IN CONVERSATION WITH
Ms. Nahid Hossain, Director – Legal, Compliance and Quality, Novo Nordisk Pharma (Private) Limited.
— Interview by Barrister S M Mushfiqur Rahman
Ms. Nahid Hossain has established a strong presence within Bangladesh’s corporate legal sector. As a leading multinational pharmaceutical company, Novo Nordisk Pharma Private Limited (NNPPL) places strong emphasis on data protection. In this interview, Ms. Hossain highlights the company’s key data protection practices while reflecting on her leadership journey and vision for the future.
Questions:
For pharma MNCs, data, specifically health-related personal data, is both a vital asset and a high-risk resource for pharmaceutical companies. This data enables us to ensure clinical excellence, regulatory compliance, and of course further research and development. However, managing this data – either collecting, anonymizing, pseudonymizing or processing – demands rigorous legal, technical, and organizational safeguards to meet heightened standards as set by the European data protection rules and the local rules to protect patient rights.
At Novo Nordisk Bangladesh affiliate, only necessary data is collected, that too with informed consent, transparency on purpose and retention, with the provision to opt out at any time. Access is restricted on a need-to-know basis, storage uses strong technical controls, and data is retained only as long as necessary. Operationally, we implement role-based access, encryption at rest and in transit, routine audits, and periodic staff training on confidentiality and secure handling. Where possible, data minimization and pseudonymization are used for analytics and reporting so identifiable information is not exposed unnecessarily. We also have a data protection officer appointed for the Bangladesh affiliate, and globally, pharmaceutical companies typically have mature privacy programs to ensure standardized data protection all over the world.
Generally, any organization dealing specifically with health-care data needs to appreciate the sensitivity of such data, since this raises both privacy and regulatory exposure, and ethical exposure as well. Improper handling or unauthorized disclosure may lead to repercussions. Some operational risks include gaps in consent management, inadequate retention controls, incomplete records of processing activities, and weak access governance that enables excessive internal access. Cross-border data transfers are another risk area: lacking adequate safeguards or documentation for international transfers could contravene data protection requirements; and of course third-party risks always exist.
The legal department in any company plays a multifaceted role. We ask questions and challenge back to ensure that the operation teams are fully prepared when (if ever) push comes to shove. We make high-impact decisions, often in very little time and often with imperfect information, to ensure that business moves at full speed. Specifically with regard to data protection and privacy, the legal department translates the rules and regulations into actionable policies; updates privacy policies, consent templates, data processing agreements, and vendor contracts to reflect explicit informed-consent requirements, retention limits, and cross-border transfer safeguards as required; and manages risks. We also review and advise on lawful bases for processing data and help delineate where explicit consent is required versus where statutory or public interest exceptions may apply. We also have dedicated data protection officers that review processing inventories and privacy impact assessments.
We have been hearing that “data is the new currency” for almost 10 years now. And the trends around the data landscape have been exciting. First and foremost, there must be a general public awareness in Bangladesh that data is property. This will ensure that the demand for control, portability, and transparency is taken seriously and duly prioritized. However, in my opinion, at this age and time of globalization, Bangladesh needs to prepare for increased scrutiny of cross-border data flows and localization debates. Due to the growth of digital trade, the rules around international data transfers with regard to adequacy, safeguards, and reciprocity will become focal. Bangladesh will need a framework for lawful transfers to ensure zero compromise in data protection. We would also need a strong regulator for data protection for proper rules and enforcement to ensure compliance.
QUOTE:
“There must be broader public awareness that data is property so that demands for control, transparency, and accountability are taken seriously.”