Starting from today, May 25th 2018, the new European Regulation on the Protection of Personal Data (GDPR), enters into force. Technically, it stepped in 2 years ago, but only from today, it will be mandatory for companies offering services to EU citizens.
In the last days we have witnessed panic attacks between those businesses that were unprepared on the subject, and given the widespread of misinformation, they dealt with it by sending emails and doing last-minute patches to legal docs.
With this brief post, we would like to summarize some of the key points to keep in mind that are relevant, especially, for Digital Health companies.
The key points for Digital Health companies
In the previously linked document and resources are listed and explained these key points:
Health Data: try to check if you are really collecting health data. No health data means less obligations and risks.
How, why and to whom to demonstrate compliance: healthcare has many stakeholders who you need to sell or talk to. All of them will ask you about data privacy. Many of them don't know what a good answer looks like, so be prepared more than anyone else.
The Consent: it's the fundamental step before collecting any data, especially health. Check more here.
Data Protection Impact Assessment - DPIA: GDPR is risk-based. DPIA helps you to figure out risks and demonstrate that you have done work.
Data Protection Officer - DPO: Even health startups may need a DPO. Check with multiple specialists because DPO can be costly.
Data Security and other technical obligations: old and obvious things (e.g. encryption, pseudonymization, anonymization), just refreshed and having different meanings and legal consequences under GDPR.
Contracts with Data Processors and Partners: if your cloud tools are not compliant, then you are not too. Using "normal" tools and databases in the cloud for health data and apps is one of the major mistakes.
Check other regulations: GDPR is General... To ensure compliance with your health data and apps you must comply also with specific (sometimes national) security regulations and guidelines.
Pay attention to false info: there is huge misinformation also among experts. Some of them sell non-existing things like GDPR certifications. Currently, there is no such thing as GDPR certification out there. You can only get consultancy to help you to * self-claim that you are GDPR compliant*.
Don't Panic!: you can turn challenges into opportunities. GDPR is a great thing to demonstrate your users, customers, partners that you have a great business model that doesn't rely on violating users' privacy, which is a fundamental right, like freedom.
You can find this information in more details here:
- Our GDPR page and other info on website and this Blog
- Our eBook on health app compliance
- Our eBooks and other content written for Healthware International and Digital Health Italia
For any questions or further details don't hesitate to contact us.