What do healthcare organisations need to consider when preparing for GDPR?

As we know, the new rules brought in by the GDPR will reinforce current legislation with the addition of some new requirements. Any organisation, including those in the healthcare sector, that controls or processes personally identifiable data will need to comply with the GDPR.

As well as a general definition for personally identifiable data, there are three special references to data concerning health in the new regulation:

  • “Data concerning health” is defined by the GDPR as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
  • “Genetic data” is defined by the GDPR as “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  • Finally, “Biometric data” is “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

These data concerning health will be subject to a higher standard of protection than personal data in general. The processing of these three forms of health data is prohibited unless one of several conditions applies.

These health-specific conditions are as follows:

  • The data subject must have given “explicit consent” to the processing.
  • “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services[… ].”
  • “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices [… ].”

Importantly, the requirement that processing be proven to be ‘necessary’ is a key condition and can be subject to legal interpretation.

What are the main challenges facing healthcare organisations/providers as they get ready to comply with the new regulations and how can they overcome them?

There are a number of challenges which to many may seem daunting. These include breach reporting, preparing staff, an approaching deadline and reviewing the processes currently in place. However, the GDPR doesn’t pose a threat if healthcare organisations and providers act now.

Staff training needs to be a focus so that employees understand the effect the GDPR will have on their role, and so that they are confident and knowledgeable about it. It also gives organisations the chance to update or implement new processes that will not only help them comply with the new legislation, but can also have additional benefits such as improving efficiency.

Teams should also look to undertake an assessment of the impact of the anticipated processing activities on personal data. These Data Protection Impact Assessments (DPIAs) could, for example, identify security risks which could be alleviated or eliminated through training or software.

Organisations also need to ensure that plans are in place to effectively deal with breaches and to report them appropriately, ensuring all parties are notified within the 72-hour time frame.

Will GDPR improve the relationship between healthcare organisations/providers and their customers?

The GDPR will almost certainly lead to improved relationships between healthcare organisations and their customers. This is largely due to the confidence customers will now have knowing that their personal information is secure and that it can be easily accessed by themselves if required.

Customers will be assured that organisations only hold their personal information if they have permitted them to do so and it can only be used in the ways they have specifically outlined. However, organisations and providers need to ensure that they are always transparent as situations such as failure to alert a customer to a data breach or misuse of customer information will damage relationships.

Using the data to your advantage

Although many may view the GDPR as a box ticking exercise, those who see it as an opportunity will be able to utilise the aspects required for compliance to their advantage. This includes information being up-to-date and accurate, easily identified, stored for no longer than required and being protected from loss, damage and unauthorised or unlawful processing.

Whilst in the short term collecting information could prove trickier, due to the consent issue with the change from ‘opt out’ to ‘opt in’, firms will find that having a database that is up-to-date and streamlined, with individuals happy for their details to be held, means that communication efforts can be more targeted as well as being met by a more engaged audience.

Overall, the GDPR must be seen as an opportunity for organisations in the healthcare profession, as it will provide them with a number of benefits that I have touched on already: greater customer satisfaction, improved processes, a greater understanding of your data and help in avoiding serious fines. With the deadline looming, it’s important to act now to be ready for the new law.

By Kristina Russell, Sales Manager, Kefron
