The General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, is set to go into effect in one month, and the new regulation has far-reaching implications for organizations worldwide that collect personal information about European Union residents. In the U.S., physicians and healthcare providers will be facing new laws regarding the safeguarding of Personally Identifiable Information (PII) for EU patients.
GDPR was adopted in April 2016 and will be fully enforced on May 25, 2018 by the UK Information Commissioner’s Office (ICO). GDPR is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy. According to many experts, the regulatory framework pertains to any organization that handles EU data, whether that organization is in the EU or not. The entire regulation can be accessed here, the EU GDPR website's frequently asked questions page can be found here and a breakdown of key changes can be found here.
Moving forward, U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to the Health Insurance Portability and Accountability Act (HIPAA) regulation and other U.S. regulations. The GDPR will affect when and how a healthcare provider must report breaches, and fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed.
According to the website of the Spiceworks virtual IT community, in a nutshell, “the regulations affect how companies must handle personal user data commonly tracked online. This includes IP addresses, geographic locations, names, home or work addresses, gender, and a wide range of more sensitive information such as health status, political affiliation, religion, and ethnicity, among other things.”
What’s more, the GDPR imposes stiff fines on data controllers and processors for non-compliance, up to 4 percent of the organization’s global annual revenue or 20 million euros, whichever is higher. According to the EU GDPR website, this is the maximum fine that can be imposed for the most serious infringements, such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines—a company can be fined 2 percent of global annual revenue for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors—meaning “cloud” will not be exempt from GDPR enforcement, according to the EU GDPR website.
According to the Spiceworks virtual IT community, the following are some, but not all, of the provisions organizations collecting or processing any personal data on EU residents must comply with if they want to avoid the risk of incurring potentially large financial penalties:
Privacy by design — Organizations that collect personal data on EU residents can only store and process data when it's absolutely necessary. Additionally, they need to limit access to this personal data on a “need to know” basis.
Consent — Under GDPR, individuals must explicitly opt in to allowing organizations to collect personal data by default. Additionally, an individual's consent can be removed at any time.
Right to access — Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request.
Breach notification — Under the regulation, in the event of a data breach, organizations must provide notification to affected parties within 72 hours.
Right to erasure — Sometimes called the right to be forgotten, organizations must honor requests to erase personal user data when asked to do so.
Data portability — Organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.
Data protection officers — Organizations that process large sums of GDPR data must assign a data protection officer (DPO).
John Barchie, a security consultant and senior fellow at Phoenix-based Arrakis Consulting, recently spoke with Healthcare Informatics’ associate editor Heather Landi to drill down further into the implications of the GDPR regulation for U.S. healthcare organizations and what steps organizations should be taking now to be compliant with GDPR. Below are excerpts of that interview, edited for length.
What are some of the key requirements of GDPR, and what do healthcare organization leaders need to know about the regulatory framework?
This is a disruptive regulation and it will require organizations to get their legal departments involved. Once it’s understood, it’s fairly straightforward. Healthcare organizations should already be fairly compliant with what GDPR is asking for. If an organization is strongly HIPAA compliant, then it will be much easier for them to absorb GDPR; if they have been going off HIPAA for a while, then GDPR is going to come as a shock.