A procrastinator’s guide to GDPR in healthcare


Arguably, not since Y2K has there been such a time-centric frenzy about data risk and liability as we’re seeing with the start date for GDPR in Europe on May 25th.

For those unfamiliar with the alphabet soup of the European Community, the General Data Protection Regulation (GDPR) is a directive designed to harmonize data privacy laws across Europe. Because data migrates so easily across borders, what at first blush might appear to be a purely European directive in fact has serious implications for American (and other non-EU) firms that hold data files on customers and employees in the EU.

For readers in healthcare, GDPR adds an order of magnitude of complexity to an already complex set of rules on patient data privacy, addressed in the United States by HIPAA and other regulations. With many US-based healthcare providers expanding internationally, the data implications are compounded.

So, what do companies need to know about buttoning down personal data to make it GDPR compliant? There are three main areas on which to focus:

Consent. The opt-in process is incredibly uneven across all industries, and the new directive aims to make it crystal clear to the target (also known as the “data subject”) what they are opting in for and what data about themselves will be used when they do. The opt-in must be physically initiated by the subject, and default opt-ins are no longer permitted. The ability to opt out or unsubscribe must be much clearer, rather than the laborious process that many data companies require just to halt email blasts.

Burden of Responsibility. The blame can no longer be shifted to data service providers, as many firms did in the past. If your data technology partners are not compliant, neither are you. One must be careful to separate the technology the supplier uses from the actual data that you populate into that system: illegally collected data in a compliant platform is still illegal data. These platforms include data stored in the cloud, so it is best to communicate directly with all suppliers, no matter how inconsequential the data may seem.

Security. Just as important as compliant data, the directive puts teeth into how security breaches are handled and into what happens once you become aware of them. Ignorance of a breach will not be a valid excuse under the GDPR. Additionally, breach notification must be provided to data subjects no more than 72 hours after the breach has been discovered by your organization. This means that, in addition to having cybersecurity strategies, your firm must have communications strategies ready to go that can be executed within three days of a breach. Experience tells me that these public communications strategies can be more complex than the technologies causing the problems. Developing consistent talking points from the receptionist’s desk to the board room will become the norm given this aggressive public notice requirement.

The GDPR is far reaching and requires careful scrutiny by any company doing business in Europe, but focusing on these three areas is key as the May 25 deadline bears down on us.


  1. There are a lot of questions under this law.
