Part 4 of our GDPR series discusses the guidelines and their applications for Healthcare:

News of the European Union General Data Protection Regulation (GDPR) has been circulating for the last two years, since the announcement that all US-based organizations that employ or collect the personal data of European citizens must comply with the new standards by the May 25, 2018 deadline. The new guidelines, somewhat similar to HIPAA compliance standards for the healthcare industry, were conceived as a data protection reform that gives European countries stricter controls for protecting personal data and gives citizens more control over it. While the new standards were designed to help the 28 member states of the EU better manage and protect data, US-based healthcare organizations will also be impacted as the GDPR goes into effect later this month.

While some organizations across the US have taken the news lightly, assuming that the new European standard will not affect their own business processes much, the strict application of the GDPR is a serious matter and will almost certainly affect a majority of organizations globally at some point in time. The healthcare industry is especially vulnerable to scrutiny, as it deals with the sensitive information of so many patients and employees, and the consequences of a breach in healthcare are great. According to the Ponemon Institute Cost of a Data Breach Study, the healthcare industry has more costly breaches than many other industries, reaching an average of $380 per lost or stolen record in the 2017 report.

With the GDPR in place, healthcare organizations will be required to have processes in place that properly manage and protect the personal data of EU residents. But considering that the new rules have not yet taken effect, it’s hard to say exactly how every aspect of the new framework will affect US companies. We do know, however, that proof of these processes, and of their compliance with the GDPR, may be requested in the form of documentation by the UK Information Commissioner’s Office (ICO). To be best prepared for the new regulatory standards, here are some key requirements that every healthcare organization should be prepared to act and report on:

Appointment, Policies and Procedures:
  • Appoint a Data Protection Officer (DPO) to be responsible for data processing
  • Record privacy and security policies and procedures
  • Implement GDPR codes of conduct
Compliance and Risk:
  • Measure privacy and security compliance controls for effectiveness
  • Implement a risk-based data processing approach
  • Determine and define risks caused by data processing activities
  • Implement Data Protection Impact Assessment
Implementation of Security Strategy:
  • Implement controls and processes that address potential security threats, vulnerabilities, and breaches
  • Manage controls for ongoing confidentiality, integrity, availability, and flexibility of systems
  • Implement pseudonymization and encryption as controls
  • Enable the restoration of availability and access to data and services in event of a security incident
  • Implement efficient processes for regularly testing, assessing, and evaluating technical and organizational measures

The healthcare industry, while not the only industry that will experience the impact of the new regulations, will likely feel immediate pressure to ensure that comprehensive measures are taken to heed the new directives set out by the GDPR. While not every US organization will be immediately affected, it’s important to remember that the GDPR is mandatory, and it will eventually be relevant. Take the necessary actions now to be ready for the challenges and requirements the GDPR imposes on the collection and use of personal data.