The General Data Protection Regulation (GDPR) provided EU residents with new rights and freedoms and gave EU citizens greater control over the personal information that is collected, processed, and used by companies.

One of the rights given to EU citizens is the ability to submit complaints to the data protection authority when they feel that their personal data is being misused or has not been protected. GDPR also requires companies to disclose certain data breaches within 72 hours of discovery.

Since GDPR came into effect on May 25, 2018, there has been a considerable increase in the number of data breaches reported by companies in Europe.

Data breach reports in the United Kingdom quadrupled in the first three months since GDPR came into effect and in Ireland data breach reports doubled.

A study conducted by Kroll shows there was a 75% increase in data breaches reported to the Information Commissioner (ICO) – The supervisory authority in the United Kingdom – in the past year. The Kroll study showed the ICO had received more than 2,000 data breach reports in the past year that could be attributed to human error, compared to just 292 the previous year.

The most commonly reported breaches were emails sent to incorrect recipients (447 incidents), misdirected letters and faxes containing personal information (441 incidents) and loss or theft of physical records (438 incidents). There were 102 cases of unauthorized accessing of personal information, most commonly due to cyberattacks. The most commonly breached industry was healthcare, accounting for 1,214 of the 2,000 reported incidents.

These figures indicate there has been a major increase in data breaches, since the majority of these breaches were reported prior to the effective date of GDPR, although Kroll suggests the rise is, to a large extent, a result of increased transparency due to GDPR with UK companies choosing to abide by GDPR rules ahead of the deadline for compliance.

Kroll also suggests that there is likely to be a substantial increase in the penalties issued for preventable data breaches, as prior to the implementation of GDPR, the maximum possible fine was £500,000 in the UK. Now that GDPR is in force, the maximum penalty is €20 million – £17,845,000 – or 4% of global annual turnover, whichever is the greater. The risk of a substantial fine on top of the cost of dealing with a breach and repairing reputational damage is likely to see companies pay much more attention to data security and invest more heavily in data protection solutions.

Privacy and data security complaints have similarly increased. ICO figures show data protection complaints from consumers have substantially increased since GDPR came into effect. In the first three months since GDPR came into force, the number of data protection complaints have doubled. Prior to the introduction of GDPR in May, ICO had received 2,310 complaints but that figure jumped to 3,098 complaints in June and 4,214 complaints in July.

There have also been significant increases in complaints in other countries in Europe. The supervisory authority in France received 37% more complaints between May 25 and July 31, 2018 compared to the previous year and in Ireland there has been a 65% increase in data protection complaints since GDPR came into effect.

The post Data Breach Reports and Complaints Have Increased Significantly Post-GDPR appeared first on HIPAA Journal.

If you have a website that can be accessed by EU residents it is likely that you will have make your website GDPR compliant. If you have yet to do so, you could potentially face a substantial fine as the General Data Protection Regulation compliance date was May 25, 2018.

The main purpose of GDPR is to protect the rights and freedoms of EU residents and to give them more control over their personal data, no matter where personal data is collected or processed.

Over the past two years, many businesses have been learning about how GDPR affects websites and websites owners have made changes to ensure their sites are compliant. However, some businesses are unsure how to make a website GDPR compliant and others have ignored GDPR requirements entirely.

Site owners that fail to make a website GDPR compliant can face stiff financial penalties. The penalty for noncompliance with GDPR is up to €20 million or 4% of global annual turnover (whichever is greater) so noncompliance really isn’t an option.

How to Make a Website GDPR Compliant

One of the main requirements to make a website GDPR compliant is to tackle the issue of consent. Information cannot be collected and processed unless consent has been obtained.

While most website owners explain in a privacy policy about information that is collected and how it is processed, under GDPR that is not sufficient. It is no longer possible to state that continued use of the website constitutes consent and agreement with the site’s privacy policy.

Consent must now be explicitly obtained through a clear, decisive action. If your website does not collect any personal data (including IP addresses) and does not use cookies and you do not have contact forms or newsletters, you will not have to do anything to be GDPR compliant. All other sites will need to obtain consent.

Under GDPR it is not acceptable to use pre-checked boxes when obtaining consent to collect and process personal data. Users must provide clear consent and if checkboxes are used, they must be manually checked by users.

Consent forms should be clear and explain the data that is collected and how it is used in easy-to-understand language. Website visitors must be informed how long their personal data will be retained, and the classes of individuals with whom the information will be shared. The exact types of data that will be collected through use of the website must be explained and if the website uses cookies to achieve that.

Website owners must make a decision about the types of data they collect and whether that information is necessary in order to perform the task for which the information is being collected. Any data collected or processed should be limited to the minimum necessary amount to achieve the purpose for which it is collected. GDPR also requires all personal data to be secured, so data encryption should be considered.

If you use any kind of analytics program on your website, Google Analytics for example, it is your responsibility to ensure it is compliant. Google has taken care of its side, but it is the responsibility of all website owners to ensure analytics programs meet GDPR requirements. If tracking data is collected that allows an individual to be identified – by their IP address for example – consent must be obtained.

It is important that website visitors can get in touch with a site owner to exercise their GDPR rights and freedoms, so all contact information needs to be up to date. It must be easy for visitors to make contact should they wish to exercise their right to be forgotten, request a copy of any data that is collected and processed, and check their personal data for accuracy.

In the event that a website visitor chooses to be forgotten, it is useful to have a mechanism in place that allows that to happen automatically via the website. Manually completing such a task will be time consuming, especially if multiple requests are received.

It is the responsibility of all website owners to familiarize themselves with GDPR Rules and make their websites GDPR compliant. If you own or operate a website, read up on GDPR requirements, check to make sure consent is being obtained before personal data are collected and processed, ensure data subjects’ rights and freedoms are protected and honored, and make sure all personal data is stored securely.

You must also develop policies and procedures to identify and deal with data breaches. If a breach is experienced, the Supervisory Authority must be notified within 72 hours.

The post Steps to Take to Make a Website GDPR Compliant appeared first on HIPAA Journal.

Under GDPR, a Supervisory Authority is an independent public authority that is responsible for monitoring compliance with GDPR, helping organizations become compliant with GDPR, and enforcing compliance and conducting investigations. The supervisory authority is the entity that must be notified in the event of a breach of personal data of data subjects.

The Lead Supervisory Authority is the main data protection regulator and the entity that has primary responsibility for dealing with cross-border data processing. The main purpose of having a lead supervisory authority is that there is just one point of contact, such as when a business soperates in multiple EU member states. It is a one-stop shop for all matters related to GDPR.

For most companies, choosing a GDPR Lead Supervisory Authority is a straightforward decision. A company based in Paris, France would appoint the supervisory authority in France as the lead supervisory authority. A UK-based company would choose the Information Commissioner’s Office (ICO), which is the supervisory authority for the UK.

For companies that operate in multiple EU member states, the lead supervisory authority would normally be the supervisory authority in the country where the company’s headquarters is or where its main business location is in the EU. More specifically, it would be the Supervisory Authority in the country where the final decisions are made about data collection and processing.

A U.S. company that does not have a base in an EU member state has a problem. If it does not have a base in an EU member state where data procession decisions are made, it will not benefit from the one-stop-shop mechanism. Even if a company has a representative in an EU member state, that does not trigger the one-stop-shop mechanism.

The company must therefore deal with the supervisory authority in every member state where the company is active, through its local representative. There would not be any lead supervisory authority. Article 27 of GDPR details the requirement to appoint a local representative in an EU member state.

For some companies, especially those that operate in many EU member states, identifying the lead supervisory authority may not be straightforward. The Article 29 Data Protection Working Party has responded to confusion over the selection of an LSA by producing guidelines for identifying a controller or processor’s LSA. The guidelines can be downloaded on this link (PDF).

The post How Do U.S. Companies Appoint a GDPR Lead Supervisory Authority? appeared first on HIPAA Journal.

Healthcare organizations are required to report breaches of the personal data of GDPR data subjects, but what are the GDPR data breach reporting requirements?

Breaches of the Personal Data of EU Residents

Under GDPR, personal data is any information relating to an identified or identifiable data subject: Information that could, directly or indirectly, allow a person to be identified.

In Article 4 of the GDPR, a personal data breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

A data breach could be unauthorized access to a system containing personal data, theft of a device containing electronic personal data, or loss of physical or electronic data. Data corruption is also considered a data breach as is any other incident that affects the availability of personal data, such as a ransomware attack.

GDPR Data Breach Reporting Requirements

Data controllers and data processors must have robust data breach detection, investigation, and internal reporting procedures in place. A data processor must notify the data controller immediately if a data breach is suspected.

Under GDPR, if an employee discovers or suspects a data breach, it must be reported immediately to the Data Protection Officer (DPO) if the company has appointed a DPO, or to the data protection officer, privacy officer, or the security team if a DPO has not been appointed.

It is the responsibility of the DPO to report a breach to the supervisory authority. Companies that have not appointed a DPO will have to assign the responsibility for breach reporting to another individual. That individual will be the point of contact in the organization should the supervisory authority need further information about the breach.

The timescale for reporting data breaches under GDPR is far stricter than HIPAA, which allows up to 60 days for a breach to be reported. GDPR requires the supervisory authority to be notified of a data breach within 72 hours of the breach being discovered – See GDPR Article 33. A data breach must be reported unless there is unlikely to be a high risk to the rights and freedoms of data subjects.

Such a short time frame for reporting breaches means a breached entity is unlikely to have had time to investigate the breach thoroughly, so the information that can be provided to the supervisory authority at that early stage in the investigation is unlikely to be complete. It may therefore be necessary to provide breach information in stages.

GDPR Data Breach Reporting Requirements for Breach Notifications

The data breach report for the supervisory authority must contain the following information:

• A description of the data breach
• Categories of data subjects affected and the approximate number of individuals impacted
• Categories and approximate number of data records affected
• Contact details of the Data Protection Officer or other point of contact in the organization if a DPO has not been appointed
• A description of the likely consequences of the data breach
• A description of the steps being taken to mitigate the breach and limit adverse effects

If the 72-hour reporting deadline is missed, when the breach report is submitted it must be accompanied by a reason for the delay.

The data controller must maintain a record of all data personal data breaches, regardless of their severity, including the above information and any further action taken to address the breaches.

When Must Notifications Be Sent to Data Subjects?

Not all personal data breaches require personal notifications to be issued to affected data subjects. The requirement to send personal notifications is based on the level of risk to the rights and freedoms of data subjects. Following a data breach, a risk analysis must therefore be conducted.

If the risk analysis shows there is a high risk of the data breach adversely affecting data subjects, personal data breach notifications must be issued. Unlike HIPAA, there is no time limit for issuing these notifications per se. The notifications should be sent as soon as it is feasible to do so and without undue delay.

Data breach notifications must be written in clear language that would be understandable to a reasonable person and the personal breach notifications need to include the same categories of information as the notification for the supervisory authority.

Personal data breach notifications for data subjects are not required if any of the following conditions are met:

• Steps have been taken to render the personal data inaccessible or unintelligible – encryption for example
• Steps have been taken that ensure the high risk to the rights and freedoms of data subjects will no longer materialize – The remote deletion of data on a lost device, for example
• If data breach notifications would “involve disproportionate effort.” In such cases, a public communication – such as a press release to a prominent media organization – could be issued

The supervisory authority may require the data controller to issue notifications to data subjects even if the data controller has determined there is not a high risk to the rights and freedoms of data subjects.

The GDPR data breach reporting requirements for personal notifications are detailed in Article 34 of the GDPR.

The post GDPR Data Breach Reporting Requirements appeared first on HIPAA Journal.

Many businesses required to comply with GDPR must appoint a Data Protection Officer, but what is the role of the Data Protection Officer and what types of companies are required to appoint a DPO?

The General Data Protection Regulation (GDPR) requires all companies that collect or process the personal data of EU residents to develop policies and procedures covering the collection, processing, and management of personal data of data subjects. GDPR also requires security controls to be implemented to ensure the confidentiality, integrity, and availability of personal data. The deadline for compliance with GDPR was May 25, 2018.

One requirement of GDPR is the appointment of a Data Protection Officer whose main role is to oversee compliance.

Does GDPR Require All Companies to Appoint a Data Protection Officer?

Article 37 of the GDPR explains the requirement for designating a Data Protection Officer in an organization. Generally speaking, large companies – those that employ more than 250 people – are required to appoint a Data Protection Officer. Smaller companies, those with fewer than 250 employees, may not be required to appoint a DPO, although that will depend on various factors, such as the amount of personal data that are processed, whether special category data are processed, and the nature of the business.

A Data Protection Officer must be appointed if processing is carried out by a public authority or body. A Data Protection Officer must also be appointed if the core activities of the controller or processor require regular systematic monitoring of data subjects on a large scale, or if core activities of a controller or processor consist of processing special categories of data on a large scale.

Any company that fails to appoint a Data Protection Officer must be able to demonstrate why they do not need to appoint a DPO. An internal analysis should be conducted and the decision not to appoint a DPO should be documented, including the reasons why. This document may need to be provided in the event of a compliance audit.

Who Can Be Appointed as A Data Protection Officer?

There is no requirement for a Data Protection Officer to have any specific qualifications, so it is not necessary to recruit a DPO externally. An existing member of staff can serve as an organization’s DPO, and a group of companies could appoint a single DPO, provided the DPO is easily accessible from each establishment.

The individual appointed as Data Protection Officer must have a significant amount of data protection experience and must be well versed in GDPR and understand its requirements in order for tasks to be performed effectively.

An employee can only be appointed as a Data Protection Officer if other duties in the company do not cause a conflict of interest. The DPO must be allowed to act independently without any influences. The DPO must report to the highest level of management at the data controller or processor and must be bound to secrecy about the performance of his or her tasks. A Data Protection Officer must be given sufficient resources to ensure it is possible for that individual to carry out his or her role effectively.

Further information on the position of the DPO can be found in GDPR Article 37.

What is the Role of the Data Protection Officer?

Article 38 of the GDPR covers the role of the Data Protection Officer. There are five essential tasks that must be performed by the Data Protection Officer.

• The Data Protection Officer is required to inform and advise the controller or processor of their obligations under GDPR and also advise employees involved in the processing of personal data about GDPR requirements.
• The Data Protection Officer must monitor compliance with the GDPR with respect to the protection of personal data and must raise awareness of responsibilities and train staff on processing operations.
• Provide advice, as requested, on the data protection impact assessment and monitor its performance.
• To cooperate with the supervisory authority
• To act as a single point of contact in a company for the supervisory authority.

The role of the Data Protection Officer has been Summarized in the infographic below:

The post GDPR: What is the Role of the Data Protection Officer? appeared first on HIPAA Journal.

The European Union’s General Data Protection Regulation came into force on May 25, 2018 and applies to healthcare providers who collect or process the personal data of data subjects residing in the EU, but how does GDPR apply to medical devices?

How Does GDPR Apply to Medical Devices?

Medical devices can collect a range of personal data – data that are considered ‘high risk’ with respect to the rights and freedoms of data subjects. As such, there are many aspects of GDPR that apply to medical devices.

Consent Must be Obtained

Prior to medical devices being used, it is important for consent to collect and process data to be obtained from the data subject. Explicit consent must be obtained, which means the data subject must freely give their specific, informed consent through a clear affirmative action. Any consent form must be written in clear and plain language that can be easily understood and the data subject must be made aware of the data that will be collected, how they will be used. See Article 7 of the GDPR.

Consent is especially important for ‘special category’ of personal data, such as health data, genetic data, and biometric data, which cannot be collected or processed without explicit consent. The processing of special category data is only permitted in certain circumstances, as detailed in Article 9 of the GDPR.

A Data Protection Impact Assessment Must be Conducted

The use of new technologies to process personal data calls for a Data Protection Impact Assessment (DPIA) to be conducted, with is also mandatory when special category data are processed.

The DPIA must include a systematic description of the processing operations, the purpose of that processing, an assessment of the necessity and proportionality of the processing operations in relation to the purposes, an assessment of the risks to the rights and freedoms of data subjects, and the measures that address those risks including the security controls, safeguards, and mechanisms to ensure the privacy of patients is protected and data subjects’ rights and freedoms have been taken into account. – See Article 35 of the GDPR

Personal Data Must be Secured

Any personal data collected or processed must be protected. Appropriate technological and organizational measures must be implemented to ensure a level of security appropriate to the level of risk. As with HIPAA, healthcare organizations must ensure the confidentiality, integrity, and availability of personal data. In the event of an emergency or technical issue, the healthcare provider must have the ability to be able to restore data.

Healthcare providers should routinely test, assess, and evaluate the effectiveness of their security controls. Any individual who has access to personal data must be trained and be made aware that they are prohibited from processing data except when instructed to do so by the data controller.

Healthcare providers must also encrypt personal data at rest or in transit, unless data are otherwise protected through pseudonymization and individuals cannot be identified from their data. Article 32 of the GDPR covers the security of processing.

Personal Data May Need to be Provided to Patients

Data subjects have the right to access their personal data (Article 15), and access information such as the purpose of data processing, the types of data collected and processed, with whom the data have been shared, the period of time that data will be stored.

Data subjects have the right to data portability, and upon request, must be provided with their data in a commonly used electronic format -See Article 20 of the GDPR. Data subjects can also exercise their right to be forgotten (Article 17) and have all personal data erased, or may request that all data processing stop (Article 19).

Notifications Must be Provided in the Event of a Data Breach

As with HIPAA-covered data, if a breach is experienced, notifications must be issued. In contrast to HIPAA, which allows up to 60 days to issue notifications, GDPR calls for the supervisory authority to be notified within 72 hours of the discovery of the breach. The breach notice must include the nature of the breach, the types of information likely to be involved, the contact information of the data protection officer, the likely consequences of the breach, and the measures being taken to address the breach – See Article 33 of the GDPR. Personal breach notifications, as detailed in Article 34, must be issued to breach victims when the incident is likely to result in a high risk to the rights and freedoms of breach victims. Personal breach notifications must be issued without undue delay.

Does HIPAA Compliance Mean Compliance with the GDPR?

Fortunately for U.S. healthcare providers, many of the requirements of GDPR will already have been satisfied if the organization is compliant with HIPAA. However, being compliant with HIPAA does not guarantee compliance with GDPR. HIPAA-covered entities must therefore conduct an in-depth assessment of their policies, procedures, and safeguards to ensure they meet the requirements of the GDPR.

The post How Does GDPR Apply to Medical Devices? appeared first on HIPAA Journal.

Healthcare organizations that market their services to residents in the EU or provide medical services to EU residents that requires the collection of their personal information are required to comply with the EU General Data Protection Regulation (GDPR).

One aspect of compliance that is of particular relevance to healthcare organizations is the GDPR right to access personal data. Any EU resident has the right to request access to all of their personal data and view any supplemental data attached to their file.

Data subjects are more likely to exercise this right with healthcare organizations that other organizations that hold their data as it is especially important that this information is correct. They may also require the data to pass on to other healthcare organizations.

The rights of data subjects with respect to subject access requests (SARs) are detailed in GDPR Article 15.

The GDPR Right to Access Personal Data

If a data subject chooses to exercise their GDPR right to access personal data, the request must be honored within 30 days.

The data subject is permitted to obtain confirmation about whether his or her personal data are being collected, used, and stored; the types of data involved; the reason for data processing; the categories of person with whom the data have been or will be disclosed; whether those data will be transferred to another country or an international organization; and the length of time that data will be processed or stored. The information can be provided in writing, verbally, or electronically.

Once the right to access has been exercised, other rights then apply, such as the right to request alteration of personal data, erasure of data, the right to be forgotten, and requests for restriction of the processing of personal data.

When copies of data are requested they must be provided and the entity that holds the data is not permitted to charge the data subject for providing access to the information.

If such a request is made electronically, the data must be provided in a commonly used electronic format – Office documents and PDF files for example.

While companies are not permitted to charge for access to personal data, reasonable fees can be charged for providing multiple copies. It is also permissible to request a reasonable fee if any request is deemed to be excessive, such as if a SAR is made too frequently.

Get Prepared for SARs

It is important for healthcare organizations to develop policies that will allow them to respond to SARs promptly. Healthcare organizations need to be aware of all locations where personal data are stored. In contrast to HIPAA, which requires copies of health information to be provided as a data set, all information stored will need to be provided on request.

In addition to being able to obtain those data, a mechanism must be developed that will allow the identity of a data subject to be verified. It is essential that a personal data file is only provided to a person authorized to receive it.

Noncompliance with GDPR

GDPR requirements have been enforceable since May 25, 2018. Any healthcare organization required to comply with GDPR can face massive financial penalties for noncompliance. The maximum penalty for noncompliance is €20 million or 4% of global annual turnover, whichever is the greater.

The post GDPR Right to Access Personal Data appeared first on HIPAA Journal.

Many companies record telephone calls for ‘quality and training purposes’ and to help resolve customer disputes, but since May 25, 2018 GDPR Rules for recording calls must be followed.

GDPR Rules for Recording Calls

Any company, regardless of its location, must comply with GDPR Rules for recording calls if the company has dealings with EU residents.

Call recording can continue under GDPR, as recording telephone conversations is not prohibited, but there are now additional requirements to protect the rights and freedoms of data subjects under GDPR. As with the use of cookies on websites and other forms of data collection, it can only take place if the data subject gives their consent (GDPR Article 7).

Previously, in order to comply with existing regulations, companies would advise people that the calls may be recorded for a particular purpose and consent was obtained when the customer continued with the telephone call. The customer’s silence or lack of action was taken to mean that consent was being provided. However, GDPR Rules for recording telephone calls require consent to be provided by an affirmative action. Silence or inactivity is no longer sufficient.

An unambiguous action is now required, such as pressing a specific key on the telephone or providing verbal consent. A recording of consent should be retained by the company.

GDPR Rules for recording calls involve more than consent. The recording of telephone conversations is only possible if there is a valid and legal reason for that information to be collected.

For all companies, at least one of the following criteria must be met in addition to obtaining consent:

• Recording is required to comply with a contract
• Recording is required to satisfy legal requirements
• Recording is required to protect the interests of one or more participants
• Recording of calls is necessary for safety or is in the public interest
• Recording is in the legitimate interests of the recorder, provided those interests are not overwritten by the interests of the participants in the calls.

Other GDPR Rules for recording calls are detailed below:

Data Protection Requirements

As with all other forms of data collection, call recordings must be stored securely and appropriate security controls applied to prevent stored call data from being accessed by unauthorized individuals. Organizations must conduct a risk analysis to determine the level of risk involved, and apply policies, physical, and technical safeguards to reduce risk to an acceptable level.

Data Retention Rules

Article 5 (e) of the GDPR explains that data can only be retained for the length of time that it is required to fulfil the purpose for which the data were collected. Recital 30 of the GDPR requires time limits to be applied for how long data can be retained. When call recordings are no longer required, data must be disposed of securely.

Right to Access Personal Data

Data subjects have the right to access their personal data (GDPR Article 15), which extends to recordings of telephone calls. If a request is received from a data subject to access their personal data, it is necessary to comply with that request within 30 days. A company must therefore have the ability to be able to search for call recordings and provide copies as necessary.

Right to be Forgotten

A mechanism must be implemented that allows all personal data of an EU subject to be deleted if a request to do so is received from a data subject (GDPR Article 17). When an EU resident exercises their right to be forgotten, all data – including call recordings – must also be deleted, provided that the deletion of such information does not violate state or federal laws and the data are no longer necessary for the purpose for which the information was originally collected. The right to erasure similarly doesn’t apply for the establishment, exercise or defense of legal claims, for archiving purposes in the public interest, or to exercise the right of freedom of expression and information.

If GDPR Rules for recording calls are not followed, stiff financial penalties can be issued. The maximum fine is €20 million or 4% of global annual turnover, whichever is the greater.

The post What are the GDPR Rules for Recording Calls? appeared first on HIPAA Journal.