EU GDPR Deadline Approaching
Author: Jan Hertzberg
Does your hospital need to comply with the European Union (EU) General Data Protection Regulation (GDPR)? If you have ever collected information about a patient, volunteer or employee from the EU, the answer could be yes.
The GDPR is designed to harmonize current EU personal data privacy protection laws and reshape the way organizations approach data privacy. GDPR enforcement begins May 25, 2018.
While the GDPR only applies to EU residents, the disparate nature of data at most health care providers with international affiliations means its reach isn’t limited to a single location.
Preparing for the GDPR will require creating a cross-functional team that will focus on the following steps:
- Discovery – Identify high-risk areas for a focused approach. Organizations will take steps to understand what GDPR personal data they hold, where it’s stored, who the data is shared with and what controls govern its use. In addition, they need to map the data to in-scope business processes.
Remember, in-scope data not only includes names, addresses, email addresses, passport numbers, etc., but also includes digital identifiers. These data types may include IP addresses (static and dynamic), MAC addresses, cookies, International Mobile Equipment IDs (IMEI), etc.
- Data Protection Impact Assessment (DPIA) – Review the organization’s data privacy policies and procedures as well as assess current data privacy controls against the GDPR requirements through walkthroughs and system inspections.
- Compliance Remediation – Organizations will need to develop a plan to mitigate risks and identify technology and processes to implement “Privacy by Design” and draft/redraft privacy policies and procedures. The GDPR now requires that data subjects are notified no later than 72 hours after detecting a breach. Organizations will need to implement and practice robust incident response plans on a regular basis.
- Ongoing – Develop a GDPR compliance program and, if necessary, identify a data privacy officer to help make employees aware of their requirements, monitor compliance and track/resolve any remediation issues.
BKD’s IT Risk Services division is dedicated to helping health care providers become GDPR-compliant. Contact Jan or your trusted BKD advisor with questions.