With just over half a year to go before the General Data Protection Regulation comes into effect, Ioanna Michalopoulou, Managing Partner at Michalopoulou & Associates, answers some questions about the forthcoming regulation.
What are the implications of the GDPR for the healthcare industry?
The General Data Protection Regulation (GDPR) introduces a new data protection map for the healthcare industry. Healthcare providers, pharmaceutical and medical device companies, contract research organizations, health insurance companies and their contracting parties are obliged to comply with the new requirements and adopt new technical and organizational measures. Fines for non-compliance are set to be as high as to 4% of their previous year’s global annual turnover. Furthermore, businesses acting as controllers are required to conduct a data protection impact assessment to evaluate individual rights risks from data processing operations. Businesses established outside the EU will be also subject to GDPR rules if they process personal data of EU-based individuals and offer goods or services to individuals within the EU or monitor the behavior of data subjects within the EU.
You mentioned new measures should be adopted. Could you elaborate?
Data controllers will introduce data protection by design and by default into their processing systems, for example data minimization. As of May 25, 2018, each service or business process that makes use of personal data must take its protection into consideration. Privacy by default means that the strictest privacy settings apply automatically once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. Pseudonymization could be another measure as well.
The difference between anonymous and pseudonymous data often confuses many life sciences stakeholders. When do the GDPR requirements apply?
From my 20 years’ experience in health law, I must admit that anonymous data is the optimum common practice in the life sciences industry, especially in the context of clinical trials. According to the GDPR, the data protection principles apply to any information concerning an identified or identifiable individual. Personal data that have undergone pseudonymization but which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. As a result, pseudonymous data will be handled as personal data and be subject to GDPR provisions. Anonymous data that cannot be attributed to an individual are not considered as personal data.
How does the empowerment of data subjects affect health companies?
The GDPR establishes new rights, such as the right to be forgotten and the right to portability. The right to be forgotten means that a subject, for example a trial participant, can at any time request that all their data be deleted “without undue delay.” The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
The GDPR mandates the appointment of Data Protection Officers (DPO). What will their role be in the healthcare industry?
DPOs will play a key role in the coming healthcare scene. Data controllers and data processors in the healthcare sector must designate a DPO and provide them with all necessary resources as part of their accountability programs. The DPO’s tasks include providing information and advice, monitoring compliance with the GDPR, and cooperating with the Supervisory Authority. With just over half a year to go before the General Data Protection Regulation comes into effect, Ioanna Michalopoulou, Managing Partner at Michalopoulou & Associates, answers some questions about the forthcoming regulation.
The article under the title “GDPR: Revolutionary Changes for the Healthcare Industry” by Mrs Ioanna Michalopoulou was published in the September-October 2017 issue of the magazine “Business Partners” of the American-Hellenic Chamber of Commerce.