GDPR Is Looming: Five Steps American Health Care Providers Should Take
The European Union's new privacy law, the General Data Protection Regulation (GDPR), will go into effect on May 25, 2018. For the first time, EU privacy law will have extraterritorial effect, and enforcement authorities will be able to fine U.S.-based entities, including health care providers, for noncompliance.
The law is complex and compliance is challenging, especially because obligations change depending on the nature and type of data processed by the provider, as well as the manner in which the data is received. Below are five key considerations for understanding and preparing for this new regime:
1. Determine Whether the Law Applies to Your Organization
The GDPR applies to "controllers" and "processors" of "personal data." Under Article 4(1), personal data means any information relating to an identified or identifiable natural person, which is broad enough to include something as simple as an email address. The territorial scope (Article 3) is tied not to the citizenship or residence of the individual but to where the data subject is when the data is collected: it reaches data subjects who are in the EU.
For the law to apply to a U.S. health care provider, your organization must be a "controller" or "processor" of personal data (as those terms are defined in Article 4) whose processing falls within the territorial scope set out in Article 3. That scope covers entities established in the EU, and also entities outside the EU that offer goods or services to individuals in the EU or monitor their behavior there. There are exceptions and nuances, but if you treat patients from the EU, offer services into Europe, or handle EU patient data on behalf of a European entity, the law applies to you in some way.
2. Determine Whether You Are a Controller or a Processor
The GDPR governs two types of entities: controllers and processors. A controller determines the purposes and means of processing: it decides what data is collected, the legal basis for collecting it and how it is used. Although controllers are the primary targets of regulation, the GDPR also applies to processors, which process personal data on behalf of a controller. Processors receive data from controllers pursuant to written contracts and may process that data only on the controller's documented instructions. Most of the terms and conditions under which processors act are set out in Article 28. Note that the same organization can be a controller for some processing (for example, its own patient records) and a processor for other processing (for example, services performed for an EU hospital). Before attempting to determine your status under the GDPR, you should consult legal counsel.
3. Some Health Data Is Entitled to Special Protections Under the GDPR
The GDPR imposes heightened protections on "special categories" of personal data, which include genetic data, biometric data used to uniquely identify a person and data concerning health. Article 9 prohibits processing such data unless one of the specific conditions listed in Article 9(2) applies (for example, explicit consent, or processing necessary for the purposes of medical diagnosis or the provision of health care). Protected health information (PHI) governed by the Health Insurance Portability and Accountability Act (HIPAA) would fall into these special categories if the PHI in question concerns an EU data subject.
4. Data Breach Notification Standards Are Onerous
Under HIPAA's Breach Notification Rule, covered entities must notify affected individuals, and the Department of Health and Human Services Office for Civil Rights, without unreasonable delay and no later than 60 days after discovering a breach (for breaches affecting fewer than 500 individuals, the report to HHS may be made annually). Under the GDPR, the window is far shorter: a controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach (Article 33), unless the breach is unlikely to result in a risk to individuals, and must inform affected data subjects without undue delay when the breach is likely to result in a high risk to them (Article 34). A processor must notify its controller without undue delay after becoming aware of a breach. Meeting a 72-hour clock requires more than a policy change: employees must be trained to recognize and escalate potential breaches immediately, because the clock starts when the organization becomes aware of the incident, not when the legal team does.
5. Fines Are Very High
Fines for the most serious violations can reach 4 percent of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher (Article 83(5)); a lower tier of 2 percent or €10 million applies to other violations (Article 83(4)). The clear goal of authorizing such large fines was to ensure attention to compliance at the C-suite level. Of course, given that the regulation is not yet in effect, it is unclear how aggressively it will be enforced as a practical matter.