Four years after its adoption by the European Parliament, the General Data Protection Regulations (GDPR) – a set of compliance requirements designed to give individuals greater control over their personal data in an increasingly digital economy- finally went into effect on May 25, 2018.
GDPR’s overall scope is broad, impacting all personal data (ie, any data that can be used to directly or indirectly identify a living person, including genetic, psychological, cultural, religious and/or socioeconomic).
GDPR’s Global Reach
Among its many reforms, GDPR also seeks to protect sensitive patient data (protected health information, PHI) by ensuring it is collected legally, secured appropriately, and preserved from unauthorized use by those who manage it. And lest you think a US-based, HIPAA compliant IT company offering cloud services is automatically exempt from an EU ruling, you should know it isn’t necessarily so – in part because of the global nature of cloud services. Data handlers in the US who serve clients under EU jurisdiction will need to abide by GDPR for those clients.
The primary reason for this is that GDPR is actually designed to be consumer-centric. This means that any data management company, whether in the US or another non-EU country, is obligated to adhere to GDPR if they want to host the data of a citizen from the EU. A US-based data company in Silicon Valley, for example, would clearly be impacted and obliged to abide by GDPR mandates if handling data for a customer with citizens under EU jurisdiction.
When it comes to protected health information (PHI) – regulated by HIPAA in the US – the primary focus is on protecting patient records from unauthorized disclosure. It is American organizations – hospitals, health clearinghouses, and financial/administrative healthcare providers that are in view, as opposed to individuals.
How Does GDPR Relate to HIPAA?
In contrast, GDPR seeks to cut a much broader swath with its regulations, addressing a number of areas on which HIPAA is silent. To cite one example: GDPR includes permissions for the processing of health-related data for political, philosophical, religious, or trade unions of members or former members – with “explicit consent” from the individual. This is a higher standard than that used for other forms of personal data. Interested parties can see further specifics and differences in relation to HIPAA regulations here:
Like HIPAA, GDPR imposes significant fines for non-compliance, based on criteria ranging from the nature of the infringement (number of people affected, duration, and damage suffered, etc.) to preventative measures taken (previous levels of implementation), to the type of data infringement. Fines may be as high as €10 million for lower level infringements, and up to €20 million for upper level – far exceeding the maximum 1.5 million per year for HIPAA violations. It behooves companies impacted by GDPR to ensure that they (or their managed service provider) understands and meets these compliance regulations for handling PHI, and updates their stated policies to reflect that.
Here are some additional hallmarks of GDPR, from a general data processing and storage standpoint:
- There is a limit for how long data can be stored. This has been called “the right to erasure,” or “the right to be forgotten.” (Note: consider how vastly different this is from a company like Google that holds on to your data, whether you delete it or not). Application? Data storage companies must first know where their client’s data resides – which means data flow mapping will be crucial. Following this, they must have the ability to completely erase all personal data they process about a particular person, upon request.
- Data may be processed only if that data is “adequate, relevant and limited to what is necessary for the purpose for which they are processed.” Under GDPR, data not required for business purposes should be deleted.
- Personal data shall be protected from unauthorized access, illegal processing, and loss. In this instance, the regulation points out pseudonymization and encryption of data. Furthermore, the “ability to ensure availability and resilience of processing systems and services” is vital.
The protection of personal data continues to be an evolving process, and GDPR offers some promising signs that a global response is warranted. Companies that do business with the EU, especially those impacted by past data breaches, can see this as an encouraging move towards that end.