On May 25th, 2018, the EU's new data protection regulation, the General Data Protection Regulation (GDPR), went into effect to give consumers more control over their personal data. Below we outline the implications of these new standards for data protection and what you should know going forward. Much like the recent changes to EU VAT law, it affects any company that does business with, or has customers in, the EU member states. Because it is a regulation rather than a directive, it applies directly in every member state without national implementing legislation.
Impact on medical devices:
The GDPR strengthens the consent requirements that already apply to connected (IoT) medical devices and the data they collect.
Consent cannot be assumed, and consent should not be regarded as freely given if the data subject has no genuine free choice or is unable to refuse or withdraw consent without detriment.
Consent is invalid "in a specific case where there is a clear imbalance between the data subject and the controller" (Recital 43).
This will be a tricky one in practice for business models built on providing services to clinicians and healthcare institutions, where such an imbalance is common.
The GDPR considerably increases the risk of a consent-based business model by imposing additional, onerous requirements for informed consent.
Consent language must be intelligible, and consent must be obtained by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count.
In addition, there is no grandfathering: existing consents remain valid only if they already meet the new requirements.
How GDPR Redefines "health data"
All data relating to the past, present and future physical or mental health status of the subject
Information collected during registration
A number, symbol or other identifier assigned to a person to uniquely identify that person for health purposes
Information from testing or examination
Information on a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the subject
Consent must be specific, informed, freely given and must be positively given, rather than assumed or via an opt-out condition
However, EU member states have the option of introducing their own conditions about the management and processing of genetic data and biometric data
Inclusion of Privacy Impact Assessments (PIA):
The GDPR's own term is Data Protection Impact Assessment (DPIA, Article 35). It is required before any processing that is likely to result in a high risk to individuals, which expressly includes large-scale processing of health data, so in practice it covers most companies that process personal health data.
A PIA must contain at least:
A systematic description of the envisaged processing operations and the purposes of the processing
An assessment of the necessity and proportionality of the processing operations in relation to the purposes.
An assessment of the risks to the rights and freedoms of data subjects
The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned
Children below the age of 16 cannot themselves give valid consent for online (information society) services; the consent of the holder of parental responsibility is required instead.
Member states may lower that age threshold, but not below 13.
Informing the data subject of profiling and its details in advance, more specifically "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject";
In case of profiling based on data concerning health obtaining explicit informed consent from the data subject for that profiling;
When profiling is based on personal data concerning health, performing a PIA before commencing; and
Implementing suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
Expect manufacturers to face a steep learning curve in explaining their profiling to patients in a meaningful way, performing PIAs and implementing measures to address the risks identified, since most companies today treat obtaining meaningful (or even legally valid) informed consent as an inconvenience.
Personal data breaches must be notified to the competent supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Notification may be skipped only where the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to them, the affected data subjects must also be informed without undue delay.
A personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed" (Article 4(12)).
This means the obligation can be triggered even if nothing was stolen or deleted: unauthorised access alone, or loss of availability of the data (for example ransomware that renders patient records inaccessible), is a personal data breach.
What exactly constitutes a breach in borderline cases will be further defined in guidelines from the new European Data Protection Board, which replaces the Article 29 Working Party.
Export of Data to Extra-EU Jurisdictions
Export of personal data outside the EEA remains permissible only where an adequate level of protection is ensured, either through an adequacy decision for the destination country or through appropriate safeguards such as standard contractual clauses or binding corporate rules. This is much like the current position, and the export requirements will not be materially different.
The open question is whether the Privacy Shield for exports to the US will be accepted as adequate, and what the member states will do, since they retain the competence to maintain or introduce further conditions, including limitations, for the processing of genetic data, biometric data or data concerning health.
This means that e.g. the French healthcare data hosting requirements and similar national measures will continue to exist.
What You Need To Know About GDPR
GDPR protects individuals who are in the EU, regardless of their citizenship, and applies to any organisation that offers goods or services to them or monitors their behaviour, wherever that organisation is established. American companies with EU customers are therefore squarely subject to GDPR requirements and, worse, its penalties.
According to a recent report from Crowd Research Partners, only 7 percent of companies are on track to be GDPR-compliant by its deadline
A piece of data tied to a European address (a postal address, or an IP address that geolocates to the EU) will most likely be treated as data about a person in the EU, bringing the GDPR into scope.
Bigger companies will face the most scrutiny, but smaller businesses are equally liable under the law.
How Can You Protect Your Business?
The GDPR requires many businesses to appoint a Data Protection Officer (DPO). Appointment is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, which includes health data, so most medical device companies will fall under the requirement. The DPO must have "expert knowledge of data protection law and practices," but the GDPR does not define the specific credentials one should have.
To hire the right DPO, you'll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure
You may designate an existing employee as your DPO, or you may hire a DPO externally.
Companies and organizations should look for candidates who can manage data protection and compliance internally while acting as the point of contact for, and cooperating with, the supervisory authorities.
If you're looking to develop this talent in-house, a good bet is to search English-speaking European online learning resources, many of which have developed GDPR DPO courseware for this purpose.
The GDPR does not mandate a particular technology, but Article 32 names encryption and pseudonymisation as appropriate security measures, and encryption has a concrete payoff: if breached data was rendered unintelligible to unauthorised parties (for example because it was encrypted and the keys were not compromised), the controller need not notify the affected individuals. In practice that means encrypting data at rest on physical servers, network attached storage (NAS), disks and removable drives, encrypting data in transit over network connections, and keeping encryption keys separate from the data they protect.
You'll also need to stop any practice that accesses or processes data for purposes other than those it was collected for, periodically review stored data to confirm it is still needed, and completely and irreversibly erase a person's data when they exercise their right to erasure, including copies held by your processors, unless a legal retention obligation applies.