Steps to Take to Make a Website GDPR Compliant

If you have a website that can be accessed by EU residents it is likely that you will have make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine as the General Data Protection Regulation compliance date was May 25, 2018.

The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed.

Over the past two years, many businesses have been learning about how GDPR affects websites and websites owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely.

Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater) so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR compliant is to tackle the issue of consent. Information cannot be collected and processed unless consent has been obtained.

While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users.

Consent forms should be clear and explain the data that is collected and how it is used in easy-to-understand language. Website visitors must be informed how long their personal data will be retained, and the classes of individuals with whom the information will be shared. The exact types of data that will be collected through use of the website must be explained and if the website uses cookies to achieve that.

Website owners must make a decision about the types of data they collect and whether that information is necessary in order to perform the task for which the information is being collected. Any data collected or processed should be limited to the minimum necessary amount to achieve the purpose for which it is collected. GDPR also requires all personal data to be secured, so data encryption should be considered.

If you use any kind of analytics program on your website, Google Analytics for example, it is your responsibility to ensure it is compliant. Google has taken care of its side, but it is the responsibility of all website owners to ensure analytics programs meet GDPR requirements. If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

In the event that a website visitor chooses to be forgotten, it is useful to have a mechanism in place that allows that to happen automatically via the website. Manually completing such a task will be time consuming, especially if multiple requests are received.

It is the responsibility of all website owners to familiarize themselves with GDPR Rules and make their websites GDPR compliant. If you own or operate a website, read up on GDPR requirements, check to make sure consent is being obtained before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected and honored, and make sure all personal data is stored securely.

You must also develop policies and procedures to identify and deal with data breaches. If a breach is experienced, the Supervisory Authority must be notified within 72 hours.

The post Steps to Take to Make a Website GDPR Compliant appeared first on HIPAA Journal.

How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.

The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business soperates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.

For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.

For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.

A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data procession decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.

The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.

For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines can be downloaded on this link (PDF).

The post How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority? appeared first on HIPAA Journal.

GDPR Data Breach Reporting Requirements

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject: Information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed a DPO, or to the data protection officer, privacy officer, or the security team if a DPO has not been appointed.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered – See GDPR Article 33. A data breach must be reported unless there is unlikely to be a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

  • A description of the data breach
  • Categories of data subjects affected and the approximate number of individuals impacted
  • Categories and approximate number of data records affected
  • Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
  • A description of the likely consequences of the data breach
  • A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all data personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that would be understandable to a reasonable person and the personal breach notifications need to include the same categories of information as the notification for the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

  • Steps have been taken to render the personal data inaccessible or unintelligible – encryption for example
  • Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – The remote deletion of data on a lost device, for example
  • If data breach notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.

The post GDPR Data Breach Reporting Requirements appeared first on HIPAA Journal.

GDPR: What is the Role of the Data Protection Officer?

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO?

The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018.

One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance.

Does GDPR Require All Companies to Appoint a Data Protection Officer?

Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies, those with fewer than 250 employees, may not be required to appoint a DPO, although that will depend on various factors, such as the amount of personal data that are processed, whether special category data are processed, and the nature of the business.

A Data Protection Officer must be appointed if processing is carried out by a public authority or body. A Data Protection Officer must also be appointed if the core activities of the controller or processor require regular systematic monitoring of data subjects on a large scale, or if core activities of a controller or processor consist of processing special categories of data on a large scale.

Any company that fails to appoint a Data Protection Officer must be able to demonstrate why they do not need to appoint a DPO. An internal analysis should be conducted and the decision not to appoint a DPO should be documented, including the reasons why. This document may need to be provided in the event of a compliance audit.

Who Can Be Appointed as A Data Protection Officer?

There is no requirement for a Data Protection Officer to have any specific qualifications, so it is not necessary to recruit a DPO externally. An existing member of staff can serve as an organization’s DPO, and a group of companies could appoint a single DPO, provided the DPO is easily accessible from each establishment.

The individual appointed as Data Protection Officer must have a significant amount of data protection experience and must be well versed in GDPR and understand its requirements in order for tasks to be performed effectively.

An employee can only be appointed as a Data Protection Officer if other duties in the company do not cause a conflict of interest. The DPO must be allowed to act independently without any influences. The DPO must report to the highest level of management at the data controller or processor and must be bound to secrecy about the performance of his or her tasks. A Data Protection Officer must be given sufficient resources to ensure it is possible for that individual to carry out his or her role effectively.

Further information on the position of the DPO can be found in GDPR Article 37.

What is the Role of the Data Protection Officer?

Article 38 of the GDPR covers the role of the Data Protection Officer. There are five essential tasks that must be performed by the Data Protection Officer.

  • The Data Protection Officer is required to inform and advise the controller or processor of their obligations under GDPR and also advise employees involved in the processing of personal data about GDPR requirements.
  • The Data Protection Officer must monitor compliance with the GDPR with respect to the protection of personal data and must raise awareness of responsibilities and train staff on processing operations.
  • Provide advice, as requested, on the data protection impact assessment and monitor its performance.
  • To cooperate with the supervisory authority
  • To act as a single point of contact in a company for the supervisory authority.

The role of the Data Protection Officer has been Summarized in the infographic below:

GDPR Data Protection Officer Duties

The post GDPR: What is the Role of the Data Protection Officer? appeared first on HIPAA Journal.

How Does GDPR Apply to Medical Devices?

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices?

How Does GDPR Apply to Medical Devices?

Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices.

Consent Must be Obtained

Prior to medical devices being used, it is important for consent to collect and process data to be obtained from the data subject. Explicit consent must be obtained, which means the data subject must freely give their specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood and the data subject must be made aware of the data that will be collected, how they will be used. See Article 7 of the GDPR.

Consent is especially important for ‘special category’ of personal data, such as health data, genetic data, and biometric data, which cannot be collected or processed without explicit consent. The processing of special category data is only permitted in certain circumstances, as detailed in Article 9 of the GDPR.

A Data Protection Impact Assessment Must be Conducted

The use of new technologies to process personal data calls for a Data Protection Impact Assessment (DPIA) to be conducted, with is also mandatory when special category data are processed.

The DPIA must include a systematic description of the processing operations, the purpose of that processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures that address those risks including the security controls, safeguards, and mechanisms to ensure the privacy of patients is protected and data subjects’ rights and freedoms have been taken into account. – See Article 35 of the GDPR

Personal Data Must be Secured

Any personal data collected or processed must be protected. Appropriate technological and organizational measures must be implemented to ensure a level of security appropriate to the level of risk. As with HIPAA, healthcare organizations must ensure the confidentiality, integrity, and availability of personal data. In the event of an emergency or technical issue, the healthcare provider must have the ability to be able to restore data.

Healthcare providers should routinely test, assess, and evaluate the effectiveness of their security controls. Any individual who has access to personal data must be trained and be made aware that they are prohibited from processing data except when instructed to do so by the data controller.

Healthcare providers must also encrypt personal data at rest or in transit, unless data are otherwise protected through pseudonymization and individuals cannot be identified from their data. Article 32 of the GDPR covers the security of processing.

Personal Data May Need to be Provided to Patients

Data subjects have the right to access their personal data (Article 15), and access information such as the purpose of data processing, the types of data collected and processed, with whom the data have been shared, the period of time that data will be stored.

Data subjects have the right to data portability, and upon request, must be provided with their data in a commonly used electronic format -See Article 20 of the GDPR. Data subjects can also exercise their right to be forgotten (Article 17) and have all personal data erased, or may request that all data processing stop (Article 19).

Notifications Must be Provided in the Event of a Data Breach

As with HIPAA-covered data, if a breach is experienced, notifications must be issued. In contrast to HIPAA, which allows up to 60 days to issue notifications, GDPR calls for the supervisory authority to be notified within 72 hours of the discovery of the breach. The breach notice must include the nature of the breach, the types of information likely to be involved, the contact information of the data protection officer, the likely consequences of the breach, and the measures being taken to address the breach – See Article 33 of the GDPR. Personal breach notifications, as detailed in Article 34, must be issued to breach victims when the incident is likely to result in a high risk to the rights and freedoms of breach victims. Personal breach notifications must be issued without undue delay.

Does HIPAA Compliance Mean Compliance with the GDPR?

Fortunately for U.S. healthcare providers, many of the requirements of GDPR will already have been satisfied if the organization is compliant with HIPAA. However, being compliant with HIPAA does not guarantee compliance with GDPR. HIPAA-covered entities must therefore conduct an in-depth assessment of their policies, procedures, and safeguards to ensure they meet the requirements of the GDPR.

The post How Does GDPR Apply to Medical Devices? appeared first on HIPAA Journal.

California Passes GDPR-Style Data Privacy Law

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously.

California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including:

  • The right to request information from businesses about the types of personal data that are collected and processed and the source of that information
  • Be informed about the purpose for collecting, using, and selling personal data
  • Categories of third parties with whom the information is shared
  • The right to request a copy of all personal information collected by a business
  • The right to have all personal information deleted on request
  • The right to request personal information is not sold
  • The right to initiate civil action if there has been a failure to protect an individual’s personal data

The law would also prohibit any business from discriminating against an individual who chooses to exercise the above rights, including charging such an individual more or providing a different quality of goods or services.

The Act also prohibits companies from selling the personal data of individuals between 13 and 16 years of age, unless authorized to through opting in. Individuals younger than 13 must have consent provided by a parent or legal guardian before personal information can be collected.

Businesses will be required to explain, at or before the collection of personal information, the categories of information that will be collected and the purpose for which that information is collected. Businesses will be prohibited from collecting more information than is stated in their consumer notices. Consumers must also be advised of the right to have their information deleted at the point of consent being obtained.

Businesses must place a clear link on the homepage of their websites titled “Do not Sell My Personal Information” which must direct the user to a webpage where they can opt out of the sale of their personal data.

The Act will not apply to protected health information collected by HIPAA-covered entities. “This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996.”

The California Consumer Privacy Act of 2018 has been criticized for being a rushed attempt to prevent a voter initiative that would’ve appeared on California ballots in November if the bill was not passed by 5pm on Thursday.

While the bill has been signed into law, the California Consumer Privacy Act of 2018 can be amended before its effective date of January 1, 2020.

The bill has been heavily criticized by the Internet Association, which has stated, “Data regulation policy is complex and impacts every sector of the economy, including the internet industry… That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

The Internet Association released a statement saying, “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

The post California Passes GDPR-Style Data Privacy Law appeared first on HIPAA Journal.

GDPR Right to Access Personal Data

Healthcare organizations that market their services to residents in the EU or provide medical services to EU residents that requires the collection of their personal information are required to comply with the EU General Data Protection Regulation (GDPR).

One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file.

Data subjects are more likely to exercise this right with healthcare organizations that other organizations that hold their data as it is especially important that this information is correct. They may also require the data to pass on to other healthcare organizations.

The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15.

The GDPR Right to Access Personal Data

If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days.

The data subject is permitted to obtain confirmation about whether his or her personal data are being collected, used, and stored; the types of data involved; the reason for data processing; the categories of person with whom the data have been or will be disclosed; whether those data will be transferred to another country or an international organization; and the length of time that data will be processed or stored. The information can be provided in writing, verbally, or electronically.

Once the right to access has been exercised, other rights then apply, such as the right to request alteration of personal data, erasure of data, the right to be forgotten, and requests for restriction of the processing of personal data.

When copies of data are requested they must be provided and the entity that holds the data is not permitted to charge the data subject for providing access to the information.

If such a request is made electronically, the data must be provided in a commonly used electronic format – Office documents and PDF files for example.

While companies are not permitted to charge for access to personal data, reasonable fees can be charged for providing multiple copies. It is also permissible to request a reasonable fee if any request is deemed to be excessive, such as if a SAR is made too frequently.

Get Prepared for SARs

It is important for healthcare organizations to develop policies that will allow them to respond to SARs promptly. Healthcare organizations need to be aware of all locations where personal data are stored. In contrast to HIPAA, which requires copies of health information to be provided as a data set, all information stored will need to be provided on request.

In addition to being able to obtain those data, a mechanism must be developed that will allow the identity of a data subject to be verified. It is essential that a personal data file is only provided to a person authorized to receive it.

Noncompliance with GDPR

GDPR requirements have been enforceable since May 25, 2018. Any healthcare organization required to comply with GDPR can face massive financial penalties for noncompliance. The maximum penalty for noncompliance is €20 million or 4% of global annual turnover, whichever is the greater.

The post GDPR Right to Access Personal Data appeared first on HIPAA Journal.

What are the GDPR Rules for Recording Calls?

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 GDPR Rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents.

Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7).

Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be provided by an affirmative action. Silence or inactivity is no longer sufficient.

An unambiguous action is now required, such as pressing a specific key on the telephone or providing verbal consent. A recording of consent should be retained by the company.

GDPR Rules for recording calls involve more than consent. The recording of telephone conversations is only possible if there is a valid and legal reason for that information to be collected.

For all companies, at least one of the following criteria must be met in addition to obtaining consent:

  • Recording is required to comply with a contract
  • Recording is required to satisfy legal requirements
  • Recording is required to protect the interests of one or more participants
  • Recording of calls is necessary for safety or is in the public interest
  • Recording is in the legitimate interests of the recorder, provided those interests are not overwritten by the interests of the participants in the calls.

Other GDPR Rules for recording calls are detailed below:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely and appropriate security controls applied to prevent stored call data from being accessed by unauthorized individuals. Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies, physical, and technical safeguards to reduce risk to an acceptable level.

Data Retention Rules

Article 5 (e) of the GDPR explains that data can only be retained for the length of time that it is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied for how long data can be retained. When call recordings are no longer required, data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls. If a request is received from a data subject to access their personal data, it is necessary to comply with that request within 30 days. A company must therefore have the ability to be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected. The right to erasure similarly doesn’t apply for the establishment, exercise or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

If GDPR Rules for recording calls are not followed, stiff financial penalties can be issued. The maximum fine is €20 million or 4% of global annual turnover, whichever is the greater.

The post What are the GDPR Rules for Recording Calls? appeared first on HIPAA Journal.

A Third of Healthcare Organizations Expected to Miss GDPR Deadline

Healthcare organizations that treat patients from the EU or target EU residents and collect their data are required to comply with the EU’s General Data Protection Regulation.

The EU regulation came into force on May 25, 2018. Any healthcare organization that is required to comply with GDPR and fails to do so faces a substantial financial penalty for noncompliance.

The fines for noncompliance with GDPR are far in excess of those for HIPAA violations. The maximum penalty for a HIPAA violation is $1.5 million per violation category, per year. The fine for noncompliance with GDPR is up to €20 million ($23 million) or 4% of global annual turnover, whichever is the greater.

The final text of GDPR was adopted on April 14, 2016, giving all entities more than two years to implement the appropriate privacy and security controls and develop policies and procedures in line with GDPR. Even so, many organizations put GDPR compliance on the back burner until 2018 and have run out of time. Many organizations in the United States are still on the road to compliance even though the deadline has passed.

A survey conducted by Netsparker in the fall of 2017 revealed 14% of healthcare organizations surveyed had only achieved a quarter of what was necessary to comply with GDPR requirements, and 7% were only minimally aware of what was required. A survey conducted by Clearswift in October suggested healthcare was the least likely industry to be prepared for GDPR.

How Have Healthcare Organizations Fared with Their GDPR Compliance Efforts?

Recent data on the state of healthcare industry GDPR compliance are limited, although a survey conducted by Harvey Nash and KPMG provides some insight into how healthcare organizations have fared with their compliance efforts. The survey was conducted between December 20, 2017 and April 3, 2018 on 3,958 IT leaders from a wide range of industries.

In North America, 59% of companies had completed or mostly completed their GDPR compliance efforts ahead of the May 25, 2018 deadline, with 40% of companies reporting that they still expected to be on the road to compliance by the time GDPR came into effect.

Healthcare organizations fared better than average, with 67% saying they were already in compliance with GDPR or were mostly compliant, broken down as 14% compliant and 53% mostly compliant. However, a third of healthcare companies (33%) said they would still be on the road to compliance by the May 25 deadline.

The survey also revealed that 40% of healthcare companies did not have a clear digital business vision and strategy, although 35% of were currently working on one. 13% of healthcare firms said they were not well prepared to deal with cyberattacks, which could see them experience problems complying with GDPR reporting requirements. Under HIPAA, healthcare organizations have up to 60 days to report security breaches involving PHI. GDPR requires reports of breaches of personal data to be issued within 72 hours of the discovery of a breach.

The Privacy Rule requires healthcare organizations to respond to patients requests for copies of their data within 30 days, the same time frame as required by GDPR. However, in contrast to HIPAA, GDPR requires copies of all personal information to be provided, not just a limited data set. That requirement could well prove problematic if healthcare organizations have not performed a full audit to determine where all copies of data are located. The same applies to honoring requests to have all data erased when consent to process and store data is revoked.

The time that organizations have had to devote to compliance has been considerable and compliance has come at great cost, although far less than the potential fines for noncompliance. Fortunately for many healthcare companies, IT budget increases will have helped cover the cost of compliance. 49% of healthcare firms have increased their IT budgets in 2018. For the 51% of healthcare organizations with static budgets or budget cutbacks, compliance will have been a major struggle.

The post A Third of Healthcare Organizations Expected to Miss GDPR Deadline appeared first on HIPAA Journal.