EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.
2. Leaders in Compliance Consulting and Enterprise Quality Management Software
• EMMA International Consulting Group, Inc. is a global leader in management consulting services, with headquarters in Farmington Hills, MI, as well as offices in Grand Rapids, MI, FL, PA, and Beirut, Lebanon. We focus on quality, regulatory, and compliance services for the medical device industries.
3. Data, Data, Data, Data, …
• 1992 – 100 GB of data generated per day
• 1997 – 100 GB of data generated per hour
• 2002 – 100 GB of data generated per second
• 2018 – 50,000 GB of data generated per second
90% of all the data in the world today has been created in the past few years.
4. Data, Data, Data, Data, …
[Infographic: “This is what happens in an Internet minute”, 2018]
5. Data, Data, Data and Data
According to the 2017 Ponemon Institute Study, what is the cost of a data breach in the healthcare industry?
A. $2.2 Billion
B. $3.6 Billion
C. $4.0 Billion
D. $6.2 Billion
The Answer is D
6. Healthcare Data Breaches are Costly…
• When a healthcare organization experiences a breach, forensics costs add up to $610,000.
• Breach notification costs $560,000 on average.
• Costs affiliated with lawsuits average $880,000.
• For each data breach, healthcare organizations average $3.7 million in lost revenue.
• Healthcare organizations average $500,000 in lost brand value after a breach.
• The average HIPAA settlement fine is approximately $1.1 million.
• Post-breach cleanup costs average $440,000.
7. Healthcare Data Breaches in Q3: 2018
• The first three months of 2018 have seen 77 healthcare data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).
• Those breaches have impacted more than one million patients and health plan members.
• Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.
• Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen, compared to 520,141 individuals in Q4, 2017.
8. What will we cover today?
• What is personal data – and why it’s important to us
• What is Data Protection
• GDPR - what’s changing and what it’s all about
• GDPR Principles
• Who this will affect
• How to be ready
• What support is available
10. What is Personal Data?
• Personal data is defined as:
• Any information about a living individual which is capable of identifying that individual.
• Sensitive personal data is defined as:
• Any information relating to an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, alleged or actual criminal activity and criminal record.
Under GDPR, sensitive personal data is referred to as “special categories of personal data”.
12. What is Personal Data?
Special Categories:
Race / Ethnic origin
Political opinions
Religious or similar beliefs
Trade union membership
Physical / Mental health
Sexual life
Alleged / Actual offences / Information
13. What is Data Protection?
Data Protection is about avoiding harm to individuals by misusing or mismanaging their personal data.
So if you collect, use, or store personal data, then the Data Protection Act applies to you. It sets out eight principles you have to adhere to, which include:
• Only collect information for specific purposes and don’t then use it for other purposes
• Only collect what you need for the specific purpose
• Keep it accurate and up to date; and safe and secure
• Process information lawfully and allow subject access in line with the Act.
14. What is GDPR?
It is the General Data Protection Regulation, which supersedes the Data Protection Act on 25th May 2018. The key changes from the current law are to strengthen the rights of individuals and place more obligations on organisations in looking after personal data.
In order to comply with the new law:
• You must have a legitimate reason for processing data – this will cover much of the processing we undertake (see later slide)
• Consent must be freely and unambiguously given and can be just as easily withdrawn
• Data processing activities must start with “privacy by design and default”.
15. What is GDPR?... continued
• Subject Access Requests – will include how you process and share data, not just what you hold, and you’ll have less time to respond
• Subjects can request data deletion – “the right to be forgotten”, though only in certain circumstances
• There will be mandatory breach reporting
• Data processors will be held liable
• You must be able to demonstrate compliance with GDPR
• While the ICO says it is a last resort, the potential fines are much greater than at present – up to 4% of annual global turnover or €20m
• And finally – it’s happening regardless of Brexit!
16. Why the GDPR?
• We care – we are responsible for handling people’s most personal information
• This is an opportunity to make privacy central to what we do
• By not handling personal data properly we could put individuals at risk and the company / organization reputation at stake
• Getting it wrong could result in significant fines
• We need robust systems and processes in place to make sure we use personal information properly and comply
17. Who does this affect?
• All of us – we all have a responsibility to keep people’s information safe; the main industries are healthcare, banking and educational organizations
• Particularly those involved in:
• Human Resources
• Research & Development
• Research involving personal data and/or human participants
• Finance
• Information Technology
19. GDPR Principles
• Lawfulness, fairness and transparency – as with Data Protection
• Purpose limitation – only collect for specific purposes and then don’t use it for other purposes
• Data minimisation – only collect the data you need for the purpose you are using it
• Accuracy – as now, keep it up to date!
• Storage limitation – don’t keep it for longer than you need to fulfil the purpose
• Integrity and confidentiality – keep it safe and secure, e.g. encrypted if on a laptop or mobile phone.
• Accountability – you must be able to prove you have complied with the above.
20. GDPR Principles
Examples of Processing
Staff management and payroll administration
Access to/consultation of a contacts database containing personal data
Sending promotional emails
Shredding documents containing personal data
Posting a photo of a person on a website
Storing IP addresses or MAC addresses
Video recording (CCTV)
21. GDPR Principles
Subjects’ rights
Confirmation of processing
Purposes of processing
Rectification
Erasure (Right to be forgotten)
Restriction of processing
Portability
Access to data
26. Preparation for GDPR
1. Audit Data Usage
Legal Basis for processing personal data:
Legal obligation
Contract
Consent
Vital interests (of data subject)
Necessary in public interest
Legitimate interests (of the Controller)
27. Preparation for GDPR
1. Audit Data Usage
Data Security:
Of paper records
Physical access to data
Locks / doors
Security guards
Etc.
Technological security
Firewall
Anti-virus
Software updates
Etc.
28. Preparation for GDPR
1. Audit Data Usage
Data Security:
Data protection policy
IT Security policy
Breach procedure / Log
Subject access request procedure
Privacy notice(s) / collection notices (mandatory)
Training programme and log
Data protection impact assessments (mandatory)
29. Preparation for GDPR
1. Audit Data Usage
Data Security: Check your contracts with data processors
Contracts include data protection clauses
Compliance with GDPR
Security is up-to-date / in place
Procedures and policies are to your satisfaction
Will alert you to problems
Right to audit?
30. Preparation for GDPR
2. Data Protection Officer
Do you need one?
Public authority or body
Large scale processing operations which by their nature require regular and systematic monitoring of data subjects
Core activities involve large scale processing of special categories of personal data and data relating to criminal convictions and offences
The Role:
To be involved in issues relating to the protection of personal data
Expert knowledge of data protection
Must not be instructed
31. Preparation for GDPR
2. Data Protection Officer
Important Notes
It’s all important!
Security –
IT / technology
Physical
Basis for processing
Data protection impact assessments
Breach notifications
Subject access requests
Register with the ICO (Information Commissioner)
34. Preparation for GDPR
4. Consenting Process
“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
Consent
must be freely given, specific, informed and unambiguous;
is given by a statement or a clear affirmative action;
cannot be inferred from silence, pre-ticked boxes or inactivity;
can be withdrawn, and it must be easy to do so
Processing of sensitive personal data requires “explicit consent”
Records must be kept of how and when consent was given
35. Preparation for GDPR
5. Demonstrating Accountability
Internal policies and procedures (data protection / retention policy; security and data breach; data subject rights)
External privacy notice(s)
Internal compliance measures and external controls
Maintain records of data processing activities
Steps when engaging data processors
Undertake regular staff training
Review and update policies and procedures on ongoing basis
Internal audit of processing activities
Appoint a Data Protection Officer (DPO), where appropriate.
Data Protection Impact Assessments, where appropriate
Data protection by design and by default
36. Preparation for GDPR
6. Data Breach Reporting
Personal data breach – a security breach leading to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Data controller must notify a personal data breach to the supervisory authority (DPC) within 72 hours of becoming aware of it.
If notified later, must give reasons for the delay.
Notification requires certain minimum information.
In “high-risk” cases may have to inform affected individuals.
Notification not required where the breach is unlikely to result in a risk to the rights of individuals.
Data controller must document any personal data breach, including the facts, its effects and remedial action taken.
38. Key GDPR Take Away
Requires a shift in culture and mindset about people’s data privacy
It’s principles-based and risk-based
Collecting, using and securing personal data has a cost
Individuals have more control, with new and enhanced rights
Privacy notices need more information and must be clear and concise
Processing requires a legal basis and must comply with the 6 principles
Data controllers must be able to demonstrate their accountability
Review how you get, record and manage consent
Data processor contracts and liability issues
Decide if a DPO is required, and document this. At minimum, appoint a lead.
Be aware of increased regulatory sanctions and powers.
Review your IT systems and security
Everyone needs a data breach plan
39. Thank You
For further information, please do not hesitate to contact us
Joseph.Yammine@emmainternational.com
40. Farmington Hills, MI:
Headquarters
27600 Farmington Rd., Suite 100
Farmington Hills, MI 48334
Phone (248) 987-4497
York, PA:
320 Busser Road, Suite 200
Emigsville, PA 17318
Phone (717) 429-6875
Clearwater, FL:
28870 US HWY 19 North,
Suite 300
Clearwater, FL 33761
Phone (727) 614-8851
Lebanon
7TH Floor, Le Mall Building,
Dbayeh Highway, Northern Metn,
Lebanon
Grand Rapids, MI:
250 Monroe NW Suite 400
Grand Rapids, MI 49503
(616) 219-0510
Editor's Notes
A Quick reminder - What is personal data?
This often causes confusion – often people think it is simply a name and address.
The law defines personal data as - Any information about a living individual which is capable of identifying that individual.
The law additionally defines an extra data set which need more and better protection - Sensitive personal data
And that is - Any information relating to an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, alleged or actual criminal activity and criminal record.
It doesn’t matter if that data is already in the public domain – you still have to comply with the DPA in the way in which you collect, use and store it.
GDPR stretches this further and for example says that an IP address can be personal data – for the less technical among us (and that includes me) an IP address is Internet Protocol address and it is used to identify computers communicating via the internet. So if you’ve ever wondered why the ads around web pages you view are so closely related to what you recently searched for (a new sofa, flights to Italy….). Of course they may be related to what another family member has been searching for….
In summary – the definition is far broader than “name and address”.
Name and surname
Home address
Email address such as name.surname@company.com
Identification card number
Location data (i.e., the location data function on a mobile #)
Internet Protocol (IP) address: 10.10.103.456
Cookie ID*
The advertising identifier of your phone
Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
So, a quick re-cap of the Data Protection Act –
Data Protection is about preventing harm to individuals by misusing or failing to look after their personal data. It applies to ALL organisations in the UK through the Data Protection Act (DPA).
So, if you collect, use, store personal data then the law applies to you.
There are eight governing principles but I have summarised them here as:
Only collect personal data for specific purposes and then only use it for those purposes.
Collect just the data you need for the purpose and keep it accurate and up to date; and don’t keep it for longer than is necessary for the completion of the purpose for which it was collected.
You will need consent from data subjects to process their data.
You will also have to register with the Information Commissioner’s Office (ICO) as a data controller – whether you know it or not, you already have! Typically dioceses have registered in the name of the DBF; Bishops in the name of the Bishop in his or her corporate capacity; and Cathedrals, the Dean and Chapter. This is a public register – you can search it via the ICO.
Keep the data securely, whether paper or electronic. Avoid storing it outside the European Economic Area – this might be an issue if your electronic data is in the cloud.
Finally, be aware of the rights of subjects to access certain data you hold about them through a Subject Access Request (SAR). Note that this does NOT necessarily mean that they can see everything you hold about them – seek advice from your registrar whenever you get a SAR.
The GDPR is the most significant overhaul of data protection law in 20 years.
The GDPR replaces the Data Protection Directive (Directive 95/46/EC) and thus the DPA 1998 and subordinate legislation under it.
The GDPR came into force on 24 May 2016. However, due to its two-year implementation period, the GDPR will only be applicable from 25 May 2018.
Builds on existing data protection rules and principles, with significant changes:
- increased compliance obligations for businesses and organisations
- new and enhanced rights for individuals
- increased regulatory powers and sanctions
- privacy by design and default
173 Recitals (not having force of law)
11 Chapters
99 Articles (having full force of law)
Human Resources: All function including screening, recruitment, employment, healthcare management, assessment, personnel, etc.
The law requires that in certain circumstances organisations must have a named Data Protection Officer (DPO). One of these is where there is large scale processing of “special categories of personal data”.
The DPO has an education and compliance role regarding GDPR and is the first point of contact for the wider world. They must report to a senior level in the organisation and be independent – so similar to Internal Audit.
First of all don’t panic!
If you are complying with the Data Protection Act then you are well on the way to GDPR compliance – few steps are needed!
Secondly, dust off your departmental Information Directory (which was compiled a few years ago). It lists all the sensitive and confidential data you hold; check that it is up to date.
The Records Management team will be in touch in the new year to start working through what you and your team will need to do to prepare for GDPR compliance.