In January 2016, we held a Legal SIG (special interest group) at the London HQ of Olswang. Speakers included Juma El-Awaisi of Braci, Ross McKean of Olswang and Ken Munro of Pen Test Partners. Ken's presentation was interactive so slides are coming soon!
11. People with hearing aids
Hearing-aid users have to remove the device when:
• Going to bed
• Taking a shower
12. Competitors

                         Bellman        Puzzle Detect   Braci
Price                    £1,600         £640            £40
Number of sounds         Max 5 sounds   Max 5 sounds    +20 sounds
Wearable notifications   NO             NO              YES
Installation required    Yes            Yes             NO
International emergency  NO             NO              YES
13. Business model
Revenue streams:
• Braci app
• Other forms of notifications
• Licensing of the algorithm
Strategy (customer groups):
• Individuals
• Organisations
• Manufacturers
14. Business model: customer segments
Individuals:
• Deaf & hard of hearing
• People who snore
• Parents
• Cyclists
Organisations:
• Universities
• Deaf centres
• Hotels
• City councils
Manufacturers:
• Car manufacturers
• Smartphone manufacturers
• Other manufacturers
21. Connected Healthcare: data protection issues in the context of wearables
Ross McKean, Partner, Olswang LLP
28 January 2016
22. Happy Data Protection Day!
2 February, 2016

23. Agenda
• Why all the fuss about GDPR?
• How does GDPR address health data?
• Implications for wearables and connected health
• Takeaways
24. The small print
• The text of GDPR may change before its formal publication in the EU Official Journal this
summer (though only minor formatting changes are expected). This presentation is
based on the latest public version of the text available here.
• GDPR is the output of 4 years of intense lobbying and negotiation in Brussels and is full
of vague text and derogations allowing Member States to “gold plate”. There is currently
no guidance or jurisprudence considering the practical application of GDPR.
Organisations processing health data should therefore keep a watching brief as best
practice develops and guidance is issued – and monitor Member State laws which are
passed or retained concerning health data.
25. What is GDPR?
• Europe's new General Data Protection Regulation
• (Nearly) final text agreed in December following a marathon 4 year negotiation
• Expected to be published in the Official Journal in May / June this year and to come into force in mid 2018 simultaneously in all 28 Member States
• Will replace the current Directive 95/46/EC and the domestic laws implementing the Directive
• Completely changes the game for data governance
• Fines of up to 4% of annual worldwide turnover for failing to comply with the new requirements
• Applies to more data (wider definition of personal data) and to more organisations (processors are now caught directly, and the applicable law test is wider)
• Enhanced rights for individuals
• Tighter rules for valid consent
• EU-wide data breach notification requirement
• Extra paperwork
• Extra compliance costs, including the need to appoint a DPO (mandatory where an organisation's core activities involve large-scale processing of special categories of data such as health data)
26. How does GDPR address health data?
• New definitions of "genetic data", "biometric data" and "data concerning health".
• All treated as special categories of data subject to additional protections (Article 9).
• Member States retain the right to "gold plate" GDPR requirements for these data categories (Article 9(5)).
• Controllers require a lawful ground to process, broadly the same as under the Directive. Note that an Article 9 condition is needed on top of an ordinary lawful basis for processing; it does not replace it.
Lawful grounds for processing special category data (Article 9), as relevant to connected health:
• explicit consent; or
• necessary for [providing medical care]; or
• necessary for reasons of public interest in the area of public health [e.g. protecting against epidemics]; or
• necessary for scientific and historical research purposes or statistical purposes, based on law which shall be proportionate to the aim pursued, respect data protection rights and safeguard fundamental rights [the "scientific research" ground]
27. Implications for wearables and connected health
• Consenting challenges: consent is still the gold standard for lawful processing, but wearables with a small or no GUI make it hard to capture, and GDPR sets a higher standard for valid consent. Contrast the consent mechanic for a clinical trial with consenting on app download.
• Purpose limitation challenges: the much stricter proposals were dropped. Further processing for scientific purposes is permitted so long as the framework of safeguards around scientific research is complied with. A significant "win" for the scientific research community.
New safeguards:
• Requirement for "data protection by design and by default", e.g. data minimisation and anonymisation (the Regulation itself gives pseudonymisation as its example measure; data that is properly anonymised falls outside the Regulation altogether, which is why minimisation matters).
• Mandatory data protection impact assessments for higher risk processing (limited exemptions).
More paperwork required:
• New rules for processor contract terms, policies and comprehensive record keeping.
New rights for individuals, though with some exceptions where processing is for scientific research.
28. Takeaways
• GDPR has largely been welcomed by the scientific community, though partly on the basis that it could have been much worse.
• Connected health use cases using wearables and mobile applications are still feasible under GDPR, but with the scale of fines proposed, full compliance is a must.
• This is a particular challenge for many of the smaller innovators in eHealth and mHealth who do not have the same resources as large pharma and healthcare providers.
• Review current processing practices and supply chain.
• Justify and plan for transparency and consent.
• Keep data to an absolute minimum; never collect personal data where anonymised or pseudonymised data will suffice.
• Focus on your supply chain: you need to ensure end to end compliance.
• Assume a data breach is going to happen, regularly, and build incident response teams and governance now. Test them. GDPR gives a controller 72 hours from becoming aware of a breach to notify the supervisory authority, so the process has to exist and have been rehearsed before the breach occurs.
29. Thank you for listening
Olswang: Changing Business.
www.olswang.com
Ross McKean / Partner / Head of Data Protection
+44 (0)20 7067 3378
ross.mckean@olswang.com

Offices:
Brussels +32 2 647 4772
London +44 20 7067 3000
Madrid +34 91 187 1920
Munich +49 89 206 028 400
Singapore +65 6720 8278
Paris +33 17 091 8720
Thames Valley +44 20 7071 7300