In May 2018, the European Union introduced the General Data Protection Regulation, also known as GDPR, which has transformed European data security. GDPR is a legal framework that establishes guidelines for websites on the Internet and how they collect and process personal information.
GDPR was implemented in response to companies collecting large amounts of data to potentially profile customers. GDPR builds off of the principle of the “right to be forgotten,” which in the Internet era often refers to unsavory information or images of an individual on a website or in search results. In 2012, the EU introduced Article 12 of the Directive 95/46/EC. The following excerpt is from Wikipedia:
“To exercise the right to be forgotten and request removal from a search engine, one must complete a form through the search engine’s website. Google’s removal request process requires the applicant to identify their country of residence, personal information, a list of the URLs to be removed along with a short description of each one, and attachment of legal identification. The applicant receives an email from Google confirming the request but the request must be assessed before it is approved for removal. If the request is approved, searches using the individual’s name will no longer result in the content appearing in search results. The content remains online and is not erased. After a request is filled, their removals team reviews the request, weighing “the individual’s right to privacy against the public’s right to know”, deciding if the website is “inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes for which they were processed”. Google has formed an Advisory Council of various professors, lawyers, and government officials from around Europe to provide guidelines for these decisions. However, the review process is still a mystery to the general public. Guidelines set by EU regulators were not released until November 2014, but Google began to take action on this much sooner than that, allowing them to “shape interpretation to [their] own ends”. In May 2015, eighty academics called for more transparency from Google, in an open letter.”
By May of 2014, Google had removed over a million URLs, and in July of 2015, according to The Guardian, Google accidentally revealed that “95% of Google privacy requests are from citizens out to protect personal and private information – not criminals, politicians and public figures.”
Ultimately, the goal of GDPR is to simplify the regulatory environment for businesses and protect the personal data, privacy, and consent of EU citizens.
To be GDPR compliant means that your business must:
- Appoint a Data Protection Officer (DPO)
- Deliver a breach report, whether it be from human error, a cyber attack or anything else, to immediately notify all affected within 72 hours
- Ensure all website traffic and email lists gather and store personal information (name, photos, address, email address, and even IP address) under the terms of GDPR to protect from misuse. Even genetic and biometric data used to identify an individual is covered by GDPR
Who Exactly Does GDPR Apply to in the US?
The U.S. businesses that are most likely to fall under the GDPR’s scope are hospitality, travel, software services and e-commerce companies that draw traffic from countries in Europe. However, any U.S. company that has identified a market in an EU country or offers goods or services to EU citizens must be compliant. If you run re-marketing campaigns, for example, you may inadvertently be targeting European visitors. In this case, you’d need to be GDPR compliant.
I Run a Local Practice, Does This Concern Me?
Probably not at the moment, unless you’re targeting patients in Europe (or re-marketing, as noted in the last paragraph). However, you should be paying attention to the ever-evolving legal landscape, as US privacy laws may change in the coming years.
This is an opportunity to ensure that:
- Your website is fully secured with SSL
- Your email list consists of only patients who have willingly opt-ed in
- Your securely storing patient information (and not violating HIPAA law)
Does GDPR Have Any Correlation to HIPAA?
HIPAA law differs from GDPR, but there is some overlap. Ultimately, GDPR offers more far-reaching, broader coverage, businesses that use or disclose health information internationally need to understand the nuances of both HIPAA and GDPR. Details from the graph below are from iapp.org.
If you have any questions about GDPR or HIPAA and how they influence your practice then drop TRBO a note here or give us a call at 877-673-7096 x2.
*Disclaimer: TRBO ADvance is not a law firm and does not provide any legal advice. Your practice will need to consult your legal counsel for specifics on HIPAA, GDPR, AND patient privacy.