What You Need To Know About The GDPR And The Health Industry

October 26, 2020

The European Union’s GDPR (the General Data Protection Regulation) became applicable on May 25, 2018, and significantly changed the way in which personal data is managed, processed, and protected in the EU and beyond. It is not just EU companies that fall under the GDPR: under Article 3(2) it also applies to non-EU companies and organizations that offer goods or services to, or monitor the behaviour of, individuals who are located in the EU, regardless of where the organization itself is established.

With the COVID-19 (coronavirus) pandemic upon us, many healthcare organizations are finding themselves busier than ever. With so much data to handle and process, it’s never been more important for non-EU companies to be aware of, and be compliant with, the GDPR.

Some companies have struggled to become compliant with the GDPR, and mistakes are easy to make, especially when it comes to appointing an appropriate GDPR EU representative. This obligation is often overlooked but is crucial for non-EU companies’ compliance.

But what is the GDPR and what do healthcare organizations need to know about it? Keep reading to find out!

What Is The GDPR?

The GDPR came about in response to rising concerns over personal data protection. Under the GDPR, controllers and processors of personal data are required to put in place the “appropriate technical and organizational measures” needed to protect the data of individuals and to respect their data rights.

The main objective of the GDPR is to harmonize data protection laws across all countries in the European Union and to provide greater data protection safeguards to individuals in these countries. It does this by setting out specific requirements for the protection, handling, and processing of personal data, and by giving explicit data rights to individuals in the EU.

GDPR And The Health Industry

The effects of the GDPR have resonated across numerous industries, and healthcare is no exception. But what kinds of challenges does the GDPR pose for companies and organizations in the healthcare industry?

To begin with, organizations must take extra care and caution when processing and handling data concerning health, genetic data and biometric data, because the GDPR classifies them as “special categories of data”. Article 9 prohibits processing such “sensitive” data unless one of the specific conditions in Article 9(2) applies, on top of the lawful basis that Article 6 requires for any processing. Explicit consent from the individuals concerned is the condition most often relied on, although other conditions exist, for example the provision of healthcare, public health, and scientific research. Health organizations must also implement robust protection practices and safeguards when processing and handling this data.

It’s not always easy for health organizations to find their way through the maze of data protection obligations. This is particularly true in the case of clinical trials. Sponsors and investigators are confronted with the interplay between the Clinical Trials Regulation (CTR, Regulation (EU) No 536/2014, whose application was still pending at the time of writing) and the GDPR, which raises a number of important questions related to the adequate legal basis, informed consent and its withdrawal, the information given to data subjects, transfers, and secondary uses.

Health organizations must also pay special attention to which third parties they give access to sensitive data that falls under the GDPR, because they have to ensure that the data is not compromised anywhere along the chain of suppliers, service providers and other parties that handle it. Any vendor that processes the data on the organization’s behalf must be bound by a contract meeting the requirements of Article 28 of the GDPR, and the organization remains responsible for what that vendor does with the data.

The GDPR And US Healthcare Organizations

Healthcare organizations in the US should already be familiar and compliant with the Health Insurance Portability And Accountability Act (HIPAA). HIPAA was enacted in 1996, and its Privacy and Security Rules govern protected health information (PHI) held by covered entities and their business associates. However, the GDPR goes a step further: it is broader in scope, and it was drafted with modern technological advancements and modern trends in data management in mind.

As such, non-EU companies based in the US should be particularly cautious not to assume that being compliant with HIPAA means that they’re compliant with the GDPR. Although the two are similar, especially as concerns the stringent security measures that govern the processing of health data, there remain numerous gaps between HIPAA and the GDPR: the scope of the personal data definition (the GDPR covers all personal data, not only PHI held by covered entities), data retention obligations, explicit consent requirements, and data breach notification deadlines (72 hours to the supervisory authority under Article 33 of the GDPR, versus up to 60 days from discovery under HIPAA), among others.

Non-EU Health Organizations And The GDPR: Two Specific Attention Points

If you are a non-EU company handling the health data of individuals in the EU, there are a couple of things that you need to be particularly watchful of.

First, you will probably have to appoint a GDPR EU representative. Article 27 requires a representative from any non-EU controller or processor within the scope of Article 3(2), with a narrow exemption for occasional, low-risk processing that does not involve large-scale processing of special categories of data. If you process sensitive data, for example when you conduct clinical trials in Europe or clinical trials that include the personal data of individuals in Europe, you will therefore need to appoint an EU representative to act as your point of contact in the EU. Your GDPR EU representative will assist you with the handling of data subject requests from individuals in the EU and requests from the EU data protection authorities, and will also keep a copy of your record of processing activities. Make sure to choose a GDPR EU representative who will keep your record in a highly secure place and who will also be able to assist you with data breach notifications to the EU data protection authorities.

It’s important to remember that your GDPR EU representative must be designated in writing and must be established in one of the member states where your data subjects are located. If you process personal data of individuals who are located in more than one EU country, you only need to appoint one GDPR EU representative and you can choose to appoint the representative in any one of those EU countries.

Secondly, don’t confuse the GDPR EU representative with other types of representatives. A very common mistake made by US companies in the health industry when appointing an EU representative is assuming that the GDPR EU representative, appointed pursuant to Article 27 of the GDPR, is the same as the legal representative required under Article 74 of Regulation (EU) No 536/2014 (the Clinical Trials Regulation) for sponsors not established in the EU. That’s incorrect. They are two different representatives with two different roles. Also, the GDPR EU representative is not the same as a data protection officer (DPO). It’s not possible to appoint your DPO as your GDPR EU representative, because the two roles are not compatible. So make sure that you have appointed the right representative(s) for the right purpose(s) in order to avoid facing heavy penalties: failing to appoint a representative falls under Article 83(4) of the GDPR, with fines of up to EUR 10 million or 2% of worldwide annual turnover, whichever is higher.


Need help or want more information? Contact EDPO at www.edpo.com