By An-Chan Phung
The General Data Protection Regulation (GDPR), the EU regulation on data protection and privacy adopted on April 27, 2016, becomes enforceable on May 25, 2018. “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world,” according to GDPR.org. The regulation gives individuals whose personal data is collected and used by a business more control over what information can be seen and stored and how it can be used. GDPR.org notes that personal data is defined as “any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person.”
It should be noted that although GDPR is new, the UK Data Protection Act 1998 (DPA), which implemented the 1995 EU Data Protection Directive, has been in force for 20 years, and the GDPR principles build on the same foundation. None of these concepts is new. What GDPR adds is much more severe penalties and much stronger guidance on how those principles must be applied within an organisation. Under GDPR, individuals have the right to know whether their personal data is being processed and for what purpose, the right to obtain a copy of their data free of charge, and the right to withdraw consent and, in certain cases, to have their data erased.
“The EU’s data protection laws have long been regarded as a gold standard all over the world,” according to the European Data Protection Supervisor, the EU’s independent data protection authority. “Over the last 25 years, technology has transformed our lives in ways nobody could have imagined.”
One area that will be deeply affected by GDPR is healthcare. Hospitals and health systems hold enormous volumes of patient data, from billing to diagnostics to medical history, and the consequences for noncompliance once May 25 arrives are steep. Organisations can be fined up to 4% of annual global turnover (or €20 million, whichever is higher) for the most serious infringements, such as “not having sufficient customer consent to process data,” while less serious breaches such as “not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting impact assessment” can incur a fine of up to 2% (or €10 million, whichever is higher), according to GDPR.org.
Plenty of businesses outside healthcare will be affected as well. Consider, for example, a 2015 case in which wireless carrier T-Mobile was “notified by Experian, the outfit that processes its credit applications, that they have experienced a data breach that affected people who have applied for device financing through the carrier.” Experian then set aside $20 million to cover costs related to the breach, costs that included “notifying impacted individuals, offering them free credit monitoring services and informing the appropriate government agencies of the intrusion.” To get a sense of the exposure Experian and T-Mobile might have faced had the regulation been in place at the time, one could calculate a 4% fine on Experian’s global turnover for 2015. For a company that manages “data on 890 million people and 103 million businesses around the world,” that number would be very large. Two caveats apply: 4% is the ceiling, not an automatic penalty, and GDPR reaches a breach only insofar as the affected individuals are data subjects in the EU.
Master Data Management (MDM) for Data Consent
As organisations ramp up for GDPR compliance, it is important to choose a robust and secure MDM solution (Master Data Management, not to be confused with Mobile Device Management) that is right for your organisation. MDM can support GDPR in several ways.
Maintaining GDPR compliance will be difficult for an organisation whose patient data is fragmented across departments. GDPR makes it more important than ever to create a reliable, complete “golden record” for each patient, one that pulls together disparate data from billing, diagnostics, ER, imaging, and so on. Only when every record for a patient is linked to that one identity can an organisation be sure the data is not being shared in ways the patient has not consented to under the GDPR rules; a consent withdrawn in one department is otherwise invisible to the others. Once such golden records are created via MDM, it will be easier to ensure GDPR compliance in many scenarios, including:
- If a parent or lawful guardian must be identified, as consent for children must be explicitly captured and managed
- If an individual changes address, last name, or other identifying information
- If an individual would like to withdraw consent
Yet despite an organisation’s best efforts, it may still suffer a data breach. In that case, MDM can help the organisation rectify the situation and bring the data back under control and into compliance quickly. In the event of a breach, every record pertaining to each affected individual must be identified, both to determine the extent of the breach and to support the notification to the supervisory authority (which GDPR requires, where feasible, within 72 hours of becoming aware of the breach) and any subsequent requests to demonstrate compliance. Those requests are far easier to answer when a robust MDM platform already links each person to all of their records.
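The following is an added illustration, not code from the original article or from any MDM vendor, of the mechanism the scenarios above rely on: departmental records are linked to one golden record per patient, consent (including guardian consent for a minor, and later withdrawal) is recorded once on that golden record, and breach scoping enumerates every departmental record for the affected person. The patient rows, department names and local identifiers are constructed sample data; the matching rule (normalised name plus date of birth) is deliberately simplistic and stands in for a real record-linkage strategy. GDPR enforcement day is used as the reference date so the minor check is deterministic.

```python
"""Toy master-data index: golden records, consent and breach scoping.
Added example; matching on normalised name + date of birth is a stand-in
for real record linkage and is an assumption of this illustration."""
from dataclasses import dataclass, field
from datetime import date
import unicodedata

ADULT_AGE = 16                     # GDPR Art. 8 default; states may lower to 13
REFERENCE_DATE = date(2018, 5, 25)  # GDPR enforcement date, used for age checks


def name_key(name: str) -> str:
    """Case-fold, strip accents and punctuation: 'Anna-Maria Müller' -> 'annamariamuller'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if ch.isalnum()).casefold()


@dataclass
class GoldenRecord:
    master_id: str
    dob: date
    name_keys: set = field(default_factory=set)           # every name variant seen
    sources: list = field(default_factory=list)           # (system, local_id) pairs
    consent: dict = field(default_factory=dict)           # purpose -> True/False
    consent_given_by: dict = field(default_factory=dict)  # purpose -> who gave it


class MasterIndex:
    def __init__(self):
        self.golden = {}      # master_id -> GoldenRecord
        self._by_key = {}     # (name_key, dob) -> master_id
        self._by_source = {}  # (system, local_id) -> master_id

    def link(self, system, local_id, name, dob_iso):
        """Attach a departmental record to its golden record, creating one if needed."""
        key = (name_key(name), date.fromisoformat(dob_iso))
        master_id = self._by_key.get(key)
        if master_id is None:
            master_id = f"M{len(self.golden) + 1:04d}"
            self.golden[master_id] = GoldenRecord(master_id, key[1])
            self._by_key[key] = master_id
        rec = self.golden[master_id]
        rec.name_keys.add(key[0])
        rec.sources.append((system, local_id))
        self._by_source[(system, local_id)] = master_id
        return master_id

    def resolve(self, system, local_id):
        return self._by_source.get((system, local_id))

    def change_name(self, master_id, new_name):
        """Scenario: surname change. Old keys are kept so existing records still resolve."""
        rec = self.golden[master_id]
        rec.name_keys.add(name_key(new_name))
        self._by_key[(name_key(new_name), rec.dob)] = master_id

    def is_minor(self, master_id, on=REFERENCE_DATE):
        dob = self.golden[master_id].dob
        age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
        return age < ADULT_AGE

    def record_consent(self, master_id, purpose, given_by=None):
        """Scenario: a child's consent must come from an identified parent or guardian."""
        if self.is_minor(master_id) and not given_by:
            raise ValueError("consent for a minor must name the parent or guardian")
        rec = self.golden[master_id]
        rec.consent[purpose] = True
        rec.consent_given_by[purpose] = given_by or "data subject"

    def withdraw_consent(self, master_id, purpose):
        """Scenario: one withdrawal applies to every linked departmental record."""
        self.golden[master_id].consent[purpose] = False

    def may_process(self, system, local_id, purpose):
        """Departmental check: resolve to the golden record, then consult its consent.
        A record that cannot be linked is treated as having no consent at all."""
        master_id = self.resolve(system, local_id)
        return bool(master_id) and self.golden[master_id].consent.get(purpose, False)

    def records_for(self, master_id):
        """Scenario: breach scoping, every departmental record for one person."""
        return list(self.golden[master_id].sources)


def build_demo_index():
    """Constructed sample rows: two patients as seen by three departmental systems."""
    idx = MasterIndex()
    for row in [
        ("billing",     "B-1001", "Anna-Maria Müller", "1990-04-12"),
        ("diagnostics", "D-77",   "anna maria MULLER", "1990-04-12"),
        ("imaging",     "I-5",    "Anna Maria Muller", "1990-04-12"),
        ("billing",     "B-1002", "Tom Okafor",        "2012-09-30"),
        ("diagnostics", "D-78",   "Tom Okafor",        "2012-09-30"),
    ]:
        idx.link(*row)
    return idx


if __name__ == "__main__":
    idx = build_demo_index()
    anna = idx.resolve("billing", "B-1001")
    idx.record_consent(anna, "research")
    idx.withdraw_consent(anna, "research")
    print("imaging may use I-5 for research?", idx.may_process("imaging", "I-5", "research"))
    print("records in scope for a breach:", idx.records_for(anna))
```

The point the example makes is the failure mode the text warns about: without the index, the imaging department holding record I-5 has no way to learn that the withdrawal lodged through billing applies to it, and a breach report would miss the records that carry a different spelling of the patient's name.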