GDPR News

First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine

The first hospital GDPR violation penalty has been issued in Portugal. The Portugal supervisory authority, Comissão Nacional de Protecção de Dados (CNPD), took action against the Barreiro Montijo hospital near Lisbon for failing to restrict access to patient data stored in its patient management system.

Concerns were raised about the lack of data access controls in April 2018. Medical workers in the southern zone discovered non-clinical staff were using medical profiles to access the patient management system.

CNPD conducted an audit of the hospital and discovered 985 hospital employees had access rights to sensitive patient health information when there were only 296 physicians employed by the hospital. Only medical doctors at the hospital should have been able to access that level of detailed information about patients. CNPD also discovered a test profile had been set up with full, unrestricted administrator-level access to patient data and nine social workers had been granted access to confidential patient data.

The failure to implement appropriate access controls is a violation of the EU’s General Data Protection Regulation (GDPR) which came into force on May 25, 2018.

The hospital has been fined €400,000 ($455,050) for the GDPR violations – €300,000 for the failure to limit access to patient data and €100,000 for the failure to ensure the confidentiality, integrity, and availability of treatment systems and services. The hospital is taking legal action over the GDPR penalty.

This is the first GDPR violation fine to be issued in Portugal and one of the first fines since GDPR started to be enforced in May 2018. The financial penalty is well below the maximum fine that can be issued for a GDPR violation, which is up to €20 million ($22.74 million) or 4% of global annual turnover, whichever is greater.

In November, the supervisory authority in Germany, Baden-Württemberg Data Protection Authority, issued a financial penalty to the chat platform Knuddels.de for the failure to secure the personal information of EU residents. Knuddels.de suffered a data breach that exposed the email addresses of 808,000 users and 1.8 million usernames and passwords. The investigation revealed sensitive information such as passwords were stored in plain text.

Knuddels.de was fined €20,000 ($22,750). The relatively low fine was due to the level of transparency over the breach, exemplary cooperation with the data protection authority, and the speed at which security upgrades were applied.

The post First Hospital GDPR Violation Penalty Issued: Portuguese Hospital to Pay €400,000 GDPR Fine appeared first on HIPAA Journal.

Data Breach Reports and Complaints Have Increased Significantly Post-GDPR

The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies.

One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery.

Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe.

Data breach reports in the United Kingdom quadrupled in the first three months since GDPR came into effect and in Ireland data breach reports doubled.

A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner (ICO) – The supervisory authority in the United Kingdom – in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that could be attributed to human error, compared to just 292 the previous year.

The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). There were 102 cases of unauthorized accessing of personal information, most commonly due to cyberattacks. The most commonly breached industry was healthcare, accounting for 1,214 of the 2,000 reported incidents.

These figures indicate there has been a major increase in data breaches, since the majority of these breaches were reported prior to the effective date of GDPR, although Kroll suggests the rise is, to a large extent, a result of increased transparency due to GDPR with UK companies choosing to abide by GDPR rules ahead of the deadline for compliance.

Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches, as prior to the implementation of GDPR, the maximum possible fine was £500,000 in the UK. Now that GDPR is in force, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. The risk of a substantial fine on top of the cost of dealing with a breach and repairing reputational damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.

Privacy and data security complaints have similarly increased. ICO figures show data protection complaints from consumers have substantially increased since GDPR came into effect. In the first three months since GDPR came into force, the number of data protection complaints have doubled. Prior to the introduction of GDPR in May, ICO had received 2,310 complaints but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.

There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the previous year and in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.

The post Data Breach Reports and Complaints Have Increased Significantly Post-GDPR appeared first on HIPAA Journal.

Steps to Take to Make a Website GDPR Compliant

If you have a website that can be accessed by EU residents it is likely that you will have make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine as the General Data Protection Regulation compliance date was May 25, 2018.

The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed.

Over the past two years, many businesses have been learning about how GDPR affects websites and websites owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely.

Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater) so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR compliant is to tackle the issue of consent. Information cannot be collected and processed unless consent has been obtained.

While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users.

Consent forms should be clear and explain the data that is collected and how it is used in easy-to-understand language. Website visitors must be informed how long their personal data will be retained, and the classes of individuals with whom the information will be shared. The exact types of data that will be collected through use of the website must be explained and if the website uses cookies to achieve that.

Website owners must make a decision about the types of data they collect and whether that information is necessary in order to perform the task for which the information is being collected. Any data collected or processed should be limited to the minimum necessary amount to achieve the purpose for which it is collected. GDPR also requires all personal data to be secured, so data encryption should be considered.

If you use any kind of analytics program on your website, Google Analytics for example, it is your responsibility to ensure it is compliant. Google has taken care of its side, but it is the responsibility of all website owners to ensure analytics programs meet GDPR requirements. If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

In the event that a website visitor chooses to be forgotten, it is useful to have a mechanism in place that allows that to happen automatically via the website. Manually completing such a task will be time consuming, especially if multiple requests are received.

It is the responsibility of all website owners to familiarize themselves with GDPR Rules and make their websites GDPR compliant. If you own or operate a website, read up on GDPR requirements, check to make sure consent is being obtained before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected and honored, and make sure all personal data is stored securely.

You must also develop policies and procedures to identify and deal with data breaches. If a breach is experienced, the Supervisory Authority must be notified within 72 hours.

The post Steps to Take to Make a Website GDPR Compliant appeared first on HIPAA Journal.

How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority?

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.

The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business soperates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.

For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.

For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.

A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data procession decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.

The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.

For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines can be downloaded on this link (PDF).

The post How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority? appeared first on HIPAA Journal.

GDPR Data Breach Reporting Requirements

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject: Information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed a DPO, or to the data protection officer, privacy officer, or the security team if a DPO has not been appointed.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered – See GDPR Article 33. A data breach must be reported unless there is unlikely to be a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

  • A description of the data breach
  • Categories of data subjects affected and the approximate number of individuals impacted
  • Categories and approximate number of data records affected
  • Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
  • A description of the likely consequences of the data breach
  • A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all data personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that would be understandable to a reasonable person and the personal breach notifications need to include the same categories of information as the notification for the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

  • Steps have been taken to render the personal data inaccessible or unintelligible – encryption for example
  • Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – The remote deletion of data on a lost device, for example
  • If data breach notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.

The post GDPR Data Breach Reporting Requirements appeared first on HIPAA Journal.

GDPR: What is the Role of the Data Protection Officer?

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO?

The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018.

One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance.

Does GDPR Require All Companies to Appoint a Data Protection Officer?

Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies, those with fewer than 250 employees, may not be required to appoint a DPO, although that will depend on various factors, such as the amount of personal data that are processed, whether special category data are processed, and the nature of the business.

A Data Protection Officer must be appointed if processing is carried out by a public authority or body. A Data Protection Officer must also be appointed if the core activities of the controller or processor require regular systematic monitoring of data subjects on a large scale, or if core activities of a controller or processor consist of processing special categories of data on a large scale.

Any company that fails to appoint a Data Protection Officer must be able to demonstrate why they do not need to appoint a DPO. An internal analysis should be conducted and the decision not to appoint a DPO should be documented, including the reasons why. This document may need to be provided in the event of a compliance audit.

Who Can Be Appointed as A Data Protection Officer?

There is no requirement for a Data Protection Officer to have any specific qualifications, so it is not necessary to recruit a DPO externally. An existing member of staff can serve as an organization’s DPO, and a group of companies could appoint a single DPO, provided the DPO is easily accessible from each establishment.

The individual appointed as Data Protection Officer must have a significant amount of data protection experience and must be well versed in GDPR and understand its requirements in order for tasks to be performed effectively.

An employee can only be appointed as a Data Protection Officer if other duties in the company do not cause a conflict of interest. The DPO must be allowed to act independently without any influences. The DPO must report to the highest level of management at the data controller or processor and must be bound to secrecy about the performance of his or her tasks. A Data Protection Officer must be given sufficient resources to ensure it is possible for that individual to carry out his or her role effectively.

Further information on the position of the DPO can be found in GDPR Article 37.

What is the Role of the Data Protection Officer?

Article 38 of the GDPR covers the role of the Data Protection Officer. There are five essential tasks that must be performed by the Data Protection Officer.

  • The Data Protection Officer is required to inform and advise the controller or processor of their obligations under GDPR and also advise employees involved in the processing of personal data about GDPR requirements.
  • The Data Protection Officer must monitor compliance with the GDPR with respect to the protection of personal data and must raise awareness of responsibilities and train staff on processing operations.
  • Provide advice, as requested, on the data protection impact assessment and monitor its performance.
  • To cooperate with the supervisory authority
  • To act as a single point of contact in a company for the supervisory authority.

The role of the Data Protection Officer has been Summarized in the infographic below:

GDPR Data Protection Officer Duties

The post GDPR: What is the Role of the Data Protection Officer? appeared first on HIPAA Journal.

How Does GDPR Apply to Medical Devices?

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices?

How Does GDPR Apply to Medical Devices?

Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices.

Consent Must be Obtained

Prior to medical devices being used, it is important for consent to collect and process data to be obtained from the data subject. Explicit consent must be obtained, which means the data subject must freely give their specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood and the data subject must be made aware of the data that will be collected, how they will be used. See Article 7 of the GDPR.

Consent is especially important for ‘special category’ of personal data, such as health data, genetic data, and biometric data, which cannot be collected or processed without explicit consent. The processing of special category data is only permitted in certain circumstances, as detailed in Article 9 of the GDPR.

A Data Protection Impact Assessment Must be Conducted

The use of new technologies to process personal data calls for a Data Protection Impact Assessment (DPIA) to be conducted, with is also mandatory when special category data are processed.

The DPIA must include a systematic description of the processing operations, the purpose of that processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures that address those risks including the security controls, safeguards, and mechanisms to ensure the privacy of patients is protected and data subjects’ rights and freedoms have been taken into account. – See Article 35 of the GDPR

Personal Data Must be Secured

Any personal data collected or processed must be protected. Appropriate technological and organizational measures must be implemented to ensure a level of security appropriate to the level of risk. As with HIPAA, healthcare organizations must ensure the confidentiality, integrity, and availability of personal data. In the event of an emergency or technical issue, the healthcare provider must have the ability to be able to restore data.

Healthcare providers should routinely test, assess, and evaluate the effectiveness of their security controls. Any individual who has access to personal data must be trained and be made aware that they are prohibited from processing data except when instructed to do so by the data controller.

Healthcare providers must also encrypt personal data at rest or in transit, unless data are otherwise protected through pseudonymization and individuals cannot be identified from their data. Article 32 of the GDPR covers the security of processing.

Personal Data May Need to be Provided to Patients

Data subjects have the right to access their personal data (Article 15), and access information such as the purpose of data processing, the types of data collected and processed, with whom the data have been shared, the period of time that data will be stored.

Data subjects have the right to data portability, and upon request, must be provided with their data in a commonly used electronic format -See Article 20 of the GDPR. Data subjects can also exercise their right to be forgotten (Article 17) and have all personal data erased, or may request that all data processing stop (Article 19).

Notifications Must be Provided in the Event of a Data Breach

As with HIPAA-covered data, if a breach is experienced, notifications must be issued. In contrast to HIPAA, which allows up to 60 days to issue notifications, GDPR calls for the supervisory authority to be notified within 72 hours of the discovery of the breach. The breach notice must include the nature of the breach, the types of information likely to be involved, the contact information of the data protection officer, the likely consequences of the breach, and the measures being taken to address the breach – See Article 33 of the GDPR. Personal breach notifications, as detailed in Article 34, must be issued to breach victims when the incident is likely to result in a high risk to the rights and freedoms of breach victims. Personal breach notifications must be issued without undue delay.

Does HIPAA Compliance Mean Compliance with the GDPR?

Fortunately for U.S. healthcare providers, many of the requirements of GDPR will already have been satisfied if the organization is compliant with HIPAA. However, being compliant with HIPAA does not guarantee compliance with GDPR. HIPAA-covered entities must therefore conduct an in-depth assessment of their policies, procedures, and safeguards to ensure they meet the requirements of the GDPR.

The post How Does GDPR Apply to Medical Devices? appeared first on HIPAA Journal.

California Passes GDPR-Style Data Privacy Law

AB 375, the California Consumer Privacy Act of 2018, has been signed into law. The bill was signed by California governor Jerry Brown on Thursday after the state Senate and Assembly passed the bill unanimously.

California already has some of the strictest privacy laws in the United States. Under existing legislation, companies that experience a breach of personal information must notify affected individuals if their computerized data is exposed or stolen. This law takes privacy protections much further and gives state residents several new GDPR-style privacy rights, including:

  • The right to request information from businesses about the types of personal data that are collected and processed and the source of that information
  • Be informed about the purpose for collecting, using, and selling personal data
  • Categories of third parties with whom the information is shared
  • The right to request a copy of all personal information collected by a business
  • The right to have all personal information deleted on request
  • The right to request personal information is not sold
  • The right to initiate civil action if there has been a failure to protect an individual’s personal data

The law would also prohibit any business from discriminating against an individual who chooses to exercise the above rights, including charging such an individual more or providing a different quality of goods or services.

The Act also prohibits companies from selling the personal data of individuals between 13 and 16 years of age, unless authorized to through opting in. Individuals younger than 13 must have consent provided by a parent or legal guardian before personal information can be collected.

Businesses will be required to explain, at or before the collection of personal information, the categories of information that will be collected and the purpose for which that information is collected. Businesses will be prohibited from collecting more information than is stated in their consumer notices. Consumers must also be advised of the right to have their information deleted at the point of consent being obtained.

Businesses must place a clear link on the homepage of their websites titled “Do not Sell My Personal Information” which must direct the user to a webpage where they can opt out of the sale of their personal data.

The Act will not apply to protected health information collected by HIPAA-covered entities. “This act shall not apply to protected or health information that is collected by a covered entity governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996.”

The California Consumer Privacy Act of 2018 has been criticized for being a rushed attempt to prevent a voter initiative that would’ve appeared on California ballots in November if the bill was not passed by 5pm on Thursday.

While the bill has been signed into law, the California Consumer Privacy Act of 2018 can be amended before its effective date of January 1, 2020.

The bill has been heavily criticized by the Internet Association, which has stated, “Data regulation policy is complex and impacts every sector of the economy, including the internet industry… That makes the lack of public discussion and process surrounding this far-reaching bill even more concerning.”

The Internet Association released a statement saying, “It is critical going forward that policymakers work to correct the inevitable, negative policy and compliance ramifications this last-minute deal will create for California’s consumers and businesses alike.”

The post California Passes GDPR-Style Data Privacy Law appeared first on HIPAA Journal.

GDPR Right to Access Personal Data

Healthcare organizations that market their services to residents in the EU or provide medical services to EU residents that requires the collection of their personal information are required to comply with the EU General Data Protection Regulation (GDPR).

One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file.

Data subjects are more likely to exercise this right with healthcare organizations that other organizations that hold their data as it is especially important that this information is correct. They may also require the data to pass on to other healthcare organizations.

The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15.

The GDPR Right to Access Personal Data

If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days.

The data subject is permitted to obtain confirmation about whether his or her personal data are being collected, used, and stored; the types of data involved; the reason for data processing; the categories of person with whom the data have been or will be disclosed; whether those data will be transferred to another country or an international organization; and the length of time that data will be processed or stored. The information can be provided in writing, verbally, or electronically.

Once the right to access has been exercised, other rights then apply, such as the right to request alteration of personal data, erasure of data, the right to be forgotten, and requests for restriction of the processing of personal data.

When copies of data are requested they must be provided and the entity that holds the data is not permitted to charge the data subject for providing access to the information.

If such a request is made electronically, the data must be provided in a commonly used electronic format – Office documents and PDF files for example.

While companies are not permitted to charge for access to personal data, reasonable fees can be charged for providing multiple copies. It is also permissible to request a reasonable fee if any request is deemed to be excessive, such as if a SAR is made too frequently.

Get Prepared for SARs

It is important for healthcare organizations to develop policies that will allow them to respond to SARs promptly. Healthcare organizations need to be aware of all locations where personal data are stored. In contrast to HIPAA, which requires copies of health information to be provided as a data set, all information stored will need to be provided on request.

In addition to being able to obtain those data, a mechanism must be developed that will allow the identity of a data subject to be verified. It is essential that a personal data file is only provided to a person authorized to receive it.

Noncompliance with GDPR

GDPR requirements have been enforceable since May 25, 2018. Any healthcare organization required to comply with GDPR can face massive financial penalties for noncompliance. The maximum penalty for noncompliance is €20 million or 4% of global annual turnover, whichever is the greater.

The post GDPR Right to Access Personal Data appeared first on HIPAA Journal.