It's been more than a year since the General Data Protection Regulation (GDPR) took effect. The European Commission's wide-reaching law was designed to protect the privacy of EU citizens and residents while pushing businesses to handle people's personal information more sparingly and with greater security and sensitivity.
Few companies rely on personal data to a greater extent than healthcare organizations, which are already required to abide by a long list of data privacy regulations. Has GDPR made a tangible impact on the way healthcare organizations operate or has it been much ado about nothing? The truth, it seems, lies somewhere in the middle.
Who Does GDPR Affect?
In many ways, GDPR has changed the way companies around the world think about collecting, processing, and using personal data. Introduced on May 25, 2018, GDPR creates a uniform data privacy law across all 28 EU member nations to be enforced wherever data processing and management practices affect EU citizens. In other words, unless your business deals exclusively with non-Europeans, you're subject to the regulation. That means any company running a website or with any sort of presence in a cosmopolitan area must comply.
Heck, even if your (independent and website-less) hospital is tucked away deep in the American heartland, you never know who might walk through your doors. For most industries and for most responsible decision makers, GDPR is effectively a global regulation, which has a lot to do with the considerable consternation it's caused.
Of course, you can theoretically maintain one process for collecting and managing the information of EU citizens/residents and another for your general clientele, but that assumes:
- You have perfect knowledge of who is and who isn't an EU citizen/resident
- It's technologically feasible to implement parallel systems at scale
- It's operationally feasible to implement two different standard operating procedures
- The bother can be financially justified
It's exceedingly unlikely that any business of any significant size can check all those boxes. Even if it can, there's also the matter of domestic legislation to consider. GDPR is widely considered a trailblazing piece of legislation that has set a standard other countries and governing bodies are sure to copy.
Look at the UK, for example: even with the country's pending EU withdrawal, and even though Brexit still leaves the UK subject to EU law for now, the British Parliament made a point of adopting GDPR requirements into domestic law under the Data Protection Act 2018.
A similar, though less dramatic, example can be seen in the California Consumer Privacy Act, which was signed into law on June 28, 2018 and goes into effect on January 1, 2020. The law has very clear and very strong GDPR influences and extends to Californians the most robust data privacy rights in the US.
Of course, the UK and California are not unique, and other instances of GDPR-inspired legislative initiatives from around the world abound.
What Are the Requirements Established By GDPR?
GDPR runs 88 pages and includes 99 articles. Obviously, this post will not relay the content of all 88 pages. Instead, it will focus on the most meaningful legal implications of the regulation — especially as it relates to the healthcare industry.
If you have a keen legal mind and a high tolerance for tedium, you can read the full regulation here. For the rest of us, the implications of GDPR in healthcare can be broken down to 12 main points.
- To capture and use personal data under GDPR, individual users must consent to their data being collected in the first place.
- Companies must also explicitly state how and why user data is being processed.
- GDPR significantly expands the definition of personal data to include information like IP addresses and biometric data in addition to basic identity information.
- Under GDPR, users have the right to submit a subject access request (SAR) for access to their data. Companies have 30 days to respond to such requests.
- Under certain conditions [1], users also maintain the "right to be forgotten". If, for example, the explicit purpose claimed by a company in collecting and processing user data no longer applies, users can request that their personal data be deleted. Here too, the company has 30 days to respond [2].
- Users can also withdraw their consent for future data collection at any time.
GDPR draws a distinction between "data controllers" and "data processors." Data controllers are the entities that collect data and determine the purposes and means of data processing, while data processors are the entities that advise on data collection and process the collected data on behalf of the controllers. If your company operates as both controller and processor, it is subject to the legal strictures of both.
- Under GDPR, the data controller must ensure not only that their own collection activities fall in line with GDPR requirements, but that the data processor is operating in a compliant manner.
- The data processor, in turn, is responsible for maintaining records related to the collection of data.
- Both parties are liable if there is a data breach or violation of user rights under the law.
- Companies are also required to report a data breach within 72 hours of discovering that it has occurred.
- The report must include specific details about the breach, including how many people were affected and what type of data might have been compromised.
- Certain companies are also required to appoint a data protection officer (DPO), including companies that process significant amounts of data related to a user's genetics or health, such as hospitals.
- Theoretically, this applies equally to non-EU businesses so long as "the core activities" of the controller or processor involve the processing of such information "on a large scale", though the quoted terms are fairly ambiguous and can be debated.
Of course, as a matter of enforcement, non-EU entities that fail to appoint a DPO, but otherwise materially comply with GDPR are unlikely to garner much attention.
As for suspected violations that do hold the attention of authorities, audits and investigations are conducted, and instances of non-compliance can be met with potentially massive fines.
- If a company is found guilty of mishandling personal data, it could be subject to fines of up to €20 million or 4% of its annual revenue, whichever amount is greater.
The Controversy Over GDPR's Implementation
As it is with any sweeping policy change, GDPR's implementation was met with some controversy. Thousands of amendments were proposed during the drafting of the regulation and many companies decried the additional investment required to comply with the law's consent and data-mapping requirements. The estimated cost of GDPR compliance for all companies in the EU and U.S. is said to exceed $280 billion.
Another major concern over the implementation of the law, which was designed with an eye on large tech firms, was that it actually gave an advantage to businesses with deeper pockets. Smaller businesses, some argued, likely did not have the resources to comply with GDPR as easily as larger companies, such as Google or Facebook.
In a similar vein, some critics argued that GDPR lacked clear regulatory definitions, despite the steep fines it allows regulators to impose. Among the most hotly debated terms in the legislation was what constituted a "reasonable" level of data protection on the part of processors and controllers under Article 5 of the law. Given the potentially mammoth fines companies could be facing, the lack of clarity was disturbing to many. Other vague terms found in Article 5, such as "undue delay" of data erasure, served only to compound the confusion.
Finally, some critics argued regulators would be incapable of enforcing an extraterritorial law that stretched well beyond the borders of the EU — covering companies that might not even be aware of GDPR's existence.
The Impact of GDPR In Healthcare
GDPR is significant for the healthcare industry, which is no stranger to sweeping regulations. In the US, most of those regulations are tidily packaged in the Health Insurance Portability and Accountability Act (HIPAA). Throughout the rest of the world, prior to GDPR, it has mostly been a patchwork of different and confusingly overlapping governance frameworks cobbled together over decades.
GDPR aims not only to achieve regulatory consolidation, improved clarity, and broadly superseding jurisdiction, but also a significantly expanded scope of data protection. The most obvious way in which this is accomplished is by widening the definition of personal data and stiffening the protection required for it. According to GDPR, there are three types of personal data that are particularly relevant to the healthcare industry:
- Data concerning health: Any data that is related to a person's physical or mental health is considered personal and protected data under GDPR. This includes any information related to the type of care they've received (as the patient's health status may be inferred).
- Genetic data: Information related to a person's genetic makeup is also subject to GDPR protections. This includes any lab results relating to an analysis of a biological sample, as well as any characteristics that might reveal details of the patient's physiology or health.
- Biometric data: Biometrics refers to data related to someone's physical or behavioral characteristics. Such information is considered personal per GDPR (and must therefore be protected) since it can be used to identify a specific person. This includes facial images, fingerprints, gait traits, and more.
Each of these types of personal data is subject to the rights GDPR conveys upon EU citizens/residents, such as the consent requirements, the healthcare delivery organization's (HDO's) obligation to justify and explain how data is collected/used, and the patient's right to erasure.
In the US, for example, it's long been common practice for healthcare organizations to retain patient data indefinitely. However, under GDPR, an EU citizen could request a healthcare organization to delete their records under certain circumstances. Healthcare organizations must now be prepared for that scenario.
Moreover, the requirements for active consent and a declaration of purpose in data collecting/processing should prompt healthcare organizations to draft new consent forms, which specifically reference the type of personal data that will be collected, explain how it will be used, and include an explicit opt-in or opt-out box for patients to check.
GDPR is similar to HIPAA in that it requires that tight security measures govern the use of medical technologies and clinical assets. GDPR differs in its demand that data breaches be reported within 72 hours of discovery. Under HIPAA, healthcare organizations have 60 days to report breaches.
Naturally, to come into line with these more onerous requirements, if they haven't already, hospitals need to make some serious operational and technological changes.
What Have We Learned Since GDPR Went Into Effect?
In the year-plus since GDPR went into effect, we've been able to see how regulators enforce the law in practice. After a relatively slow start, 2019 stands out as the year of enforcement.
In January 2019, French data protection authority CNIL imposed a €50 million fine on Google for what the agency said were violations of GDPR rules around transparency and processing personal data for advertising purposes. That fine was soon surpassed by the UK's Information Commissioner's Office, which imposed a £183.4 million fine on British Airways and a subsequent £99.2 million fine on Marriott for data breach-related violations.
Now it looks like Google might be hit with another penalty. In September 2019, Brave Software filed a formal complaint against the search giant and published purported evidence of how Google's Ad Exchange flouts GDPR requirements. An investigation is currently underway and, if found guilty (which seems likely), Google can face fines as high as $5.4 billion.
Given that up until 2019 the largest fine levied by GDPR oversight bodies was a measly €400,000 penalty imposed upon a Portuguese hospital, it's apparent that authorities are now looking to more aggressively enforce GDPR and are targeting large actors first and foremost. It also underscores the notion that healthcare organizations are among the few players outside of Big Tech to register on the enforcement radar.
If the past several months are any indication, businesses should expect larger fines more frequently. Failure to abide by the requirements set out in GDPR is simply asking for trouble. Businesses, including healthcare organizations, should be proactive about coming into compliance, as well as creating a widespread culture of cybersecurity to reduce their risk of breach – and the subsequent fines.
Compliance With GDPR Is Only the Beginning
GDPR is sweeping in its scope and adds stringent new requirements to any company capturing and using personal data of EU citizens or residents. Compliance is not a one-off exercise but should instead be baked into organizational structures.
When it comes to GDPR in healthcare, a critical component of compliance is the implementation of a wholesale cybersecurity strategy, complete with technological solutions that help insulate healthcare organization networks. Healthcare organizations should seek tools that not only provide them with a comprehensive view of their network as it currently exists, but also allow them to adapt on the fly to new threats and prevent them before they occur.
GDPR did signal a significant shift in our collective culture toward data protection and user privacy. However, legislation and compliance are just the beginning. Providing companies with a checklist they must follow in order to avoid fines might cause some movement, but deeper progress can only be made by fundamentally and organizationally prioritizing data privacy and digital security. Only when organizations are insulated from attack using strong cybersecurity tools and a comprehensive strategy can personal data truly be protected.
[1] In addition to the purpose of collection no longer being relevant, other conditions include:
- The withdrawal of consent when consent alone is the lawful basis for data collection.
- "Legitimate interest" is the lawful basis for data collection/processing, the individual objects to the processing of their data, and there is no overriding legitimate interest.
- The data is collected/processed for direct marketing purposes and the individual objects to that processing.
- The data was collected/processed in order to offer information society services to a child.
[2] User data can be retained despite an erasure request if the organization requires that data in order to comply with legal obligations.