GDPR Considerations for the Healthcare Industry
The EU’s new General Data Protection Regulation (GDPR) comes into force next Friday, on May 25, 2018. With hefty, if not crippling, fines for non-compliance, it is imperative that all businesses and healthcare organizations comply with the new legislation.
What is GDPR?
Considered the “most important change in data privacy regulation in 20 years” by the EU’s GDPR Portal, this new law replaces the Data Protection Act of 1998 (DPA) in determining how personal data can be used. In an increasingly data-driven world, its aim is to protect all EU citizens from privacy and data breaches by requiring organizations to be transparent and accountable when processing data whilst also increasing the rights of individuals to know, and have better control over, the uses of their personal data.
The trouble with healthcare
Given the vast amounts of patient data held within the healthcare industry, it is highly susceptible to data breaches. Indeed, between January 2014 and December 2016, healthcare organizations accounted for 43% of all reported incidents, with the number of breaches rising by 11% in the first quarter of 2017.
With the new GDPR imposing a fine of up to €20 million (nearly USD 24 million) or 4% of annual global turnover – whichever is higher – for data breaches, compliance is of the utmost importance.
The other significant change is in scope – GDPR is applicable to all companies processing the personal data of data subjects residing in the EU, even if the organization itself is based outside of the EU. As such, all organizations need to consider their operations globally.
What do organizations need to do?
Most of the measures that healthcare organizations need to implement are process-related, such as amending policies and submitting documentation to the regulator identifying where data is stored. Here are four of the key GDPR requirements you should know about:
- Consent – Data subjects’ consent needs to be “freely given, specific, informed and unambiguous”, which will require every organization to review and update its consent procedures, including its consent forms, to ensure they are written in plain and clear language.
- Purpose limitation – Organizations can only use data for the purposes to which the patient has agreed, and organizations must be able to demonstrate that they have safeguarded the data correctly as part of the individual’s right of access.
- Privacy by design – Rather than being an add-on once a system has been implemented, data protection should instead be included in the designing of the system so that “appropriate technical and organizational measures” are implemented “in an effective way.”
- Training staff – Given the increased obligations under the GDPR, everyone within an organization needs to have a level of data protection awareness training — not just management. Training should cover data protection guidelines and a detailed outline of internal responsibilities.
Updating your policies and processes
All of the above changes will need to be implemented by May 25 to avoid fines. However, many of them relate to training and business awareness, and these will need to be embedded into an organization over a longer period of time through the introduction and maintenance of up-to-date training. Producing such training for all members of your global organization may seem daunting, especially if you have multiple offices in multiple countries speaking multiple languages. However, enlisting an experienced language service provider like Morningside can make all the difference in reducing the stresses surrounding major regulatory changes. Morningside’s life sciences team has the regulatory knowledge and subject-matter expertise to ensure high-quality ISO-13585 certified localized training content.
GDPR is only one of several regulatory reforms for which the healthcare industry needs to prepare. For example, manufacturers of connected medical devices will also need to address changes arising from the twin EU Medical Device Regulation (EU MDR) and In Vitro Diagnostic Medical Devices Regulation (IVDR) updates — and how their implementation will interact with GDPR.
For example, the underlying concerns of privacy by design in the GDPR are the confidentiality, utility and integrity of data. In other regulatory frameworks governing medical devices, the focus shifts to possession or control of devices, or to the safety of people and assets. As such, if a business is working on its privacy by design under the GDPR, it may also need to assess the impact of MDR and IVDR at the same time to avoid rewriting processes and reconfiguring systems later to comply with the additional regulations.
Looking ahead, the European Medicines Agency (EMA) Clinical Trial Regulation and the EU Falsified Medicines Directive (EUFMD) will come into force in 2019. Beyond that, the EMA has begun a phased program to implement the ISO IDMP standards for the identification of medicinal products. Companies will need to comply with each of the relevant individual regulations as well as consider their interplay with GDPR. For help aligning your organization’s compliance training programs and/or marketing materials, contact Morningside and we will be happy to help.