GDPR The New Data Protection Law coming into effect May 2018. What does it mean for hospitals?

Editor's Notes

• #6: PRIVACY PRINCIPLES FOR THE HEALTHCARE PROVIDER  The changes to data protection rules are not revolutionary – the key principles, remain in place but with many new requirements Some Remain Consistent with the Directive 95/46/CE Lawfulness, fairness and transparency Personal data must be processed lawfully, fairly, and in a transparent manner Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Data minimization Personal data must be adequate, relevant and limited to those which are necessary Accuracy Personal data must be accurate and, where necessary, kept up to date; Storage limitation they should be kept for no longer than is necessary Integrity and confidentiality appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
• #7: new rights for the individual Erasure •Rectification •Data Portability and data sharing/ stating that the data subject has the right to receive their data in an appropriate format without hindrance and for data to be transferred between data controllers where technically feasible •Restricted Automated decisions and profiling • Objection to direct marketing • Claim of compensation from the data controller or processor for damage suffered ■ member states should enact local laws providing criminal sanctions for a breach of the GDPR. ■ Claims or complaints may be made by not-for-profit bodies, organisations or associations. ■ on behalf of a group of data subjects
• #8: The obligation to keep an internal register ,a record of all data processing activities. available for inspection to the supervisory authority upon request. The appointment of a data protection officer (DPO) The obligation to carry out privacy risk impact assessments DPIA New data breach notification requirements Requirement to apply Privacy by design and by Default, Appropriate Documentation maintaining a clear written record of all data operations Monitoring and verifying compliance regular audit Consent necessary to process children’s data Changes to the rules for obtaining valid consent Heavy Fines for controller and PROCESSOR Under the GDPR, the maximum amount of financial sanctions is harmonized and increased up to 4% of the total worldwide annual turnover or 20 million euros, whichever is the greater
• #9: AS A FIRST STEP΄¨ ADVISE MEMBERS OF THE BOARD TO ASSIGN RESPONSIBILITY AND BUDGET FOR DATA PROTECTION COMPLIANCE WITHIN YOUR HOSPITAL You should ask them Are YOU investing appropriately in protecting our network, computing devices, Internet-connected devices and data relevant to their value and criticality to the operation of our hospital?   Do YOU consider cyber security a part of our overall strategic and operational business decisions? The five principles of the Boards responsibility by The National Association of Corporate Directors concerning cyber security : PRINCIPLE 1: Directors need to understand and approach cyber security as an enterprisewide risk-management issue, not just an IT issue. PRINCIPLE 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances. PRINCIPLE 3: Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. PRINCIPLE 4: Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget. PRINCIPLE 5: Board discussion of cyber risk management should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach. The board should Develop an implement governance framework, The Dpo should proposE, design and implement solutions that protect access and align to business growth Objectives Then you should help them build a culture of privacy through awareness programs
• #10:  As you can see there s a direct line of communication with the board, subjects and authorities. The DPO should involve key persons and make a supporting Team . Those usually are ΙΤ-cio ATTENDS processes pertaining to data security, availability and confidentiality and ensure that they are well documented, DR systems. a breach of data security,  -CROs- The head of risk perhaps the most important person within an organisation in ensuring that GDPR compliance is maintained. s will be responsible for setting compliance frameworks and audits, interpreting the GDPR and assessing risk,  HR . Because as a DPO you have to protect the staff as well, and treat employees as personal data subjects What kind of personal data and sensitive p data do u keep? Do you obtain consent and is it valid under GDPR? how long do you keep them?  Legal AND COMPLIANCE . How they should deal with a request, or multiple concurrent requests for provision of p.d ? Is your answer within GDPR deadline? Is there a documented process? Review of all contracts  Procurement Are there sub-contractors processing pd on your behalf? Do they take all safety measures to protect pd? Do they meet the GDPR requirements?  
• #11: CREATE DATA MAPPING you need to discover and classify P.D What & where is it? Understand and document where Personal Data is stored and processed, including with/by 3rd parties Why it matters: • Hospitals like any other organization need to understand what data they hold and process to assess risk and design adequate controls • are necessary to support Data Portability,Right of Access, CONDUCT RISK ANALYSIS AND DATA PROTECTION IMPACT ASSESSMENTS Identify significant risks and areas which require immediate action to help you better manage risk The Data Protection Impact Assessments include assessing risks, ‘including safeguards, security measures and mechanisms to ensure the protection of personal data and demonstrate compliance with this regulation  RUN A GDPR COMPLIANCE GAP ANALYSIS - ACCESS YOURSELF to identify areas of most material noncompliance and to priorities mitigating steps, especially in relation to high risk processing activities  Assess yourself in the areas of consent and marketing.  Assess your compliance with data protection in the specific areas of information security policy and risk, mobile working, removable media, access controls and malware protection.  include physical security processes assess the compliance of your CCTV including the installation, management, operation, and public awareness and signage. Implement technical and organizational security measures appropriate to the risks presented The only technical controls mentioned in GDPR are encryption and pseudonymisation (de-identifying datawith a mechanism to re-identify if necessary) Clients may not need to notify data subjects about a breach if the personal data has been rendered “unintelligible to any person who is not authorised to access it, such as encryption”.
• #12: Records management Develop records management policy and procedures When storing physical records, make sure they're secure in rest and in motion Outsourcing Records inventories Tracking and off-site storage Security and disposal of data Business continuity Record creation, storage and disposal, access, tracking and off-site storage.
• #13: training process and awareness programs staff handbooks training material  key vendor contracts Third-party risk there are also significant risks which can and should be minimized through appropriate contractual clauses, as well as  by conducting due diligence on third party vendors, to ensure that those operating on behalf of your organization ( partners and service providers) are capable of operating in compliance with the GDPR. Audit existing supplier arrangements and update template RFP and procurement contracts  8. Consent of data subjects - • should be explicit It has to be opt in , not opt out and no response means no consent. Consent must also now be separable from other written agreements, is given before data is processed and should be as easily revoked as given. data subjects are informed that they have the right to withdraw consent at any time but that this will not affect the lawfulness of processing based on consent before its withdrawal; Consent is not the only legal basis for processing personal data though. When there is a legitimate interest involved, consent is given after the processing and even if the subject objects, the processing doesn’t stop.  9. Notifications to data subjects & data subject’s right to access, modify, delete, transfer data  The controller is obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.  Determine if you work in a sector where exemptions are ………. By a EU member’s National legislation
• #14: Focus on Preparedness for the inevitable YOUR INCIDENT RESPONSE PLAN to a malware attack: at first you should access the extention of the damage, in order to see if you can contain the attack and stop the spreading of the malware . Then triage question should be answered, like Whats affected, who did it, how did it happen, is it ongoing or an isolated incident .how critical is it, etc. There was a huge dbate about wether a ransomeware attack qualifies as a reportable breach incident. The conclusion was that YES A RANSOMEWARE ATTACK is a Reportable breach, but because every situation is fact based , there are few limited exceptions. Like Australian authorities already did, they will be guiding lines or mandatory provisions about when a data breach is always reportable. After a Data breach report, the regulators will examine
• #15: 14