The document discusses the key aspects of implementing the General Data Protection Regulation (GDPR) for organizations in the health sector. It covers definitions of important terms like genetic data and biometric data. It also summarizes the GDPR's data protection principles, lawful bases for processing personal data and special categories of personal data, individual rights for data subjects, and contractual requirements for data processors.
1. Join in the conversation #GenerationGDPR Connect with our experts | LinkedIn
How to implement GDPR for
the health sector
Connect with Dmitrije
dmitrije.sirovica@brownejacobson.com
+44 (0)115 976 6238
Connect with Gerard
gerard.hanratty@brownejacobson.com
+44 (0)330 045 2159
Follow our showcase page for news, legal updates, real opinions and training: https://www.linkedin.com/company/health-and-social-care
GDPR
• key definitions
• legal grounds for processing
• guidance and tips
• questions
What is the GDPR?
• nine substantive chapters, including specific data processing provisions on health
• GDPR applies from 25 May 2018
• creates a level-ish playing field across the EU
• new elements contain measures that:
– harmonise data protection procedures and enforcement across the EU
– achieve consistency with the existing system for ensuring privacy online
Structure of the GDPR
The nine chapters cover:
• General Provisions
• Data protection principles
• Rights of the data subject
• Obligations on controllers and processors
• Transfer of personal data to third countries
• Status, duties and powers of national supervisory authorities
• Co-operation and consistency between member states
• Remedies, liabilities and sanctions
• Provisions relating to specific data processing situations (including health)
Similarities
Broad principles remain:
• lawful basis
• fairness
• purpose limitation
• data minimisation
• accuracy
• retention
• rights
• security
• cross-border transfers
What is new?
• accountability and demonstrating compliance
• enhanced transparency and fair processing requirements
• requirement for a Data Protection Officer (DPO) for all public authorities
• stricter consent requirements
• mandatory breach reporting: to the ICO within 72 hours of becoming aware (unless the breach is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk to individuals, to the data subjects themselves
• significant increase in sanctions
• direct liability for data processors
• Data Protection Impact Assessments, and requirements of privacy by design and by default
• records of processing
Genetic data
“Personal data relating to the inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person and which result, in particular, from an analysis of a biological sample from the person in question”
Biometric data
“Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data”
Data concerning health
“Personal data related to the physical or mental health of a person, including the provision of health care services, which reveal information about his or her health status”
Data protection principles
Personal data must be:
• lawfully, fairly and transparently processed
– fair processing or privacy notice
– being clear
• collected for specified, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes
– why are you processing?
– what is the purpose?
• adequate, relevant and limited to what is necessary in relation to the purpose(s)
– data minimisation: only keep what you need
• accurate and, where necessary, kept up to date
– reasonable steps should be taken to erase or rectify inaccurate data without delay
• only kept for as long as is necessary for the purpose
• processed using appropriate technical and organisational measures
– data security
Lawful basis for processing personal data (Article 6(1))
a) consent of the data subject (must be a clear affirmative act)
b) processing is necessary for the performance of a contract with the data subject, or to take steps at the data subject’s request before entering into a contract
c) processing is necessary for compliance with a legal obligation to which the controller is subject
d) processing is necessary to protect the vital interests of the data subject or another person
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f) processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (does not apply to processing carried out by public authorities in the performance of their tasks)
Lawful basis for processing special category personal data (Article 9(2))
a) explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
b) processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
c) processing is necessary to protect the vital interests of the data subject or another individual where the data subject is physically or legally incapable of giving consent
d) processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
e) processing relates to personal data manifestly made public by the data subject
f) processing is necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity
g) processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
h) processing is necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, on the basis of Union or Member State law or a contract with a health professional (under Article 9(3) the data must be processed by, or under the responsibility of, a professional subject to an obligation of professional secrecy)
i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law providing suitable safeguards
j) processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1)
Consent
“any freely given, specific, informed and unambiguous indication of the data
subject’s wishes by which he or she, by a statement or by a clear affirmative
action, signifies agreement to the processing of personal data relating to him or
her”
Conditions for Consent (Article 7)
• the controller must be able to demonstrate that the data subject has consented
• where consent is given in a written declaration which also concerns other matters, the request for consent must be clearly distinguishable from those other matters, in an intelligible and easily accessible form, using clear and plain language
• the data subject has the right to withdraw consent at any time, and withdrawal must be as easy as giving consent
• consent is not regarded as freely given if the data subject has no genuine or free choice, or is unable to refuse or withdraw consent without detriment
Individuals’ rights
1. Right to information
– fair processing notice
2. Subject access rights
– free (a reasonable fee may be charged only for manifestly unfounded, excessive or repeat requests)
– one month to comply (extendable by two further months where requests are complex or numerous)
3. Right to rectification
– data accuracy
4. Right to be forgotten
– right to erasure in certain circumstances
5. Right to restrict processing
6. Right to data portability
– ability to move data
7. Right to object
– to processing on certain grounds, including direct marketing and processing based on a public task or legitimate interests
8. Rights in relation to automated decision making and profiling
Contractual requirements
Contracts between data controllers and data processors (Article 28) must include:
• subject matter and duration of processing
• nature and purpose of processing
• type of personal data and categories of data subject
• obligations and rights of the controller
Processors must:
• act only on documented (written) instructions of the controller
• ensure that people processing the data are subject to a duty of confidence
• take appropriate technical and organisational measures to ensure the security of processing
• only engage a sub-processor with the prior written authorisation of the controller and under a written contract imposing the same data protection obligations on the sub-processor
• assist the controller in responding to subject access requests and in allowing data subjects to exercise their rights under the GDPR
• assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of personal data breaches and data protection impact assessments
• delete or return all personal data to the controller, at the controller’s choice, at the end of the contract, and delete existing copies unless EU or member state law requires them to be kept
• make available to the controller all information necessary to demonstrate that both parties are meeting their Article 28 obligations, and allow for and contribute to audits and inspections
• tell the controller immediately if, in the processor’s opinion, an instruction infringes the GDPR or other data protection law of the EU or a member state