EMMA’s EMEA Regional Director Joseph Yammine explains how the EU’s General Data Protection Regulation applies to the Health Care Industry and how you can prepare your team to follow the regulation and avoid any data breaches.

1. www.emmainternational.com
GDPR in
Healthcare Industry
Need, Strategy, Implementation and
continuous monitoring
Joseph Yammine, EMEA Director
Joseph.Yammine@emmainternational.com

2. Leaders in Compliance
Consulting and
Enterprise Quality
Management Software
• EMMA International Consulting Group, Inc. is a global leader in
management consulting services, with headquarters in
Farmington Hills, MI, as well as offices in Grand Rapids, MI, FL,
PA, and Beirut, Lebanon. We focus on quality, regulatory, and
compliance services for the medical device industries.

3. Data, Data, Data, Data, …
• 1992 – 100 GB of data generated on daily basis
• 1997 – 100 GB of data generated on hourly basis
• 2002 – 100 GB of data generated on per second basis
• 2018 – 50,000 GB per second
90% of all the data in the world today has been created in the
past few years

4. Data, Data, Data, Data, …
2018
This is what happens in an
INTERNET MINUTE

5. Data, Data, Data and Data
According to the 2017 Ponemon Institute Study, What Is the Cost
of a Data Breach in the Healthcare Industry?
A. $2.2 Billion
B. $3.6 Billion
C. $4.0 Billion
D. $6.2 Billion
The Answer is D

6. Healthcare Data Breaches are Costly…
• When a healthcare organization experiences a breach, forensics costs
added up to $610,000.
• Breach notification costs $560,000 on average.
• Costs affiliated with lawsuits average $880,000.
• For each data breach, healthcare organizations average $3.7 million
in lost revenue.
• Healthcare organizations average $500,000 in lost brand value after
a breach.
• The average HIPAA settlement fine is approximately $1.1 million.
• Post-breach cleanup costs average $440,000.

7. Healthcare Data Breaches in Q3: 2018
• The first three months of 2018 have seen 77 healthcare data
breaches reported to the Department of Health and Human
Services’ Office for Civil Rights (OCR).
• Those breaches have impacted more than one million patients
and health plan members
• Almost twice the number of individuals that were impacted by healthcare data breaches in Q4, 2017.
• Between January 1 and March 31, 2018, 1,073,766 individuals had their PHI exposed, viewed, or stolen
compared to 520,141 individuals in Q4, 2017.

8. What we will cover today?
• What is personal data – and why it’s important for us
• What is Data Protection
• GDPR - what’s changing and what it’s all about
• GDPR Principles
• Who this will affect
• How to be ready
• What support is available

9. What we will cover today?

10. What is Personal Data?
• Personal data is defined as:
• Any information about a living individual which is capable of identifying
that individual.
• Sensitive personal data is defined as:
• Any information relating to an individual's racial or ethnic origin, political
opinions, religious beliefs, trade union membership, physical or mental health
or condition, sexual life, alleged or actual criminal activity and criminal
record.
Under GDPR sensitive personal data is referred to as “special categories of personal data”)

11. What is Personal Data?

12. What is Personal Data?
 Special Categories:
 Race / Ethnic origin
 Political opinions
 Religious or similar beliefs
 Union
 Physical / Mental health
 Sexual life
 Alleged / Actual offences / Information

13. What is Data Protection?
Data Protection is about avoiding harm to individuals by misusing or
mismanaging their personal data.
So if you collect, use, or store personal data then the Data Protection
Act applies to you. It sets out eight principles you have to adhere to,
which include:
• Only collect information for specific purposes and don’t then use it for other
purposes
• Only collect what you need for the specific purpose
• Keep it accurate and up to date; and safe and secure
• Process information lawfully and allow subject access in line with the Act.

14. What is GDPR?
It is the General Data Protection Regulation, which
supersedes the Data Protection Act on 25th May 2018. The
key changes from the current law are to strengthen rights
of individuals and place more obligations on organisations
in looking after personal data.
In order to comply with the new law:
• You must have a legitimate reason for processing data – this will cover
much processing we undertake (see later slide)
• Consent must be freely and unambiguously given and can be just as
easily withdrawn
• Data Processing activities must start with “privacy by design and default”.

15. What is GDPR?... continued
• Subject Access Requests – will include how you process and share data
not just what you hold and you’ll have less time to respond
• Subjects can request data deletion – “the right to be forgotten”, though
only in certain circumstances
• There will be mandatory breach reporting
• Data processors will be held liable
• You must be able to demonstrate compliance with GDPR
• While the ICO say it is a last resort, the potential fines are much greater
than at present – up to 4% of annual global turnover or €20m
• And finally – it’s happening regardless of Brexit!

16. Why the GDPR?
• We care - we are responsible for handling people’s most
personal information
• This is an opportunity to make privacy central to what we do
• By not handling personal data properly we could put
individuals at risk and the company / organization reputation
at stake
• Getting it wrong could result in significant fines
• We need robust systems and processes in place to make sure
we use personal information properly and comply

17. Who does this affect?
• All of us - we all have a responsibility to keep people’s
information safe; main industries are healthcare, banking and
educational organizations
• Particularly those involved in:
• Human Resources
• Research & Development
• Research involving personal data and/or human participants
• Finance
• Information Technology

18. Who does this affect?

19. GDPR Principles
• Lawfulness, fairness and transparency – as with Data Protection
• Purpose limitation – only collect for specific purposes and then don’t use it for other purposes
• Data minimisation – only collect the data you need for the purpose you are using it
• Accuracy – as now, keep it up to date!
• Storage limitation – don’t keep it for longer than you need to fulfil the purpose
• Integrity and confidentiality – keep it safe and secure e.g. encrypted if on a laptop or mobile
phone.
• Accountability – you must be able to prove you have complied with the above.

20. GDPR Principles
Examples of Processing
 Staff management and payroll administration
 Access to/consultation of a contacts database containing personal data
 Sending promotional emails
 Shredding documents containing personal data
 Posting a photo of a person on a website
 Storing IP addresses or MAC addresses
 Video recording (CCTV)

21. GDPR Principles
Subjects’ rights
 Confirmation of processing
 Purposes of processing
 Rectification
 Erasure (Right to be forgotten)
 Restriction of processing
 Portability
 Access to data

22. GDPR Stakeholders

23. Data Control Viewer

24. Data Control Viewer

25. Preparation for GDPR
1. Audit Data Usage
 What?
 Why?
 Where?
 Who?
 How

26. Preparation for GDPR
1. Audit Data Usage
 Legal Basis for processing personal data:
 Legal obligation
 Contract
 Consent
 Vital interests (of data subject)
 Necessary in public interest
 Legitimate interests (of the Controller

27. Preparation for GDPR
1. Audit Data Usage
 Data Security:
 Of paper records
 Physical access to data
 Locks / doors
 Security guards
 Etc.
 Technological security
 Firewall
 Anti-virus
 Software updates
 Etc.

28. Preparation for GDPR
1. Audit Data Usage
 Data Security:
 Data protection policy
 IT Security policy
 Breach procedure / Log
 Subject access request procedure
 Privacy notice(s) / collection notices (mandatory)
 Training programme and log
 Data protection impact assessments (mandatory)

29. Preparation for GDPR
1. Audit Data Usage
 Data Security: Check your contracts with data processors
 Contracts include data protection clauses
 Compliance with GPDR
 Security is up-to-date / in place
 Procedures and policies are to your satisfaction
 Will alert you to problems
 Right to audit?

30. Preparation for GDPR
2. Data Protection Officer
 Do you need one?
 Public authority or body
 Large scale processing operations which by their nature require
regular systematic monitoring of data subjects
 Core activities involves large scale processing of special categories
of personal data and data relating to criminal convictions and
offences
 The Role:
 To be involved in issues relating to protection of personal data
 Expert knowledge of data protection
 Not be instructed

31. Preparation for GDPR
2. Data Protection Officer
 Important Notes
 It’s all important!
 Security –
 IT / technology
 Physical
 Basis for processing
 Data protection impact assessments
 Breach notifications
 Subject access requests
 Register with the ICO (Information Commissioner)

32. Preparation for GDPR
3. Data Processing (Article 4.2)
 Collecting
 Recording
 Organising
 Structuring
 Storing
 Adapting
 Altering
 Retrieving
 Consulting
 Using
 Disclosing
 Disseminating
 Aligning or combining
 Restricting
 Erasing
 Destroying

33. Preparation for GDPR
3. Data Processing (Article 4.2)

34. Preparation for GDPR
4. Consenting Process
“the data subject has given consent to the processing of his or her
personal data for one or more specific purposes
 Consent
 must be freely given, specific, informed and unambiguous;
 by a statement or a clear affirmative action;
 cannot be inferred by silence, pre-ticked boxes or inactivity
 can be withdrawn and it must be easy to do so
 Processing of sensitive personal data requires “explicit consent”
 Records must be kept of how and when consent was given

35. Preparation for GDPR
5. Demonstrating Accountability
 Internal policies and procedures (data protection / retention policy; security and data breach; data subject rights)
 External privacy notice(s)
 Internal compliance measures and external controls
 Maintain records of data processing activities
 Steps when engaging data processors
 Undertake regular staff training
 Review and update policies and procedures on ongoing basis
 Internal audit of processing activities
 Appoint a Data Protection Officer (DPO), where appropriate.
 Data Protection Impact Assessments, where appropriate
 Data protection by design and by default

36. Preparation for GDPR
6. Data Breach Reporting
 Personal data breach – a security breach leading to “the accidental or unlawful destruction,
loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or
otherwise processed”
 Data controller must notify a personal data breach to the supervisory authority (DPC) within
72 hours of becoming aware of it.
 If notified later, must give reasons for the delay.
 Notification requires certain minimum information.
 In “high-risk” cases may have to inform affected individuals.
 Notification not required where the breach is unlikely to result in a risk to the rights of
individuals.
 Data controller must document any personal data breach, including the facts, its effects and
remedial action taken

37. What do I and my team need to do?

38. Key GDPR Take Away
 Requires a shift in culture and mindset about people’s data privacy
 It’s principles-based and risk-based
 Collecting, using and securing personal data has a cost
 Individuals have more control, with new and enhanced rights
 Privacy notices need more information and must be clear and concise
 Processing requires a legal basis and must comply with the 6 principles
 Data controllers must be able to demonstrate their accountability
 Review how you get, record and manage consent
 Data processor contracts and liability issues
 Decide if a DPO required, and document this. At minimum, appoint a lead.
 Be aware of increased regulatory sanctions and powers.
 Review your IT systems and security
 Everyone needs a data breach plan

39. Thank You
For further information, please do not hesitate to contact us
Joseph.Yammine@emmainternational.com

40. Farmington Hills, MI:
Headquarters
27600 Farmington Rd., Suite 100
Farmington Hills, MI 48334
Phone (248) 987-4497
York, PA:
320 Busser Road.,
Suite 200
Emigsville, PA 17318
Phone (717) 429-6875
Clearwater, FL:
28870 US HWY 19 North,
Suite 300
Clearwater, FL 33761
Phone (727) 614-8851
Lebanon
7TH Floor, Le Mall Building,
Dbayeh Highway, Northern Metn,
Lebanon
Grand Rapids, MI:
250 Monroe NW Suite 400
Grand Rapids, MI 49503
(616) 219-0510