The entry into application of the new General Data Protection Regulation this past May 25th presents a new challenge for companies of every kind, inside and outside the European Union. Some sectors, however, are especially sensitive to the changes the regulation brings because of the nature of the data they handle in their activity. One of these is certainly the sector comprising all healthcare centers. For this reason, PONS IP held a work session on the new GDPR as applied to the health sector on May 23rd, in collaboration with the Innovation and Health Prospective Foundation in Spain (FIPSE).
In this article, we highlight the key topics discussed in the work session by our experts: our Managing Director, Nuria Marcos; José Carlos Erdozain, Head of the Legal Department; and Alfonso Beltrán, director of the FIPSE foundation.
- In 2022, the European Commission expects to have access to a million sequenced genomes, and in 2024 to ten million. For this reason, experts consider the harmonization of personal data protection across research and health centers a priority.
- The new GDPR marks a turning point with regard to civic awareness of the use of data by third parties, as well as in business education, which must now be directed towards a greater role of responsibility in the processing of data under the proactivity principle.
- According to article 9 of the GDPR, the personal data of patients relating to their health automatically falls into the special category of protected data.
- All health professionals and medical researchers must be aware of several aspects introduced by the GDPR, such as consent (it must always be express, affirmative, clear, and provable) and the importance of renewing it; auditing; the impact and risk assessments to which their institutions must submit; security and data confidentiality; and the right to be forgotten.
- With regard to the way consent is obtained, institutions working in the health sector are required to follow a very strict procedure for collecting such consent and to guarantee that it is express.
- Even with this special protection, certain obstacles remain in comparison with the previous period. The strict implementation of the regulation is balanced by a series of exceptions intended for the particular circumstances of the healthcare field, which allow some flexibility in the application of the GDPR. These exceptions refer only to the consent required for specific purposes, such as preventive actions for public health or the processing of data in response to an immediate risk to the health of an ill person.
- Likewise, the need for international health assistance can also exempt an institution from formal compliance tasks under the legislation. This refers, for example, to the possibility of providing information to a public administration so that it can facilitate health services for a patient in a member state of the European Union.
- Another essential aspect of the new GDPR is the existence of a new figure: the Data Protection Officer (DPO). In the case of health centers, the Regulation and the Bill of Incorporation require the designation of this officer, since health centers process data considered sensitive and are able to process it on a larger scale and in greater volume. Nonetheless, the new GDPR specifies that a medical practice or clinic staffed by a single specialist will not be required to appoint an Officer.
- The security of any type of personal data concerning health is essential. The new GDPR reinforces the need to ensure the confidentiality as well as the security of personal data through codes, data minimization, continuous backups, and the capacity of systems to remain resilient against cyber-attacks.