The European Union General Data Protection Regulation, commonly known as GRPR, can be challenging for any company. This is even more true for entities, particularly startups, operating in the field of health technologies and related services which involve processing of health-related personal data that falls under Article 9 GDPR - Special Categories of Personal Data. In order to avoid the possibility of heavy fines, compliance with GDPR must be addressed early and evaluated often.
We offer 6 practical tips below in order to get you off to a good start in establishing data protection and privacy practices that are in compliance with GDPR. Although this list of tips is by no means complete, it serves as a starting point from which to develop robust and effective data protection practices.
The key data processing principles under GDPR include (i) transparency, (ii) lawfulness, (iii) fairness, (iv) purpose limitation, (v) data minimization, (vi) accuracy, (vii) storage limitation, (viii) integrity and confidentiality and (ix) accountability.
Start by making sure that you understand what the key data processing principles actually mean in practice. National data protection authorities in EU member states and the European Data Protection Board (EDPB) have excellent introductory materials and guidelines which are a great place to start.
All companies should seriously consider having a specific person responsible for data protection matters. Companies that process health-related data, however, are required to nominate a data protection officer under Article 37.1 GDPR regardless of your role (whether you are a data controller or a processor).
The data protection officer is responsible for:
-monitoring compliance with data protection rules, highlighting possible deficiencies
- providing management and those employees processing personal data with information and advice concerning their duties under GDPR
- providing advice on carrying out a data protection impact assessment and monitoring its implementation
- serving as the contact person for data subjects in matters related to personal data processing
- acting as a point of contact for data protection authorities
The data protection officer must have sufficient time and resources available to carry these responsibilities and must be included in decision-making regarding all personal data processing.
In order to understand what is required under GDPR, you first need to understand certain definitions. For example, are you a data controller or a data processor? Can you be considered a joint controller?
A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
A joint controller is a natural or legal person, public authority, agency or other body which together with another controller determines the purposes and means of the processing of personal data. Joint controllers must determine in a transparent manner their respective responsibilities for compliance with obligations under GDPR. This applies in particular to enabling data subjects to exercise their rights under GDPR and to the duties of joint controllers to provide relevant information to the data subjects.
A processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
A data processing agreement, or a similar binding legal act, must exist between the controller and processor. Joint controllers should have a clear agreement that defines their roles and responsibilities in their relationship and thus ensures that both will be able to fulfill their obligations.
In sum, understanding your role allows you to understand your obligations under GDPR and defines your relations with others.
Knowing the personal data that you process is your responsibility. Therefore, analyze and document the following carefully:
- What kind of personal data do you process and is it necessary for all of the data to be processed?
- What are your sources of data?
- What are your purposes for processing and how do you process the data?
- Who will access, process or use the data and how, and what is their role?
- How long will the data be stored?
- What is your legal basis for processing the data?
In terms of health-related personal data, Article 9 GDPR must always be assessed and its impact on the legal bases of processing considered. Health and other special categories of personal data may be processed only when certain conditions explicitly defined under Article 9 GDPR are fulfilled, which include:
- the data subject has given explicit and validly obtained consent to the processing of the personal data for one or more specified purposes
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to by GDPR
- processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
The more sensitive the personal data you process, the higher the requirements for technical and organizational measures to ensure security of the processing must be. Ensure that the security measures you implement are state-of-the-art and follow the rules of Data Protection by Design and by Default. Also consider using certified service-providers and having your own solutions certified.
Accountability means that the controller must be able to demonstrate its compliance with data protection legislation and this is a key principle of GDPR. The purpose of accountability is not only to evaluate compliance with statutory obligations but also to demonstrate how the controller respects the privacy of the data subjects. Implementation of accountability creates trust in data-processing and operations of the controller.
Documentation is an important part of accountability and, unfortunately, the required preparation will take time. Therefore, start documentation activities as early as possible and update regularly. Some key documentation especially for data controllers may include the following:
- a record of processing activities (Article 30 GDPR)
- rules and guidelines for applying data protection by design and by default in operations (Articles 5 and 25 GDPR)
- data protection policies (Article 24.2 GDPR)
- evaluation of the legal basis for the processing of health-related data under Article 9 GDPR
- the documentation related to consent, if the processing is based on consent (Articles 7 and 8 GDPR)
- the risk assessment documentation including safeguards implemented
- guidelines and processes in case of personal data breaches (Articles 33 and 34 GDPR)
- instructions for processors and personnel who process personal data
- documents for a Data Protection Impact Assessment (Article 35 GDPR) and prior consultation (Article 36 GDPR)
- data processing agreements and evaluation of data transfer practices (Article 28 GDPR).
Although the above list is created from the point of view of data controllers, the same considerations apply to processors, who are responsible for meeting their own requirements and for providing necessary support so that controllers can meet their obligations.
At first glance all of this information may appear overwhelming. Consider obtaining professional legal assistance to help you understand your obligations in more detail and to help you in prioritizing your to-do list. External professional legal assessment of data security and data protection measures also will demonstrate to your clients and investors that you are taking appropriate steps to comply with your obligations under GDPR.
It is also important to keep in mind that data protection and any policies, practices and processes must be continually updated and evaluated. Therefore, starting early will help you develop your own practices and processes so that they become a natural part of your business. Keeping yourself, and your data protection officer, up to date with the latest decisions, guidelines and recommendations of authorities is also highly recommended.
For more information on this topic, please register for our free webinar which will take place on Thursday 11 February 2021 at 15:30 CET using this link.