How many emails have you received in your inbox over the past month mentioning GDPR? While it seems like a new marketing slogan, it is actually a groundbreaking European Union Law that may change how we all think about data privacy. There is a lot of buzz today about General Data Protection Regulation (GDPR) in the business and technology media as global firms make a mad dash to ensure their compliance by May 25. What is it exactly? How are you impacted?
GDPR went into effect on May 25, 2018 after two years of preparation. Consumers around the world are starting to see impacts through notices on updated privacy policies, email requests to opt in to communication and billboards offering legal advice and action on failure to comply with GDPR.
GDPR outlines comprehensive privacy protections for individuals in the EU (“data subjects”) and goes as far as to state that the protection of personal data is a fundamental right. It applies to any firm, wherever it is located, that uses (or “processes”) the personal data of people in the EU. The regulation gives people more control over their personal data. This control grants the right to:
GDPR is also opt-in rather than opt-out: where a firm relies on consent as its lawful basis for processing, the person must actively agree, the request for consent must be plain and transparent, and the person can withdraw consent at any time. (Consent is one of several lawful bases the regulation recognizes, but it is the one most consumers encounter.) The regulation stipulates that the use of data by firms must be “lawful, fair, transparent, and relevant to reasons why consent was given” (EUR-Lex 2016). Noncompliance with GDPR may result in reprimands, orders to limit or stop processing, or administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Depending on the EU member state, penalties may also be criminal.
Although GDPR only applies to firms that process the personal data of people in the EU, there are a number of ways it could impact US healthcare. Any business, healthcare organization or otherwise, that stores or uses such data is directly in scope. GDPR compliance can be a lengthy and challenging process for businesses undertaking advanced data protection, data quality, and risk management for the first time. US healthcare providers such as large health systems, hospitals, and clinics could see some indirect impact as well, based on how their vendors respond to GDPR compliance if those vendors operate in Europe.
In addition, although many aspects of GDPR overlap with HIPAA requirements, GDPR has components that HIPAA does not (for example, consent withdrawal and the broader set of individual rights described above). There is some speculation that a US general data protection regulation may come in the near future and be modeled on the EU law. If that happens, all US healthcare providers will be heavily impacted and may need to look to advanced data governance processes and technologies, in addition to creating new FTE positions to manage long-term compliance.
If you are a US healthcare business or a healthcare provider and you have questions about how GDPR impacts you directly, please contact us to set up a conversation.