?

Rainmaker is the primary multi-channel closed loop marketing (CLM) product offered by Agnitio, which integrates with Sharedoc to provide an end-to-end solution for digital content delivery to healthcare professionals (HCPs).

What is Sharedoc?

Sharedoc is a cross-platform solution available for both Apple and Microsoft devices (laptop and tablet). It enables the delivery of content to HCPs and patients in HTML5 format, as well as PDF, PowerPoint and Word.  It integrates with Rainmaker to provide a seamless mechanism for providing leave-behinds and patient information directly from the same shared content source as the brand marketing assets.

Why use the two in conjunction?

Using Rainmaker and Sharedoc together allows HCPs access to a wide variety of consistently branded and approved content; while allowing the brand team to follow trends and improve their messaging.

Pharmaceutical representatives can increase their reach and power by using the Rainmaker software to provide tailored engagement for their presentation via a range of different channels and using far more engaging and interactive content than the static slide approach previously deployed. Fully integrated webinars and compliant email allow for a mass-spectrum delivery; hitting multiple targets with a single effort.

Who would use Agnitio?

Both local pharmaceutical representatives and HCPs can directly access content in Rainmaker since it provides an integrated experience for representatives to provide face-to-face or remote detailing together with self-guided, on-demand detailing directly by HCPs.

Delivering for Agnitio

The primary mechanism for content delivery in Rainmaker is HTML5 containers. It is also possible to use PDF or PPTX files, however, doing so limits the flexibility and does not provide an interactive or engaging experience for the ultimate end user.

By choosing carefully, a single HTML5 file can be reused in multiple presentations. Planning a sensible architectural approach in advance enables the same content to be deployed across multiple devices (laptop, tablet, Apple, Microsoft) and platforms (eDetailing, remote detailing, webinar, compliant email).

Rainmaker uses ‘slides’ which then fit with ‘modules’ to form a presentation. As with other Digital Sales Aid platforms, developers are able to automate aspects of the build process in order to programmatically share content between slides and ensure a consistent set of messaging and branding.

While Rainmaker does include localisation tools to translate and adapt global content for regional markets, in our experience it is usually better – budget permitting – to create custom content for each region which can be more carefully targeted and designed to suit specific local needs.


The Agnitio platform is not free and if you have already rolled out existing sales aids on Veeva or are using Salesforce as your CRM then while the integration with Agnitio is useful, it can create the inefficiency of running two platforms side by side. Using a single consistent platform for all your materials, deliverables and analysis is, of course, more effective and can prevent mismatched data.


Once the first few interactions with HCPs have occurred the real benefits can start to be felt as Agnitio provides a full set of analysis and tracking tools which can be drawn together in the dashboard. These provide brand teams with deep insights into how their brand’s key communicators and accounts are performing.

It’s possible to integrate Rainmaker with existing CRM systems such as Microsoft Dynamics or Salesforce as well as pharma-specific platforms such as Veeva.

Using Agnitio can provide a number of benefits dependent upon the actual business case that underpins the drive to migrate content and activities into the platform. The wide range of different tools on offer is such that using Agnitio may improve everything from the strategic direction of marketing materials through to representative performance and even potentially managing PASS studies via the ShareDoc mechanisms. This allows HCPs to pull down content and share it with their patients, all while being tracked and analysed.

If you’re new to Agnitio or feel you’re not getting the most out of the platform, get in touch with us to see how we could help with your Agnitio projects.

Getting ahead of the game with the GDPR

With the deadline for the General Data Protection Regulation (GDPR) looming, Peter Boyall, Head of Operations at twentyeightb, decided to take the plunge and sign up for an online training course from IT Governance. Here is his review.


There is still a degree of uncertainty around what ‘GDPR compliance’ actually means, but it is fast becoming too late to wait for the Article 29 Working Party to rule or for a course to be officially certified by the EU data protection board or the UK Information Commissioner’s Office.

Having looked around and found that my preferred British Computer Society provider had no current course available, I looked to the IT Governance company which offered a depth of courses and a specialism in information security. This gave me the confidence that their course would cover the key points. In addition, they offered an exam which was certified externally by GASQ, providing some assurance that the exam itself was not simply a box-ticking exercise.

The course I selected was the certified foundation, intended to provide a background and grounding but not to push the envelope. With a background in data security already, I felt that a ‘GDPR top-up’ was sufficient.

The course

  • The information was reasonably paced, with a set of notes to go along with it that helped immensely. I was able to make a precis in advance then listen to the video and fill in gaps rather than try to type notes while listening.
  • It seemed to cover the main points and included self-tests as well as an FAQ.
  • The need for lawyers was referred back to several times – avoiding the trap of it being purely IT-focused.
  • It was also made clear that there are no official certifications issued at that point.

Areas for improvement

  • There was just the one presenter so limited points of view and I did have to take a few breaks.
  • The subject matter has understandably dated very quickly with interpretation of GDPR legislation changing all the time.
  • Some cyber security practitioners take a dim view of the implication that the IT Governance qualification is in some way officially approved by the government. It is made clear in the course itself that no official qualifications yet exist, but it is important to stress that there is no intention to pass off the certificate as the answer to everything.
  • Accompanying book is very out of date and doesn’t tie in particularly well.

The exam

Ouch! The instructions were somewhat contradictory – one set said to use Firefox, another to use a secure browser app. To run the app you have to turn off all but one screen. Once you start the ‘secure browser’ it takes over the screen so you can’t read the PDF of instructions (or get your username/PIN code). You have to fumble your way to the exam and the ‘face detected’ icon kept flickering (albeit that may have been down to my laptop).

The actual questions in the exam were very different to the self-tests, although I saw this as being a good thing as it meant the exam wasn’t too easy. There was quite a lot of brainwork involved and it definitely wasn’t just a case of answering questions by rote in the manner of, say, PRINCE2 Foundation exams.

In conclusion

All in all, I’d say that in order to get your hands on the certificate you do need to have a pretty good grasp of the GDPR, as the only way to pass the exam is to both know and understand the material in order to be able to extrapolate answers to the questions.

There is a lot of fear, uncertainty and doubt at present surrounding ‘GDPR compliance’. It’s easy to be fooled into thinking it is just an ‘IT exercise’, that it is necessary to pay large amounts of money to a management consultancy or that an impressive collection of paper certificates is required to ‘demonstrate compliance’. In reality it is quite possible that companies are already compliant and a quick confirmation check is all that is needed. The above course has given me the confidence that we don’t need to spend tens of thousands of pounds on external consultancy or tools in order to discharge our duties regarding the data we handle. Gaining peace of mind that you have adequate data protection policies in place is in some respects the ideal scenario when enrolling for a qualification. While you won’t be able to just tick a box and say “we’re compliant now”, you will be far clearer on any steps you may need to take to stay ahead of the forthcoming legislation.

Moving to Veeva: What are your options?

You’ve been told your pharma field force (or your client’s sales force if you’re an agency) is moving over to Veeva CLM and the next eDetails aid you produce has to be built in Veeva. So, what are your options?

PowerPoint to Veeva

Veeva recently introduced support for Microsoft’s flagship slide presentation program, PowerPoint. If your field force currently uses PowerPoint to present to customers, you can simply upload your .ppt file to Veeva Vault and distribute it to your field team. Users simply open the file via Veeva iRep and, as long as they have MS PowerPoint installed on their iPad, away they go.

Upside: Simple, quick, and because it can be done without specialist help, if you already have the .ppt file it’s pretty much free.

Downside: Clumsy (opens the MS PowerPoint app), very limited analytics (only that the presentation was opened), not optimised for iPad and not fully integrated with Veeva CRM, so users cannot utilise other multichannel activity, such as Approved Email.

We recommend this option when your current sales materials are in .ppt format and:

  • there is limited or no available budget;
  • it’s for a small specialist sales team;
  • the detail aid is a one-off or only to be used for a short time period;
  • or there is no requirement for analytics or business insights.

PDF & flat image to Veeva

Veeva CLM presentations support the use of PDFs and image files as simple non-interactive slides that can be put together to create a very basic digital sales aid.

Upside: Simple, quick and requires very limited specialist help – if you already have the content then the cost is low.

Downside: Limited analytics (only which slides are seen), flat content, no interactive elements, limited navigation options and not optimised for iPad.

We recommend this option when your current sales materials are in PDF or flat image format and:

  • there is limited or no available budget;
  • it’s for a small specialist sales team;
  • the detail aid is a one-off or only to be used for a short time period;
  • or there is no requirement for analytics or business insights.

Content adaptation – CLM to CLM

If you already have an HTML5-based eDetails aid, either as a standalone web app or in-built for another framework, such as Agnitio, MI Touch (Nexxus) or Vablet, then it can be dropped into a single Veeva “slide”. This is sometimes called a “Veeva Deep” CLM solution.

You’re likely to need the help of a Veeva approved developer as there will be functionality that needs adapting between frameworks, but as long as the original code has been well put together, their involvement should be relatively light.

Be warned, however; if the source code has been poorly written then your specialist developers may well recommend starting from scratch, as the cost to adapt poor code often spirals out of control.

Upside: Low friction transition for the field force, existing presentation assets reduce the time impact of design approval, so can be relatively quick and may only require moderate intervention from your specialist developer.

Downside: Limited analytics (Veeva will only show one slide has been opened); potential for very large file sizes, leading to slow upload and sync times; navigation, transitions and overall performance may be poor when compared to a presentation built specifically for Veeva.

We recommend this option when you really like your current detail aid and what you really want is as little disruption to your field force as possible. Whilst it’s not really a long-term solution, it’s an excellent way to limit friction during your transition to Veeva CRM.

Bespoke Veeva development

A Veeva accredited developer can work with you and your creative agency to plan, design and build a bespoke Veeva CLM that will help you and your field team realise the potential this platform has for positively impacting your brand’s performance.

A bespoke Veeva CLM solution allows you to take full advantage of Veeva’s Closed Loop Marketing functionality. It can provide real-time feedback to the rep to improve their territory management, customer segmentation activity and in-call selling success.

With well designed content, a Veeva CLM presentation can also provide you with business-critical market insights and track the progress of your KPIs. For more information about the insights you can achieve with Veeva, please refer to our guide on Veeva CRM MyInsights.

With the right approach and the right experts on hand to support you, producing a Veeva-wide CLM does not need to be expensive. Although this approach will likely require the most development time, if coded well, a Veeva-wide CLM will deliver significant ROI over time as future updates, adaptations and even localisation will be easier, quicker and considerably less expensive to undertake.

Upside: This is how Veeva is meant to be used.

Downside: To do it well you need time, planning and budget.

We would recommend pharma brand teams and their marketing agencies take this option whenever possible.

Next steps

To learn more about Veeva CLM solutions, please get in touch with our Veeva Level 4 certified digital development team on +44 (0) 1480 877 321 or drop us a line via our contact form to discuss how 28b can help you maximise the potential of Veeva for your brand.