GDPR: What You Should Know


On May 25th, 2018, the EU's new data protection reform went into effect, giving consumers more control over their personal data. Below we outline the implications of these new standards for data protection and what you should know going forward. Much like the recent changes to EU VAT law, it affects any company that does business with, or has customers in, the EU member states. It is automatically applicable across all member states.

Impact on medical devices:

  • The GDPR strengthens the existing requirements on IoT devices in relation to data subject consent.

  • Consent cannot be assumed, and consent should not be regarded as freely given if the data subject has no free choice or is unable to refuse consent without a negative impact.

  • Consent is invalid "in a specific case where there is a clear imbalance between the data subject and the controller"

    • This will be a tricky one in practice for business models that entail provision of services to the clinical profession and institutions

    • The GDPR increases the risk related to a consent-based business model considerably by imposing additional and onerous requirements with respect to informed consent

  • There is a requirement to provide intelligible consent language and to obtain consent by affirmative action

  • In addition, the concept of grandfathering will not apply. Existing consents do not remain valid if they do not meet the new requirements

How GDPR Redefines "health data"

  • All data relating to the past, present and future physical or mental health status of the subject

  • Information collected during registration

  • A number or other piece of data assigned to a person to uniquely identify their health data

  • Information from testing or examination

  • Information on a disease, disability, disease risk, medical history, clinical treatment, or the physiological or biomedical state of the subject

  • Consent must be specific, informed, freely given and positively given, rather than assumed or obtained via an opt-out condition

  • However, EU member states have the option of introducing their own conditions about the management and processing of genetic data and biometric data

Inclusion of Privacy Impact Assessments (PIA):

  • Regulations require all companies that process personal health data to conduct a Privacy Impact Assessment (PIA) prior to the processing

    • A PIA is defined as

      • A systematic description of the envisaged processing operations and the purposes of the processing

      • An assessment of the necessity and proportionality of the processing operations in relation to the purposes.

      • An assessment of the risks to the rights and freedoms of data subjects

      • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned

Children's Data:

  • Children under the age of 13 cannot give valid consent regarding their own data when it comes to online services

  • The situation for children under 16 will be decided by each member state.

Profiling requirements:

  • Informing the data subject of profiling and its details in advance, more specifically "meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject";

  • In the case of profiling based on data concerning health, obtaining explicit informed consent from the data subject for that profiling;

  • When profiling is based on personal data concerning health, performing a PIA before commencing; and

  • Implementing suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

  • Expect manufacturers to have a steep learning curve in explaining their profiling to their patients in a meaningful way, performing PIAs and implementing measures to address the identified risks, as most companies currently see obtaining meaningful (or even legal) informed consent as an inconvenience

Security Requirements:

  • Personal data breaches must be notified to the competent DPA without undue delay, and in any event within 72 hours of becoming aware of the breach (unless a delay can be justified); the data subjects concerned must also be notified if their interests may be affected

  • A personal data breach is a "breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

  • This means that the obligation can be triggered regardless of whether data was stolen or deleted after a security breach

  • What exactly constitutes a security breach will be further defined in guidelines by the new European Data Protection Board

Export of Data to Extra-EU Jurisdictions

  • Export of personal data outside the EEA will remain permissible only where an adequate level of protection exists, much as is currently the case; the export requirements will not be materially different

  • The question, however, is whether the Privacy Shield for export to the US will ever be accepted, and what the member states will do, as they retain the competence to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health

  • This means that e.g. the French healthcare data hosting requirements and similar national measures will continue to exist.

What You Need To Know About GDPR

  • GDPR protects all EU citizens no matter where they live and no matter with whom they're doing business, meaning that American companies with EU customers are squarely subject to GDPR requirements and, worse, penalties

  • According to a recent report from Crowd Research Partners, only 7 percent of companies are on track to be GDPR-compliant by its deadline

  • A piece of data with a European address will most likely be interpreted as European

  • Bigger companies will face the most scrutiny, but that does not mean smaller businesses are not also legally liable

How Can You Protect Your Business?

  • The GDPR will now require businesses to appoint a Data Protection Officer (DPO), someone who has "expert knowledge of data protection law and practices," but the GDPR does not define the specific credentials one should have

    • To hire the right DPO, you'll need to ensure they have expertise in data protection law and practices and a complete understanding of your IT infrastructure, technology, and technical and organizational structure

    • You may designate an existing employee as your DPO, or you may hire a DPO externally.

    • Companies and organizations should look for candidates that can manage data protection and compliance internally while reporting non-compliance to the proper Supervisory Authorities

    • If you're looking to develop this talent in-house, then a good bet is to search English-speaking, European online learning resources, many of which have developed GDPR DPO courseware for this purpose

  • In order to stay compliant, you'll need to employ at least one encryption method for physical servers, network attached storage (NAS), disks and drives, and network access

  • You'll need to cut out any practices that access or process data for unauthorized purposes, constantly monitor and verify data to ensure relevance, and completely and irreversibly purge customer data when asked to do so