by Antimo Fiorillo, Founder & CEO at Intellegant
The EU’s General Data Protection Regulation (GDPR), officially revealed in 2016, is finally going ‘live’ on May 25th, 2018, and is poised to drastically shake up data security and privacy for any company affected. Critically, this new framework applies in new and expansive ways to anyone dealing with the information of EU citizens, so it will affect a much wider set of businesses than a typical regulation. This primer will underline key new provisions, particularly in comparison to HIPAA and relevance for US medical companies.
The GDPR is broad in both scope of protections and who it will affect. The list of expanded or new rules is potentially overwhelming, with key provisions being:
that companies maintain detailed data records, so they know exactly what they have;
notify authorities of data breaches within three days;
implement the ability for customers to be ‘forgotten’;
enable customers to take their data, potentially to a competitor;
revamp ‘tiny print’ documents into readable text, and often get clear, affirmative consent;
and, in some circumstances, a requirement for companies to appoint a data protection officer.
Critically, these all apply not just to whoever collects a piece of data, but also those who store or process it. This will dramatically affect cloud providers such as Microsoft, IBM, Google, or Amazon. Under current frameworks, such companies often don’t know, or even want to know, all the details of the data they are storing or processing. GDPR places responsibility on those data managers for knowing what they have, and properly handling it in regard to all the above provisions.
The above list is daunting even for major multinationals with extensive resources. A recent PwC survey reported that 68% of responding companies were earmarking between $1 million and $10 million for readiness and compliance, and 9% were setting aside over $10 million. Despite this, when looking at every single company that will be affected, another analysis has predicted that over 50% will not be in full compliance by the end of 2018. [1]
Failure to comply? You risk fines of €20 million, or up to 4% of the previous year’s turnover, whichever is higher.
GDPR and Healthcare
GDPR, while affecting all personal data, has provisions for ‘sensitive personal data’ and ‘data concerning health’, with some important similarities with HIPAA. Under the GDPR, sensitive data includes data on the following:
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation [2]
Processing the above data is prohibited unless conditions are met, the easiest (relatively) being with ‘explicit consent’ of the individual. Other approved circumstances for use include in relation to certain legal claims and procedures, specific rights and obligations regarding employment and social security, and others. Furthermore, the regulation states:
Special categories of personal data which merit higher protection should be processed for health-related purposes only where necessary to achieve those purposes for the benefit of natural persons and society as a whole [3]
Exceptions that qualify for this rule include data being used for such purposes as social care services and systems, cross-border healthcare or health security, and some research initiatives.
Obviously, GDPR is a much broader piece of regulation than HIPAA, and is concerned with a wider scope of data. GDPR’s ‘data concerning health’ is similar, however, to HIPAA’s protected health information (PHI). This could make transition for US healthcare multinationals a bit easier, but there are important differences to consider.
In the HIPAA framework, companies are either a covered entity (CE) or a business associate (BA). GDPR mirrors this somewhat, with a structure of ‘Controllers’ or ‘Processors’. Controllers (the equivalent of CEs) are the owners of personal data, while Processors, like BAs, provide processing, storage, or other solutions to the Controller, usually under data processing agreements. How these definitions are applied is the key difference: HIPAA classifies entities based on their business model and role in the healthcare system, while GDPR focuses ultimately on ownership of the data in question. Processing data for something like a wearable heart-rate monitor, for instance, could possibly not trigger HIPAA oversight, but will absolutely be covered under the GDPR.
HIPAA applies to exchanges between CEs and BAs involving PHI. It is an organization-focused ruleset, mainly concerned with data breaches and security when transmitting information between companies and organizations. GDPR, in contrast, doesn’t just apply to the relationship between business entities. It will apply to whenever a protected EU citizen’s data is collected or used, potentially anywhere in the world.
Do business in the EU, but don’t have a physical presence? The law requires you to establish a ‘representative’ there to deal with supervisory authorities and ensure compliance. No interaction with the EU at all? If you deal with the data of an EU citizen, international law, and the established cooperative relationship between the US and EU regarding data security enforcement, may still allow fines from the EU to apply.
All told, every business using personal data in the US must consider the ramifications of the GDPR, particularly if they explicitly do business in the EU. For healthcare providers and businesses, things get even trickier due to the expanded nature of the data in question. For instance, the ‘right to be forgotten’ requires companies allow customers to have access to all their personal data, take it away, and have it deleted. This provision could be fairly simple for a company which only deals with something like payment processing. Health data, though, is extensive and varied, and legacy healthcare software could make complying with all these access and deletion requirements extremely difficult.
***
Sources
[1] https://gdpr-info.eu/recitals/no-53/
[2] https://gdpr-info.eu/art-9-gdpr/
[3] https://www.pwc.com/us/en/increasing-it-effectiveness/publications/gdpr-readiness.html