The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 – and any organisation that handles EU residents’ personal information must comply with it. This includes the private and public healthcare sectors, and affects not only medical histories – considered ‘sensitive data’ – but also personal data.
Healthcare providers must ensure that they comply with the requirements of public authorities and are able to demonstrate that they are protecting their patients’ information adequately. Any hospital or other healthcare organisation must also verify its patients’ identities, and create an accurate system that allows for the erasure or rectification of their data.
Three categories of health data
- Genetic data is contained within Article 9 of the GDPR: “Processing of special categories of personal data”. Recital 13 defines it as “personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
- Biometric data, when it is used for “uniquely identifying a natural person”, is also included in Article 9 of the Regulation. Recital 14 defines it as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
- Data concerning health, also included in Article 9, is defined in Recital 15 as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Three key steps to comply
Although there are many steps to GDPR compliance, we want to highlight three of them that healthcare organisations should undertake:
- Accountability. Organisations must establish a GDPR compliance programme. To achieve this, we recommend conducting a gap analysis that will describe your current level of compliance with the GDPR. It will also identify the location of your internal capabilities.
- Data protection officer (DPO). Appointing a DPO is mandatory if your organisation processes special categories of data (as listed in Article 9 of the GDPR) and personal data relating to criminal convictions and offences on a large scale. It is also compulsory when data processing operations require regular and systematic monitoring of data subjects on a large scale.
- Data protection impact assessments (DPIAs). Organisations must clarify who is responsible for DPIAs, when they are needed, and revise procedures and policies to support DPIA practices.
We recommend kick-starting your GDPR compliance project by enrolling on one of our GDPR Foundation courses across Europe. This course provides a comprehensive introduction to the Regulation and an overview of the legal requirements for organisations.