Hema Lakkaraju is the CEO and Founder of HAYAG, whose mission is to advocate and deliver the value of "compliance strategy" to organizations. Hema has been in the life sciences industry for 10 years helping organizations with data, risk, product compliance. She has been working with different teams on data-driven risk and compliance strategy framework.
Privacy in the context of the life sciences is anything but simple. Faced with many different in-country regulatory systems, organizations are also struggling with growing complexity in regional and above country marketing strategies. How do you keep up to date on all of the new regulations popping up and yet not lose your competitive edge? Hema Lakaraju outlines the pragmatic approach to regulatory compliance, and it all starts with shifting your mindset.
KRISTINA PODNAR, HOST: Just as we have gotten used to the idea that the EU's General Data Protection Regulation (GDPR) is a fact of life and have made modifications in our data collection procedures, the Brazil General Data Protection Law (LGDP), the California Consumer Privacy Act (CCPA), and waves of proposed new data privacy laws are swirling in the calm preceding a privacy tsunami heading our way. For most of us, keeping on top of privacy regulations, not to mention the compliance requirements that exist in the life sciences or financial industries, can be overwhelming.
Hema Lakkaraju joins me today to discuss how we can move beyond the traditional silo approach to regulations and compliance and into an environment that proactively manages these challenges in a seamless way. Hema is CEO and Founder of HAYAG, whose mission is to advocate and deliver the value of "compliance strategy" to organizations. Hema has been in the life sciences industry for ten years, helping organizations with data, risk, product compliance. She has been working with different teams on data-driven risk and compliance strategy framework.
Hi, Hema. Thanks for taking the time to speak with me today. I appreciate it.
HEMA LAKKARAJU, GUEST: Hi, Kristina. It's always great talking with you.
HEMA: Yeah so before jumping into that question, let's go through what healthcare industry is going through right now, so there is has been a big transformation of the health industry since the last last 5 to 10 years, from a strategy that is traditionally a silo kind of systems in healthcare to a much more hybrid remote, medical help, telehealth systems, just to better serve the customers and during this process of digital transformation and health industry. There has been a lot of technology enhancements, a lot of integration with other systems, a lot of internet connection related thing Wi-Fi connectivity and so on and due to these evolving business models of medical health, telehealth to better serve the customers we have ended up collecting more and more data.
So, what does that mean right now in terms of privacy is when you compare to the last five years where the health industry has been only handling the patient health information. Now, it's being a hybrid model where we are handling personal identifiable information and personal health information in the same state, but yet the mindset is just to follow the HIPAA regulation.
So what that means in a realistic world in organization is we have to switch our mindset, look exactly what transformation our organization has been went through and what kind of transformation our product and services have been went through and what kind of evolution in terms of data collection and data monitoring that we have went through and to understand first what kind of data that we are handling right now and then creating a privacy model that fits in and coming to the hollow stick combines approach what we have been talking about this again. I'm going to the point of data transformation and technology transformation, and integration with all these different systems and modules gives the trigger of the evolving of cybersecurity the privacy on top of the FDA regulation or HIPAA regulation because the first part is to understand how the technology transformation went through and the second main part that the organization have to go through and think is that okay. There is no more silo regulation system now, it's all integrated same as the integration of technology and how holistic means looking as a whole overall. It's looking like a whole overall for the organization in terms of data looking the whole overall as terms of what products and services you are doing what kind of information you're handling and then looking at the appropriate applicable regulations and creating a combined strategy that really is applicable for your business.
KRISTINA: Great. I think that's really helpful. You know, one of the things that caught my attention as you were speaking was kind of this notion of not having sort of siloed compliance. And I know that for a lot of folks who are in healthcare, especially when they're interacting with health care providers and trying to market content to end-users a patient's themselves. They run into this kind of Catch-22 it where they're focusing on the FDA or HIPAA in the United States, and they're wondering by country how to segregate that and deal with that data.
What is your kind of tips, and what advice do you give people for dealing with that type of information where they are dealing with different regulatory systems and ensuring that we have that global compliance.
HEMA: We have to look at how even the regulations have been evolved. Right? So coming from the nest regulation, which is now becoming more of information-driven data-driven risk model where they're also saying about hey, you're not only looking the operational side of compliance, but you're also looking at the design side of the products and services range of compliance. If you look at the present regulation landscape that you have, most of the regulations are transforming into more and more data-driven. So, whether if you look at the GDP or CCPA and all those things, you have around 50% to 60% of the same compliance regulation repeated overall.
When you're looking for a strategy to approach of a compliance when you are looking to create a holistic, but lean strategy called model of compliance for your organization and it is very important to see first of all what regulations apply and what are the common set of controls along all these regulations that they have been emphasizing overall and on top of it if you can create a data classification based regulation strategy. What does it mean is if you're handling sensitive information, so first handle that sensitive information policies and procedures as a top priority and then look at the applicable regulations and see streamline what are the common set of controls they have been asking through and then try to implement those common set of controls first that are mandatory and then go to a subset of it.
The advantage of it is if you're using that kind of strategy approach, you're not only knocking of most of the regulations that are applicable for you. But also you're creating a strategy call approach where you have this common core set of compliance controls along this regulation along these regulations, and you're being combined in is very small set amount of time comparing to the traditional approach which we have been doing where you're going one regulation being hundred percent trying to be hundred percent compliant with it and then jumping to the next regulation got jumping to the next regulation, and this whole journey will take three to four years rather than to focusing sitting down saying, hey, what information I'm handling? What is my target market? What is my regional market? What are the regional regulations? What are the common set of controls, mandatory controls all these regulations are asking for and then try to implement that one as a top priority and then go to the later on. It's going to solve two major issues for any organization. One, they will have a clear clarity and resonance of what they organization stand for or what their product or services stand for or and the second thing is now they have a clear set of roadmap for compliance where they know that hey, this is my top priority core mandatory controls that are all in all these regulations and that will make me combined in a major set of way and then for the minor additional compliance things I will have a roadmap from face to your face.
We always go through in terms of compliance journey for the organizations as a silo systems again one regulation, then one regulation, then another regulation. But instead if you take this common set of controls and go, okay, this is my top priority for phase one. I'm knocking off all these common mandatory controls, and then I will look at what are the individual controls that go along these regulations. And then have a roadmap from it. You're actually saying a lot of time operations cost, time cost resources cost, and overall compliance for the organization.
KRISTINA: You actually didn't mention anything around the lines of whiplash because I know a lot of people tell me that they feel like they're getting whiplash from GDPR and now CCPA and all of the new regulations coming into effect, that sounds like a great approach. I'm curious, do you see it beneficial for organizations to adopt a superset of commonalities? I know you mentioned, you know to take a look at what controls need to be in place for GDPR, for CCPA and don't go down the individual silos, look across those and worry about the 50 to 60 percent that they have in common but does it make sense then for organizations to say, look GDPR is the superset of regulations when it comes to GDPR, POPIA in Brazil, CCPA is a superset when it comes to the United States. For example, Nevada requirements, Maine requirements, can we take those two things and kind of merge them and say those are the two big sort of trends in privacy and be compliant with those two regulations and then meet some of the other emerging ones or how do you see that working?
HEMA: I think it's so far it's really working great, as you said, right. So okay, GDPR is an overall approach of the whole EU, right and what it's done. It's an overall umbrella that takes care of the major concerns of EU region CCPA, and POPIA and all those things again have the same similar 60% of the same controls that you're asking. So, if you can take those major search of umbrella related regulations and then take care of those mandatory controls comparing with those appropriate state or country related regulations, what are very commonality between them and take it as a first phase one approach for your compliance roadmap? I think that is going to save a lot of time and the beauty of it is if you take whether its GDPR or CCPA or POPIA, if you look at the original drafts or the guidance of it at the end you have something called as a comparison metric and those comparison metrics is what most of the people don't focus on. I think it's the right time right now, especially for bigger organizations are an evolving businesses where they want to expand to the market is to look at those comparison metrics at the end of each regulation and see hey, but you know this these two or three major regulations talk about the same thing and have 60% of the common controls and these sixty percent of the common controls are highly mandatory.
Have that one as the preliminary model and then evolved with the local or state ones. Instead, look at the regulations that are majorly covering most of the landscape. For example, GDPR, or for example, CCPA. They are actually covering the whole major set of geographical locations and major consoles at the higher end of the law and then going to the local regulations later on.
KRISTINA: We're talking about healthcare, and you and I have been talking a lot about healthcare lately. It's certainly an area to watch. But do you see this approach to compliance working for other industries as well? Beyond healthcare. Or do you think that this is beneficial only in healthcare because of some particular reason?
HEMA: So, the first point is it a universal strategy called approach that will definitely give ROI or return of investment of time and resources overall for the business, coming to the healthcare, the transformation is going through right now. The digital transformation is going through the mobile health, telehealth, the integrated model where the pharma companies are partnership being with the app side of it, the database side of it, the phone ware side of it, and creating this what we call as a package solution where the pharma pill is connected to a phone ware or a patch and then you have an app to monitor, how is it going and so on. If this integration model kind of business is more and more evolving and the digital apps have been more and more an acceptance by the patients, then definitely it's again a holistic strategy for model that definitely should be taken care of because right now if you look at the landscape of healthcare and even for the life sciences industry overall, you have the FDA regulations, you have cybersecurity issues just evolving as a different silo system, and then you have the privacy like HIPAA and so on which again lives in a silo system. So, if you are a compliance leader or a privacy leader or a security leader in a life sciences industry, it's better to sit back, look and compare all this. Does it have all these parameters even to see whether I'm eligible or disagree regulations are applicable for me?
That is, the main key area where people don't really follow is that they go and look for cybersecurity laws. They go and try to implement it in a 2-year amount of here. Then they already have FDA rules and the part that is a side of the system in a different group in an organization. Then you have the privacy and paralegal department, and that is parallel is a silo, not without communicating with the FDA regulatory group and cybersecurity group have its own roadmap. Where is it all going, and when it comes to the budgeting or implementation side? You have 100 or 200 procedures, and 10 or 15 different policies that are not interlinked with each other. That again and again 50% talking about the same things in terms of controls and vision for compliance, and then you spend all this amount of time and resources trying to implement it so rather use it as a team effort in terms of compliance. Bring your FDA regulatory group, bring your cybersecurity game, bring your privacy group, all together in one room sit and say, hey, as an organization, this is what our product stands for. This is what our services stand for. This is what the information that we are handling now, and this is what my target market is.
So I want you all groups to sit together. Think about it. Think about what are the common regulations? What are the common controls of all these regulations that make sense and create a strategy compliance lean map that we can get our that we can get achievable in a short amount of time? That a person we don't see in any organization and that is what needs to be done for a much more effective and high-performance organization in terms of compliance
KRISTINA: And that seems like a really great goal. But you know, how do you see those individuals, especially in a large enterprise coming together who should really be the individual or is there an individual that should from your perspective take the realm and say, hey, you know, I'm going to get all of these folks together. We're going to talk about privacy. I usually talk about that person as a digital policy steward, but in your experience, does it matter where that steward or that instigator sits in the organization? Do they have to be in privacy or in compliance or where is it best that they are positioned so that they can bring together everybody including procurement, budgeting, legal, compliance, IT, marketing, privacy and the slew of other folks you need at the table that you talked about?
HEMA: If you see at the present landscape, for most of the organizations in terms of executive leadership, we always see a CISO. Or we always see a CRO, or we always see a CIO, right? So I think the more fitting is from the executive leadership where we can define somebody as a chief compliance officer, the compliance means it's always being sometimes misinterpreted as only taking care of regulatory, right the compliance or generally by definition means you have to be in compliance, in alignment with your existing policies and procedures and with the upcoming regulations that are applicable for you. So a chief compliance officer, if you have in an organization, is a starting point where his or her role is to bring in all these crucial sub branches together and try to create a strategy because what happens right now in an organization we always talk about marketing strategy. We always talk about business strategy. We never talk about the compliance strategy. And this is the time where it's extremely important that you come up with a strategy in terms of compliance. Otherwise, with the more and more regulations coming and if you just go with the traditional approach of silo implementation and not having the transparency between privacy and cyber security and regulatory departments. It is going to be an elaborate two years and years effort and our entire group.
KRISTINA: That doesn't sound highly productive at all. So I think it's interesting when you talk about bringing all these people together and thinking about not necessarily crushing silos, but maybe kind of getting the silos to work together and to coordinate what they're doing in a holistic way so that it's working towards the same common goal, that sounds like a really good approach and what I'm wondering is does that approach trickle all the way down to things like the individual data level perspective, like, you know, where does data governance sit in that paradigm? Can you talk a little bit about that and sort of your experience about how does data governance fit into that model of having an everybody kind of come together and work together? So, we're not making our individual efforts down a specific silo.
HEMA: It's a very crucial point, right? So, we always look at, okay, I'm a medical device company, so I have to look at the FDA regulations. I am a digital health app company. I will look at just the health-related regulations. But instead what is above all these regulations is if you only look at from a technology point of view or a process point of view, it's not going to solve the problem on a landscape, but rather if you look from a data perspective, it's going to solve in a shorter time, meaning when, for example, if you bring in all these people together, you have first to understand that technology might change and technologies always evolving, and if you create a model or a governance model that based on the technology, it is again going to take a tedious infinite loop of revisions. Rather, if you say, hey, as an organization, I have public data, have sensitive data. I have, you know, patient information or personal identifiable information and then create what we called as a data-tier system that tier system is something that you're saying, hey, my primary effort in terms of data governance is: do the data classification. Look at what kind of information I'm handling. And yes, if I'm handing any sensitive information or personal information or confidential information, that would be my top one priority, and I'm going to create the governance with the maximum appropriate security and privacy controls on that one. And I'm going to measure my success for the first one year, or the first few quarters in terms of governing IT risk managing it, and complying with the appropriate information, the advantage around that point is no matter how many systems you bring in, later in the organization. No matter how many technologies that get evolved over the years. The only thing that is not changing is the data, and the data is the preliminary basic such and smarter strategy in terms of creating governance through that lens rather than through the system or asset management related silos.
So it's going to solve two problems in an overall, in one you have a clear set of the idea and clear way of communicating down trickling to the down the line,where no matter you have a hundred systems of 200 system. You have a clear set of idea that, yeah, so when any of these systems or any of my products are handmade sensor information, then you these governance such of rules will be applicable and what happens with that is the performance, the clarity, the vision of the company is being communicated through all the layers, and it's going to increase your performance is going to increase your vision and compliance with the regulations at the same time, and it's going to make a best business case against your competitors saying that we understand but here is what we really care about our customer information. We really care about the personal information even though whether it's the customer information or my employee information, and we have created a governance program that is based on the information that we handle rather than the evolving technology. And that is I think a system that will work no matter how the technology advance.
KRISTINA: That sounds great. So, you know, I'm sold. I'm sure that a lot of listeners are also sold. I'm curious, as we're kind of thinking about, okay, this sounds great. That's what we want to achieve. It's something to kind of work on and work towards but for anyone who's listening today that wants to change the trajectory for data privacy, whether they're in healthcare, although certainly, healthcare is such an evolving area and area of opportunity or in other any other industry, what are the two things you want them to do differently after they stop listening to this podcast?
HEMA: I think first is the mindset. We have to change our mindset from and traditional Silo model system to a much more data-driven model. And then second is the teamwork. We have always been, or how the organization has been structured previously, whether the privacy and cybersecurity or regulations. Those group are always separated from each other and it's been maybe because of the experiences that they had. It's not a competition between the groups rather is like a weaving thread you have to work together, and you have a common Vision, but there is privacy cybersecurity or regulation with you have one common vision, and one common vision is to be combined with the applicable regulations and to make the best business case for the customers, to make, to say that why your product or service is much safer than the other competitors. So it's no longer a competition between the group's it's actually a complementary skills between the groups, and if you work together and complement each of your skill sets, you will become a stronger and major group with a great contribution.
KRISTINA: I love the fact that the two things that you're giving us as takeaways are to change the mindset and to have more teamwork. To increase teamwork, together, because I think those are two things that anybody can do regardless of where they sit in the organization, whatever level they are.
And with as little or as much support from the executive tier as they might have. And so, even if you don't feel like you can do a lot right away, you can always change your mindset, and you can certainly work closely with your colleagues and have more teamwork. So those are great chunks of advice. I really appreciate your insights Hema, and I look forward to hearing more about you as time goes on and your work in the compliance and privacy arena. Thank you.