What happens now that US Organizations who thought they were off the GDPR hook, are so on it.
The onset of the GDPR, at first glance, seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? All good on personal data privacy. Except that your one-time, at-a-glance, high level assessment won’t hold up. Blame the GDPR’s broad definition of personal data. And realize that Europeans are far more guarded of their personal data privacy than the US, at a very granular level. Beyond health or financial information, or minor’s personal information, the GDPR goes far deeper.
Examples of GDPR-defined personal data
- Work email address
- Political party
- Religious beliefs
- Racial or ethnic information
GDPR defines “personal data” as:
Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. A data processor is defined as someone who processes data on behalf of the data controller. That may be a company providing a 3rd party software or platform that stores data. The data controller is the entity that collects the data, such as a health plan collecting member data or a bank collecting customer data.
So how does a US organization, particularly one typically highly adherent to strict compliance standards deal with the GDPR? A company that has attained certification through HITRUST or SOC2 likely feels fairly confident of being able to meet the GDPR’s requirements. Unfortunately, one does not equal the other.
6 Actions You Can Take to Support GDPR Compliance
- Be sure that your Security Risk Analysis encompasses all “personal data” as defined under the GDPR, not just PHI and PII. Remember location data counts, too! If you’re a data controller, you’ll also need to look at impact assessments that relate to GDPR-defined personal data.
- Check that your 3rd party data processor is approved by the data controller. PHI that falls into the GDPR personal data category can only be used and disclosed on instruction from the data controller. That means that what typically would be ok use by a Business Associate under HIPAA isn’t if the data is defined as “personal data” under GDPR.
- Appoint your EU-based representative and designate a Data Protection Officer. This is a major point of compliance with the GDPR. The DPO’s contact info must be publicly published as well as formally shared with the EU’s Privacy Commissioners.
- Be sure you’re authorized to engage in data flow transfers that relate to the individuals, or “natural persons” under the GDPR regs. Validate under your operations management contract that the data transfer is necessary and authorized.
- Modify your security incident response plan to include the GDPR breach notification guidelines. Under the GDPR, data controllers only have 72 hours from the breach discovery to notify the EU Data Protection Authorities. Be sure to test your ability to comply with the requirement.
- Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual privacy rights include access to data collected, ability to correct that data, how they can restrict the processing of the data, even to require that you erase the personal data.
Under the GDPR, US companies who discover from their data analysis that they deal with personal data of any kind from people who live in the EU (even non-EU citizens), must comply with its requirements. The cost of non-compliance is huge – up to 20,000,000 EUR. For US healthcare organizations who still struggle to meet HIPAA requirements over two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.
Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.