Information about our company, products and people is one of our most valuable assets. We are committed to ethical use, management and protection of information.
We strive to be good data stewards, balancing our data needs with our responsibilities to the people and communities we serve.
Our commitment applies not only to our company's information, but also to the information entrusted to us by others. Our tools, processes and procedures ensure that we appropriately use and safeguard information throughout its life cycle, preserving its integrity and preventing unauthorized access and disclosure. We have developed, and continue to improve, a comprehensive, global, state-of-the-art information security and cyber resiliency program that enables our company to fulfill its mission: inventing for life.
There is increasing pressure on companies to adopt the EU General Data Protection Regulation (GDPR) as the baseline for their own privacy programs and policies. Our company is well positioned in that we have based our global program on the GDPR.
In addition, there is increased regulatory scrutiny of, and interest in, companies that seek to collect and monetize personal information without full transparency and permission from data subjects. Regulators will continue to tighten requirements in these areas and to levy large fines. Again, we are well positioned for these changes because we have deployed a comprehensive, closed-loop privacy program and actively engage with regulators around the world.
The Global Privacy Office reports to the company's Chief Ethics & Compliance Officer, who reports directly to our Chief Executive Officer. Oversight of the Privacy Program is conducted by the Privacy and Data Protection Board (PDPB), a cross-functional board that connects to the Corporate Compliance Committee. The PDPB meets quarterly.
Programs and initiatives
Global privacy program
Over the past 19 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance and data protection across our business and with our collaborative partners and suppliers.
We were the first company in the world to obtain regulatory approval in the European Union (EU) for Binding Corporate Rules (BCRs), based in part on our existing Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPRs) certified program.
This achievement demonstrates that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions, simplifying how they address the growing regulatory challenges in this area.
Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people.
We have established a set of privacy values to guide all of our privacy, data stewardship and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.
Our company employs a data classification scheme that ensures that reasonable and appropriate security controls are applied to all company IT (information technology) assets, including customer data. We use a four-level data classification scheme and have deployed security controls that match the data sensitivity:
- Covington & Burling LLP
- French Supervisory Authority (“CNIL”)
- Information Accountability Foundation
| Global privacy program | 2015 | 2016 | 2017 | 2018 | 2019 |
|---|---|---|---|---|---|
| Number of countries in which we conduct privacy compliance verification and risk assessment | 137 | 137 | 137 | 137 | 137 |
| Number of substantiated concerns regarding privacy practices, breaches of privacy and losses of personal data¹ | 143 | 227 | 123 | 315 | 29 |
| Number of privacy breaches requiring notification by Merck & Co., Inc., Kenilworth, N.J., U.S.A., to individuals or government authorities | 0 | 1 | 0 | 2 | 2 |

¹ Privacy concerns include all concerns about our privacy practices escalated to our company's Privacy Office. Concerns are evaluated to determine whether they are a potential privacy incident. Those that are a potential privacy incident are investigated against our own privacy policies. In 2015, because the lost or stolen devices in scope were known to be encrypted, we ceased including lost or stolen MSD devices in our incident metrics. Reporting in 2017 was affected by the NotPetya cyber-incident. The increase in substantiated concerns in 2018 was due to changes in reporting practices stemming from new requirements in the EU (GDPR). In 2019, because of a change in our incident reporting methodology, we removed non-privacy quality issues; this is the reason for the decrease between 2018 and 2019.
Throughout 2019, we continued the build-out of our global privacy program, which is based on the requirements of the General Data Protection Regulation (GDPR) in the EU. While these requirements serve as our baseline globally, our privacy framework allows us to adopt the local requirements that apply in particular jurisdictions.
In addition, as part of our GDPR deployment effort, we refreshed our Binding Corporate Rules (BCR) approval with our new lead regulator in the EU, the French CNIL.