Key Points:

1. GDPR, or the General Data Protection Regulation, applies to all organisations operating in the EU.
2. For patients, it ensures greater control over their personal data, protects sensitive health information, and requires informed consent for data processing, thereby enhancing privacy rights and transparency.
3. Healthcare organisations must follow several GDPR requirements, including lawful basis for processing, data minimisation, strong security measures, prompt responses to data subject requests, and breach notifications within 72 hours.
4. Metomic helps healthcare organisations comply with GDPR by minimising the amount of data they store, and allowing them to set automated rules so that sensitive data is monitored 24/7.

When GDPR came into force in 2018, companies struggled to adjust to the new rules they would have to contend with, when it came to handling sensitive data.

While individuals were given greater rights over how their data was processed and shared, organisations had to establish clear processes for gaining explicit consent, handling data subject requests, and notifying the relevant authorities of any data breaches.

Healthcare organisations also had to take into consideration the fact they were handling sensitive health data, classified as special category data under GDPR, that requires even stronger protection.

However, it’s not all bad news. GDPR's stringent requirements for explicit consent, data minimisation, and enhanced security measures ensure that both organisations and patients benefit from increased data protection and transparency.

What is GDPR?

GDPR, or the General Data Protection Regulation, was brought into effect by the EU in 2018. It’s a data protection law that gives EU citizens and residents greater control over how their personal data is used, processed and shared with companies.

Under GDPR, companies must ensure they have explicit consent from individuals to process their data, and must also offer them the opportunity to access their data, as well as having it updated or deleted.

While GDPR only applies to those in the EU, similar laws such as CCPA have appeared in its stead, protecting citizens around the world.

If organisations do not comply with GDPR, they face hefty fines of up to €20 million or 4% of their global turnover - not to mention the reputational damage, and loss of customer trust they will have to contend with in the wake of a GDPR breach.

How is GDPR relevant to healthcare?

GDPR applies to all organisations operating in the EU but it’s particularly important for healthcare organisations who are handling highly sensitive data on a daily basis.

Information collected by healthcare organisations is deemed special category data under GDPR, which means there should be stricter controls in place to protect it. In order to process such data, organisations must meet one or more of the specific conditions listed in Article 9, including explicit consent, the organisation being a not-for-profit body, public health (with a basis in law) and organisations working in health or social care (with a basis in law).

Any healthcare systems and processes must follow a privacy by design model, with data protection principles integrated from the outset. Kristy Gouldsmith, Data Protection, Privacy, and Cybersecurity Partner at Spencer West LLP highlighted the importance of this in one of our recent webinars. “It's far cheaper and more efficient to embed your data protection bits at the beginning than create your shiny new thing and think, ‘where are we going to put that data protection bit now?’”

Why is it important for organisations and patients?

There are a number of reasons why GDPR is important for organisations as well as the patients they are serving:

Organisations

1. Enhancing Trust: Complying with GDPR helps organisations to demonstrate that they have their patients interests’ at heart, and can be relied upon to protect highly sensitive data.
2. Next Level Security: While ensuring compliance with GDPR, organisations will inevitably enhance their security measures, making it more difficult for cybercriminals to hack into systems, or for negligent employees to leak data accidentally.
3. Ensures Accountability: Where previously, there may not have been someone overseeing data security within a healthcare setting, GDPR requires a Data Protection Officer to be in place to ensure data is secured.

Patients:

1. Data Privacy Rights: GDPR gives individuals much greater control over their personal data, including the right to access it and have it deleted, enhancing their privacy rights when it comes to healthcare, in particular.
2. Protected Data: Sensitive information such as medical history, or ongoing conditions, can be embarrassing or detrimental for patients, if such data were to be leaked. Knowing it’s protected by GDPR regulations can be reassuring for individuals who might be dealing with ongoing issues they might not want their employer, their family, or the public to know about.
3. Giving Informed Consent: Under GDPR, patients are fully aware of how their data is used, and must provide explicit consent for it to be processed, ensuring they get full transparency from healthcare organisations.

What data needs to be protected?

There are a few different types of data that need to be protected under GDPR. Healthcare organisations will almost certainly be dealing with Special Category Data which requires extra protection, such as implementing data minimisation techniques and adding additional security measures.

Healthcare companies must protect these types of data:

1. Personally Identifiable Information (PII)

PII encompasses any data that can identify an individual, like their name, address, email address, and phone number.

2. Health Data (Special Category Data)

Any information related to someone’s health such as diagnoses, medical history, test results, and prescriptions must be protected under GDPR.

3. Genetic Data (Special Category Data)

In Article 4(13) of GDPR, genetic data is defined as ‘personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.’

4. Biometric Data (Special Category Data)

In Article 4(14), biometric data ‘means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic [fingerprint] data.’

5. Financial Information

Where patients must pay for their treatment, financial information related to billing must be kept safe and secure under GDPR. If unauthorised users access this, they can use it for identity theft and potentially drain patients’ bank accounts as well as exposing their health conditions.

6. Insurance Information

Patients using private healthcare will share policy numbers and claims information with healthcare organisations that must be protected, in order to prevent data leakage.

What are the GDPR requirements for healthcare organisations?

There are several requirements healthcare organisations must take into account when ensuring compliance with GDPR.

• Lawful Basis for Processing: All organisations must have a documented process that outlines how they will gather explicit consent for processing personal data, and why it is necessary for the medical treatment provided. Explicit consent must be given by patients before their data is processed.
• Data Minimisation: Data should only be collected for its intended purpose, and deleted when it is no longer needed. Data retention periods can help to reduce the amount of data across a healthcare organisation’s ecosystem, as well as the ability to determine if there are any documents that haven't been updated in a while - both of which are possible with Metomic.
• Strong Data Security Measures: The data that is collected needs to be protected well, with extra safeguards for special category data to ensure unauthorised access is denied.
• Promptly Respond to Data Subject Requests: Patients who have requested access, amendments or deletion of their data, must have their demands met within one month. This means that healthcare organisations must understand where data is stored and who has access to it, in order to fulfil these requirements promptly.
• Data Breach Notification: If a high-risk data breach occurs, healthcare organisations have 72 hours to inform the Information Commissioners’ Office (ICO) and let affected individuals know that data has been accessed by unauthorised users, under GDPR rules.
• Keep Documentation: In order to fulfil audit requirements, healthcare organisations should maintain records of data processing activities, and conduct regular Data Protection Impact Assessments (DPIAs) to determine risks to patient data, and how they can be minimised.

What are the risks of breaches and what are the implications?

1. Financial implications

Data breaches are costing healthcare organisations an average of $10.93 million, according to IBM’s 2023 Cost of a Data Breach report, but it’s not just the financial impact they have to contend with.

If an organisation is found to be in breach of GDPR, they may need to pay out hefty penalties that can reach up to €20 million or 4% of the annual global turnover, whichever is higher. Couple that with operational disruptions due to investigations, and a healthcare organisation could soon find themselves with fines piling up, little money coming in, and potentially delayed patient care.

2. Patient distress

Due to the sensitive nature of the data they process, a data breach can result in psychological distress for patients who may have to deal with the impact of identity theft and fraud, as well as the potential embarrassment that may accompany their medical history becoming public knowledge.

3. Damaged reputation

The organisation might also take a hit to its reputation, with 66% of people less likely to trust a company after a data breach. If this results in loss of business, it can have a further detrimental impact on the company.

4. Increased scrutiny

Finally, as a result of the breach, healthcare organisations may face increased scrutiny from regulators in the future, prompting them to invest significantly in upgraded security systems to ensure data isn’t breached again, leading to further operational costs.

What do healthcare organisations need to do to be GDPR compliant?

There are several steps healthcare organisations need to take to be GDPR compliant:

1. Data Discovery and Mapping

You can’t protect what you can’t see. The initial step in ensuring GDPR compliance is understanding where all your data is stored, the sensitivity of the data, and who has access to it.

2. Appoint a DPO

Having a Data Protection Officer in place helps keep the business accountable for GDPR compliance, and ensures that health data is processed in the right way. The DPO doesn’t have to be a full-time employee - it can even be an external person, if necessary.

3. Lawful Basis for Processing

Confirm that there is a legal basis for processing personal data, such as explicit patient consent or legitimate interest.

4. Clear Privacy Notices

Write up privacy notices that are easy for patients to understand, explaining how their data is used, shared, and protected.

5. Handle Data Subject Rights

Ensure processes are in place to handle data subject requests from patients, such as the ability to access, delete and update their records.

6. Conduct Regular DPIAs

Regularly conduct DPIAs for high-risk processing activities to identify potential privacy risks, and mitigate them effectively.

7. Breach Notification Protocols

Establish clear protocols to detect, report, and investigate data breaches, including notifying the relevant authorities within 72 hours of becoming aware of a breach.

8. Build a Human Firewall‍

The easiest way to ensure compliance with GDPR is to ensure your entire workforce understands how they should handle data to keep it secure. Since 74% of data breaches are due to human error, your human firewall can be a powerful way of protecting your patient data and complying with regulations.

9. Assess Vendor Risk

It’s easy to assume your third-party service providers are GDPR compliant, but it’s always best to check. Make sure it’s outlined in your contracts so that they’re clear on their obligations to protect patient data as much as you are.

How can Metomic help?

Metomic can assist healthcare organisations in becoming GDPR compliant by providing a comprehensive platform that streamlines data governance and compliance processes.

Here's how:

1. Data Discovery: Metomic helps healthcare organisations to identify and document the personal data they collect, store, and process - crucial for understanding where personal data resides within the organisation.

2. Data Minimisation: With automated rules at your fingertips, it couldn’t be easier to reduce the amount of redundant data you hold on to. Metomic is built for minimising attack surface, taking a weight off security teams’ minds.

3. Human Firewall: Educate your team on data security best practices with employee notifications, delivered via Slack, to help them understand where they might be going wrong, and give them a nudge in the right direction.

4. Compliance Reporting: Metomic offers reporting functionalities to monitor compliance efforts continuously.

Request a personalised demo with one of our data security experts to see how we could work for your business.