The new GDPR will change how a business handles customer data, and it is important for those in the eHealth sector handling data to consider, given that non-compliance with the GDPR brings with it fines of up to EUR20m or 4% of company turnover. It is also important that, if a company suffers a data breach, it informs regulators within 72 hours.
eHealth Hub held its most recent workshop on the new General Data Protection Regulation (GDPR) at the eHealth Summer University in Castres, France.
Companies should begin to prepare for the GDPR and the UK Information Commissioner’s Office recommends the following 12 steps for businesses to take now to prepare:
1.- Awareness
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
2.- Information you hold
You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
3.- Communicating privacy information
You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
4.- Individuals’ rights
You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
5.- Subject access requests
You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
6.- Lawful basis for processing personal data
You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
7.- Consent
You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
8.- Children
You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9.- Data breaches
You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
10.- Data protection by design and data protection impact assessments
You should familiarise yourself now with the practice on Privacy Impact Assessments and work out how and when to implement them in your organisation.
11.- Data protection officers
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
12.- International
If your organisation operates in more than one EU member state (ie you carry out cross-border processing), you should determine your lead data protection supervisory authority.
The GDPR will apply to companies which hold data relating to EU citizens. So regardless of whether your company is located in the EU, it will still apply should your company store or process data about EU citizens.
To make these 12 steps easier to follow, apply this simple rule to everything you do:
“Do not gather more data than needed, and gather, use and store it correctly.”
It’s our aim at eHealth Hub to help you understand the legal changes and to break down the jargon. Lawyers love definitions, but what do they mean practically, for your business? Harmonisation (=having the same law apply in every European member state) is actually an improvement, because you do not need to understand the different laws in every single country anymore.
But it also raises questions, because it is not always clear how to act in practice to follow up on these new rules, and there are different agencies to engage with in each country. In our legal workshop we used the illustration of an eHealth app to show what to be mindful of when using medical information. When you have access to health data, you need to be aware of an even stricter regime, because health data = sensitive data.
So who is responsible for the data? Answer: the controllers. Remember that it is the business’s responsibility to understand the legal obligations. This applies to any business or organisation, small or big: there are no thresholds on size and the law applies to all. Your obligations are to your customers, clients or patients (= data subjects).
Consent is the key word to understand when handling sensitive data. Consent is active, and does not rely on silence, inactivity or pre-ticked boxes. Consent is clear and is not “bundled” with other written agreements or terms and conditions, and the data subject has the right to withdraw consent at any time. So always be transparent about what you do with data, and be able to present it in a readable format should customers request the data relating to them that you hold.
It’s important to act now to be prepared for the GDPR coming into effect on 25 May 2018. Don’t be caught out: the fines for non-compliance, and the cost of losing your customers’ trust, are much higher. Act now.