Q 23 HOW WILL GDPR AFFECT DOCTORS?

I had a few questions on the GDPR and thought I'd add my two bits.

GDPR & Medicine

So this is my way of explaining how GDPR will affect you. First, this isn't something new. The General Data Protection Regulation was adopted in April 2016, and the whole world was given two years to prepare before it applies from 25 May 2018. If you're just waking up to the party, you're way behind.

Does it Apply to Me if I Practice in Timbuktu?

This law protects the personal data of people who are in the EU, whatever their nationality, and it follows their data out of the EU. If you're offering services to patients in the EU or monitoring their behaviour, even if you're sitting in the Himalayas, it applies to your practice, your pharmacy or whatever business you're running. It's not Euro-centric, it's European-centric.

What’s the difference between the old and new law?

The old Data Protection Directive 95/46/EC wasn't enough to protect citizens' data. We saw how major websites and social media companies were manipulating and selling that data, and they've come under hefty fines for it.

In the past many companies failed to warn their customers that data breaches had occurred, and there was no EU-wide duty to do so. Now with GDPR, the onus is on the organisation to protect the data it collects, to do everything reasonable to safeguard it, and to be able to show that it has done so.

Research and certain clinical studies get some exemptions from individual rights, but overall every business that collects personal information, such as age, race, ethnicity and biographical details, must now comply with the law. Health data, race and ethnicity are "special categories" that get extra protection. And if you employ people and collect their data as part of your recruitment process, the law applies to that too.

No Implied Consent

Now every time you meet a patient and collect data, you may have to get consent. "These calls are being recorded for training purposes" doesn't amount to consent. If you're midway through a telehealth session and the patient asks you to stop recording, you may have to comply. Consent is now a big deal and has to be expressed rather than implied: a clear affirmative act, specific to the purpose, and as easy to withdraw as it was to give. One caveat: consent isn't the only lawful basis. Processing that's necessary for diagnosis and treatment has its own basis under the regulation, so don't rest a process on consent if you couldn't actually honour a refusal.

Patients have to be informed about breaches

A breach that is likely to put people's rights at risk has to be reported to the supervisory authority within 72 hours of you becoming aware of it. Where the risk to patients is high, the affected patients have to be told as well, without undue delay.

Data Storage Encryption

This will matter most if you run your own business. GDPR doesn't prescribe a particular technology, but it names encryption and pseudonymisation as examples of the "appropriate technical and organisational measures" it expects, and it treats properly encrypted data more leniently if it's lost: you don't have to notify patients about a breach of data that's unintelligible to whoever took it. In practice that means encrypting records at rest and in transit, putting more than a single password between an attacker and the whole record set, and pseudonymising working copies: replace names and patient numbers with tokens, and keep the key that links tokens back to people somewhere separate, so a leaked dataset can't be matched to an individual without it. If you have your own business, this is something you're going to have to invest in.
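One way to implement the tokenisation described above, as an added example that is not part of the original post: a short Python script that replaces patient identifiers with keyed tokens and keeps the re-identification table apart from the working dataset. The records, identifiers and key handling are constructed for illustration; a real deployment would hold the HMAC key in a key-management system and the lookup table in a separately controlled store.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example; none of these are real patients.
RECORDS = [
    {"patient_id": "NHS-0000123", "name": "A. Example", "diagnosis": "hypertension"},
    {"patient_id": "NHS-0000456", "name": "B. Sample", "diagnosis": "type 2 diabetes"},
]


def naive_token(patient_id: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This looks anonymous but is not: patient numbers come from a small,
    structured space, so anyone can hash every plausible number and match.
    """
    return hashlib.sha256(patient_id.encode()).hexdigest()


def keyed_token(patient_id: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    Without the key an attacker cannot compute candidate tokens at all, so a
    dictionary attack over the ID space fails. The key is the 'additional
    digital key' that has to be stored apart from the data it protects.
    """
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into a working dataset and a re-identification table.

    The dataset keeps only the token and the clinical fields. The table maps
    token -> direct identifiers and belongs in a separate store, under its
    own access control, alongside the HMAC key.
    """
    dataset, lookup = [], {}
    for rec in records:
        tok = keyed_token(rec["patient_id"], key)
        dataset.append({"token": tok, "diagnosis": rec["diagnosis"]})
        lookup[tok] = {"patient_id": rec["patient_id"], "name": rec["name"]}
    return dataset, lookup


def reverse_by_guessing(token, candidate_ids):
    """Attacker model: a leaked token but no key, so the best the attacker
    can do is hash every candidate identifier and compare."""
    for cid in candidate_ids:
        if hmac.compare_digest(naive_token(cid), token):
            return cid
    return None


def demo():
    """A leaked naive token is reversed; a leaked keyed token is not; the
    key holder still re-identifies through the lookup table."""
    key = secrets.token_bytes(32)
    dataset, lookup = pseudonymise(RECORDS, key)
    # A thousand guesses stands in for the few million a real ID space allows.
    guesses = [f"NHS-{n:07d}" for n in range(1000)]
    naive_hit = reverse_by_guessing(naive_token("NHS-0000123"), guesses)
    keyed_hit = reverse_by_guessing(dataset[0]["token"], guesses)
    reidentified = lookup[dataset[0]["token"]]["name"]
    return naive_hit, keyed_hit, reidentified


if __name__ == "__main__":
    print(demo())  # ('NHS-0000123', None, 'A. Example')
```

The point of the keyed construction is that identifiers such as patient numbers have very little entropy: an unkeyed hash can be undone by enumerating the ID space, so it does not stop the data being matched to a person. With HMAC the tokens stay consistent (the same patient gets the same token, so records can still be joined) but only whoever holds the key can produce or check them. Note that pseudonymised data is still personal data under GDPR as long as the key exists, so the table and key need the same care as the original records.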

Hiring Data Protection Officers

You must appoint a data protection officer if your core activity involves large-scale processing of health data or other special categories, large-scale regular monitoring of people, or if you're a public authority. A hospital will almost certainly need one; the regulation says an individual doctor's patient records don't count as large scale, though your national regulator may set a stricter bar, so check. The DPO advises on and monitors your compliance, plans your GDPR strategy and is the contact point for the regulator and for patients when data issues arise. This is an essential step in the regulation, and companies are facing a shortage of people to hire for the role.

Data Portability

Patients can ask for the data they've given you in a structured, commonly used, machine-readable format, and can ask you to send it to another company, hospital or practice where that's technically feasible. The right covers electronically processed data held on the basis of consent or a contract, so it's narrower than the right of access, but you still need to be able to export records and transfer them securely.

Right to Access

Patients have the right to ask for a copy of the data you hold about them, to know the purpose for which you're holding it and what you're using it for, who you share it with, and how long you'll keep it. You normally have a month to respond, and the first copy has to be free.

These are just some of the steps in GDPR. There are many articles and provisions. I picked the ones that seem to be the most important as far as I’ve read.

What happens if you don't comply with GDPR?

You get a hefty penalty. Fines come in two tiers: up to €10 million or 2% of worldwide annual turnover for the lesser breaches, and up to €20 million or 4% for the serious ones (the basic principles, consent, data subjects' rights and international transfers), whichever is higher. Yup, they are big administrative fines, which is why businesses have been racing the clock to get ready this week.

While this regulation may seem frivolous and expensive, I honestly applaud the European Union for protecting its citizens' data and controlling who has access to it. In taking this step, global businesses will have to be more careful with our data, and who knows, other countries may follow suit.

Are you ready for GDPR? What steps has your hospital taken to get ready? We’d love to know.