In this article, we delve into the specifics of GDPR compliance for healthcare entities, and take a look at the types of data that need protection, as well as the steps necessary to avoid hefty penalties.
When GDPR came into force in 2018, companies struggled to adjust to the new rules they would have to contend with when handling sensitive data.
While individuals were given greater rights over how their data was processed and shared, organisations had to establish clear processes for gaining explicit consent, handling data subject requests, and notifying the relevant authorities of any data breaches.
Healthcare organisations also had to take into consideration the fact that they were handling sensitive health data, which is classified as special category data under GDPR and requires even stronger protection.
However, it’s not all bad news. GDPR's stringent requirements for explicit consent, data minimisation, and enhanced security measures ensure that both organisations and patients benefit from increased data protection and transparency.
GDPR, or the General Data Protection Regulation, was brought into effect by the EU in 2018. It’s a data protection law that gives EU citizens and residents greater control over how their personal data is used, processed and shared with companies.
Under GDPR, companies must ensure they have explicit consent from individuals to process their data, and must also offer them the opportunity to access their data, as well as having it updated or deleted.
While GDPR only applies to those in the EU, similar laws such as CCPA have appeared in its wake, protecting citizens around the world.
If organisations do not comply with GDPR, they face hefty fines of up to €20 million or 4% of their global turnover - not to mention the reputational damage, and loss of customer trust they will have to contend with in the wake of a GDPR breach.
GDPR applies to all organisations operating in the EU, but it’s particularly important for healthcare organisations, which handle highly sensitive data on a daily basis.
Information collected by healthcare organisations is deemed special category data under GDPR, which means there should be stricter controls in place to protect it. In order to process such data, organisations must meet one or more of the specific conditions listed in Article 9, including explicit consent, the organisation being a not-for-profit body, public health (with a basis in law) and organisations working in health or social care (with a basis in law).
Any healthcare systems and processes must follow a privacy by design model, with data protection principles integrated from the outset. Kristy Gouldsmith, Data Protection, Privacy, and Cybersecurity Partner at Spencer West LLP highlighted the importance of this in one of our recent webinars. “It's far cheaper and more efficient to embed your data protection bits at the beginning than create your shiny new thing and think, ‘where are we going to put that data protection bit now?’”
There are a number of reasons why GDPR is important for organisations as well as the patients they are serving:
There are a few different types of data that need to be protected under GDPR. Healthcare organisations will almost certainly be dealing with Special Category Data which requires extra protection, such as implementing data minimisation techniques and adding additional security measures.
Healthcare companies must protect these types of data:
PII encompasses any data that can identify an individual, like their name, address, email address, and phone number.
Any information related to someone’s health such as diagnoses, medical history, test results, and prescriptions must be protected under GDPR.
In Article 4(13) of GDPR, genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.’
In Article 4(14), biometric data ‘means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.’
Where patients must pay for their treatment, financial information related to billing must be kept safe and secure under GDPR. If unauthorised users access this, they can use it for identity theft and potentially drain patients’ bank accounts as well as exposing their health conditions.
Patients using private healthcare will share policy numbers and claims information with healthcare organisations; this information must be protected in order to prevent data leakage.
There are several requirements healthcare organisations must take into account when ensuring compliance with GDPR.
Data breaches are costing healthcare organisations an average of $10.93 million, according to IBM’s 2023 Cost of a Data Breach report, but it’s not just the financial impact they have to contend with.
If an organisation is found to be in breach of GDPR, it may need to pay out hefty penalties that can reach up to €20 million or 4% of annual global turnover, whichever is higher. Couple that with operational disruptions due to investigations, and a healthcare organisation could soon find itself with fines piling up, little money coming in, and potentially delayed patient care.
Due to the sensitive nature of the data they process, a data breach can result in psychological distress for patients who may have to deal with the impact of identity theft and fraud, as well as the potential embarrassment that may accompany their medical history becoming public knowledge.
The organisation might also take a hit to its reputation, with 66% of people less likely to trust a company after a data breach. If this results in loss of business, it can have a further detrimental impact on the company.
Finally, as a result of the breach, healthcare organisations may face increased scrutiny from regulators in the future, prompting them to invest significantly in upgraded security systems to ensure data isn’t breached again, leading to further operational costs.
There are several steps healthcare organisations need to take to be GDPR compliant:
You can’t protect what you can’t see. The initial step in ensuring GDPR compliance is understanding where all your data is stored, the sensitivity of the data, and who has access to it.
Having a Data Protection Officer in place helps keep the business accountable for GDPR compliance, and ensures that health data is processed in the right way. The DPO doesn’t have to be a full-time employee - the role can even be filled by an external person, if necessary.
Confirm that there is a legal basis for processing personal data, such as explicit patient consent or legitimate interest.
Write up privacy notices that are easy for patients to understand, explaining how their data is used, shared, and protected.
Ensure processes are in place to handle data subject requests from patients, such as the ability to access, delete and update their records.
Regularly conduct DPIAs for high-risk processing activities to identify potential privacy risks, and mitigate them effectively.
Establish clear protocols to detect, report, and investigate data breaches, including notifying the relevant authorities within 72 hours of becoming aware of a breach.
The easiest way to ensure compliance with GDPR is to ensure your entire workforce understands how they should handle data to keep it secure. Since 74% of data breaches are due to human error, your human firewall can be a powerful way of protecting your patient data and complying with regulations.
It’s easy to assume your third-party service providers are GDPR compliant, but it’s always best to check. Make sure it’s outlined in your contracts so that they’re clear on their obligations to protect patient data as much as you are.
Metomic can assist healthcare organisations in becoming GDPR compliant by providing a comprehensive platform that streamlines data governance and compliance processes.
Here's how:
1. Data Discovery: Metomic helps healthcare organisations to identify and document the personal data they collect, store, and process - crucial for understanding where personal data resides within the organisation.
2. Data Minimisation: With automated rules at your fingertips, it couldn’t be easier to reduce the amount of redundant data you hold on to. Metomic is built for minimising attack surface, taking a weight off security teams’ minds.
3. Human Firewall: Educate your team on data security best practices with employee notifications, delivered via Slack, to help them understand where they might be going wrong, and give them a nudge in the right direction.
4. Compliance Reporting: Metomic offers reporting functionalities to monitor compliance efforts continuously.
Request a personalised demo with one of our data security experts to see how we could work for your business.