United States: General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies

Last Updated: September 4 2017
Article by Catherine Muyl and Marion Cavalier

The clock is ticking: on May 25, 2018, less than a year from now, the General Data Protection Regulation (“the GDPR”) will apply in all Member States of the European Union (“EU”) and will replace Directive 95/46/EC (“the Directive”).

The purpose of the Directive was to protect the personal data of individuals to an extent that may seem surprising from a US point of view. The new regulation goes even further, since it is presented as “an essential step to strengthen citizens' fundamental rights in the digital age.”

The GDPR is, as its title indicates, a “general” regulation which applies to the collecting and processing of personal data by all kinds of entities in all activities, including in the healthcare/life science sectors, whereas the US has a “sectoral approach” to data protection and a specific act (HIPAA) for health information.

The purpose of this post is to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses.

Why You Can’t Ignore the GDPR

Healthcare/life science companies in the EU are already very much attuned to personal data protection as they handle sensitive data such as patients’ details and clinical trials subjects’ details. Adapting to the GDPR should be relatively easy for them.

Extraterritorial Effect

On the other hand, one of the major impacts of the GDPR is that it extends the application of European legislation to companies outside the EU. Basically, the Directive only applied to organizations established within the EU or which used equipment within the EU, but not to organizations established outside the EU, even if they were conducting activities in Europe.

The GDPR has a much broader scope: it will apply to organizations established outside the EU that offer goods or services to individuals in the EU and/or monitor the behavior of data subjects within the EU (Article 3). In other words, even a US company will have to comply with the GDPR if it targets European consumers or monitors any personal data on European citizens.

Some US healthcare/life science companies not affected by the Directive will now have to comply with the GDPR. They may already have some familiarity with EU data protection rules, due to the requirements for data transfers outside the EU (i.e., the EU-US Privacy Shield or other tools, see below) if they received, for example, personal information collected in the course of clinical trials from a CRO established in the EU. However, the requirements will be more stringent once they are directly subject to European rules.

Data Transfer Outside the EU

The GDPR maintains the same requirements for data transfers outside the EU. Such transfers occur, for example, when persons located in the US have access to data stored in the EU. When personal data collected in the EU is transferred to the US, a country which, from a European point of view, does not afford an adequate level of protection, important restrictions apply. Such transfer is forbidden except if the data exporter has taken certain precautions such as:

Increased Sanctions

The GDPR considerably increases the sanctions and penalties in the event of non-compliance. Under the Directive, sanctions were left up to the Member States, which led to discrepancies. For example, in the UK, the maximum fine is currently £500,000, whereas in France it was until recently €150,000. Under the GDPR, the maximum amount of financial sanctions is harmonized and increased to up to 4% of total worldwide annual turnover or 20 million euros, whichever is the greater (Article 83). Given this change, compliance with the GDPR should be taken all the more seriously.

New General Features of the GDPR

Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.

One Stop Shop

Until now, groups of companies established in Europe had to deal with as many Data Protection Authorities as countries in which they were operating. The GDPR sets up the so-called one-stop shop mechanism, which is aimed at simplifying the life of businesses. Indeed, a company established in more than one Member State will have to identify its main establishment to the Supervisory Authority (formerly called the Data Protection Authority) of the Member State where that main establishment is located, and will then deal with that sole Supervisory Authority, called the “Lead Supervisory Authority”, for all its data protection issues in Europe (Article 56).

For the data controller (i.e., the entity that makes the decisions), the main establishment should be the place where the decisions on the purposes and means of the processing of personal data are taken. For the data processor (i.e., the entity that processes the data on behalf of someone else), the main establishment should be the place of its central administration in the EU. This is clearly a more business-friendly provision.

On the other hand, European citizens will be allowed to lodge a complaint not only with the Lead Supervisory Authority designated by the data controller but with the Supervisory Authority in any Member State. The idea behind that is to provide individuals with effective means of redress.

In practice, for example, a US healthcare/life science company that has its European headquarters in France will have to deal with the French Supervisory Authority for general data protection matters, but individuals could sue it in the courts of their own Member State.

Appointment of Data Protection Officers (“DPOs”)

It is now mandatory for a company to appoint a DPO where its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing sensitive data on a large scale (Section 4).

The GDPR does not define what constitutes a processing on a large scale, but the Article 29 Working Party (the “WP29”) issued useful guidelines on DPOs. According to the WP29, it is not possible to give a precise number, though it recommends that the following factors be considered:

  • The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

For example, according to the WP29, the processing of patient data in the regular course of business by a hospital is “large scale” but the processing of patient data by an individual physician is not.

Concerning the responsibilities of DPOs, at a minimum they include: informing the company and its employees on their obligations with respect to data protection law, monitoring the company’s compliance, monitoring privacy impact assessments, cooperating with supervisory authorities and handling data subjects’ inquiries.

A DPO may be appointed from within the company and carry out other tasks as well (as long as there are no conflicts of interest), but the GDPR requires that DPOs perform their duties and tasks in an independent manner and with a sufficient degree of autonomy. This means that DPOs must not be instructed how to deal with a matter or whether to consult the Supervisory Authority.

Data Breach Notification

The GDPR introduces a new obligation for companies to notify data breaches to the appropriate Supervisory Authority within 72 hours. And the notification must be documented. Companies will also have to notify the data breaches in question to the affected individuals without undue delay “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (Article 34).

This “high risk” is not defined in the GDPR. In our opinion, it will have to be assessed on a case-by-case basis, and the sensitivity of the personal data should be taken into account.

Data Protection Impact Assessment (DPIA)

A DPIA is a process designed to describe the processing of personal data, assess the necessity and proportionality of that processing, and help manage the risks to the rights and freedoms of individuals resulting from the processing.

These assessments are mandatory where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. In particular, a DPIA must be carried out where personal data processing involves “processing on a large scale of [sensitive data]”, which includes health data (Article 35).

This new obligation is worth mentioning because it will most likely become a frequent task for those healthcare/life science companies which process a large amount of health data. It may become a heavy process that they should prepare for.

GDPR Features that Apply Specifically to the Healthcare/Life Science Sectors

Even though the GDPR is a general regulation, some provisions expressly address the specificities of the processing of personal data in the healthcare/life science sectors.

Specific Categories of Personal Data Relating to Health

There was no definition of health data in the Directive. Now, the GDPR defines “data concerning health” as “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status” (Article 4).

The core rules on the processing of health data remain basically the same as in the Directive:

  • Health-related data qualifies as sensitive data, as do genetic and biometric data (two new notions introduced by the GDPR)
  • The processing of sensitive data is in principle prohibited
  • Exceptions are listed: lawful grounds that allow the processing of such data (for example, explicit consent)

Exemptions for Scientific Research

The GDPR provides exemptions to organizations that process personal data for scientific research purposes as long as they implement appropriate safeguards, which include “technical and organizational measures to ensure data minimization”, such as pseudonymization (Article 89).

In particular, the GDPR establishes three data subjects’ rights:

  • The right to information under which data subjects have the right to be provided with information on the identity of the controller, the contact details of the DPO (where applicable), the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
  • The right to object to the processing under which data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either public interest or legitimate interests of the controller. In case of such objection, the GDPR provides that the controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
  • The right to erasure of personal data (also called “right to be forgotten”) under which data subjects have the right to obtain from the controller the erasure of their personal data without undue delay in some situations such as: if the personal data are no longer necessary or if the data subject withdraws his or her consent (and the only lawful basis for the processing was such consent).

However, organizations that process personal data for scientific research purposes may in certain circumstances override those rights:

  • Regarding the right to information and access (where personal data have not been obtained directly from the data subject) if the provision of information involves a disproportionate effort;
  • Regarding the right to object to the processing, if it is likely to render impossible or seriously impair the achievement of the objectives of that processing;
  • And regarding the right to be forgotten if the processing is necessary for the performance of a task carried out for reasons of public interest.

As regards consent, the GDPR also provides a breathing space for research activities that will certainly be useful. It recognizes that it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Therefore, data subjects will be allowed to give their consent to certain areas of research or parts of research projects when in keeping with recognized ethical standards for scientific research.

Unfortunately, it is still uncertain what “scientific research” really means. There is only a broad definition of research in the GDPR, which encompasses the activities of public and private entities, but it is unclear exactly how far the GDPR’s research exemption will extend, in particular as regards research activities with a commercial goal. Concerning its application to clinical trials, one of the Recitals of the Regulation states that the processing of personal data for scientific purposes should also comply with other relevant legislation, such as that applicable to clinical trials.

Conclusion

To summarize, for healthcare/life science companies that are already compliant with the Directive, it will not be a huge effort to comply with GDPR, but the effort is worth making, if for no other reason than to avoid the increased penalties.

On the other hand, for US companies that were not subject to the Directive before, the process of becoming compliant by May 2018 will be more complicated, in particular because the US and the EU do not have the same approach to personal data protection and there will be a privacy “cultural gap” to overcome. However, healthcare/life science companies are used to operating in a regulated environment, and the new rules will mainly mean more work for those in charge of regulatory or compliance areas.

We have highlighted above some of the GDPR rules that should be of particular interest for healthcare/life science companies. Of course, it is not an exhaustive summary and we advise companies, in particular those which were not subject to the Directive but will be to the GDPR, to conduct a concrete compliance assessment taking into account their own specificities and needs.

Businesses in the healthcare/life science sectors will also be well advised to remain vigilant about domestic Member State legislation that could affect them. Indeed, the GDPR provides that Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
