Agenda
• GDPR Basics
• Key Changes from Data Protection Directive
• “Special Categories”
• Consent Conditions and Elements
• HIPAA and GDPR: Key Differences
• Determining Whether Your Organization Needs to Comply
General Data Protection Regulation (GDPR) Basics [1]
• Replaces Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe
• Enforcement begins in two days – May 25, 2018
• Consumer-centric regulation – focuses on “controllers” (person or entity that determines the purposes and means of processing personal data) and “processors” (person or entity that processes* personal data on behalf of the controller)
• Protects the rights of EU citizens** regardless of their location, and the “free movement” of data within the EU

* Includes automated, semi-automated, and manual
** Actually “natural persons” or “data subjects”
Key Changes from Data Protection Directive (1 of 2) [2]
• Expanded territorial scope – applies to all entities collecting or processing the personal data of EU citizens, regardless of the entity’s location
• Increased penalties for non-compliance with key provisions, up to 4% of global annual turnover
• Stronger conditions for consent – clear and plain language, specification of purpose; as easy to withdraw consent as it is to give it
• Breach notification within 72 hours
• Right for data subjects to obtain from the controller confirmation of whether personal data are being processed, where and for what purpose, and to obtain a copy
Key Changes from Data Protection Directive (2 of 2)
• Right to be forgotten – a.k.a. data erasure, the right for the data subject to have her personal data removed from a system and to have third parties halt processing of the data
• Data portability – analogous to HIPAA’s “view, download, and transmit (VDT)”
• “Privacy by design” – built into the system from the outset
• Data Protection Officers – change from external reporting to internal record keeping
• New requirements that seem to target cloud computing and big-data analytics
“Special Categories” of Information
• “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” [Article 9] unless…
Relevant “Special Category” Exceptions
• (a) Data subject has given explicit consent [to process special category of information] for defined purposes
• (j) Processing is necessary for … scientific or historical research purposes … shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Processing of “Special Categories”
• Processing “special categories” (e.g., health, genetic information) requires both:
1. Processing must be lawful (Article 6)
2. At least one of the exceptions specified in Article 9 must apply
Lawfulness of Processing
Processing is “lawful” if at least one of the following applies:
1. Data subject has given consent to processing for one or more specific purposes; OR
2. Processing is necessary for one of 5 reasons relating to contractual or legal compliance, vital interests of the subject, public interest, or controller interests
“Explicit” Consent
• When processing “special categories” of information
• When personal information is used in automated individual decision-making, such as profiling
• Data transfers to third countries or international organizations
The GDPR Consent Guidelines seem to be saying that “broad” consent is sufficient under Article 6 (lawfulness) but that “explicit” consent is required for these special cases.
“Explicit consent is required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate.” (GDPR consent guidelines, WP29, December 2017)
Consent Conditions
• Clear explanation of the processing being consented to
• Genuine, voluntary “opt-in”
• Consent withdrawal must be as easy as giving consent
• Organization does not rely on silence or inactivity as “consent” (e.g., pre-ticked boxes do not constitute valid consent)
Elements in Consent To Collect (1 of 2)
1. Identity and contact information for controller
2. Contact for Data Protection Officer
3. Purposes for processing
4. Categories of data
5. When applicable, legitimate interest of controller for which data are needed
6. Recipients
7. Where applicable, controller’s plan to transfer data to a third country or international organization
Implications for use of cloud computing
Elements in Consent To Collect (2 of 2)
8. Period of time data will be stored
9. Right to request correction or erasure
10. Right to withdraw consent
11. Right to lodge a complaint
12. Source of personal data
13. Existence of automated decision-making, including profiling, logic involved, and potential consequences for subject
Targeting “big data” analytics
HIPAA and GDPR: Key Differences

| Topic | HIPAA | GDPR |
| --- | --- | --- |
| Relevant data | Identifiable health information | Personally identifiable data |
| Who must comply | Covered entities and business associates | Entities that collect or process personal data of EU citizens |
| Consent | Requires patient authorization for access, use and exchange other than treatment, payment, healthcare operations; with public health/safety/legal exceptions | Requires consent for collection and processing, with contractual/legal/public-interest exceptions |
| Research | Permits disclosure for activities preparatory to research | Use of personal data for research requires consent; no exception for “preparatory to research” |
| Breach notification | Within 60 days | Within 72 hours |
| De-identification | Specifies methods for de-identifying protected health information | Excludes “anonymized” data, but does not specify anonymization method |
| “Special categories” requiring explicit consent | Only “special category” is psychotherapy notes – requires authorization for use or disclosure, with some TPO exceptions | “Special categories” include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation – processing is prohibited without individual’s explicit consent or applicable exception |
| Collection authorization | Covered in Notice of Privacy Practices | Specific consent required to collect personal data |
| Broad vs. “explicit” consent | Simple “authorization” | Consent required for “lawful processing” refers to all personal data; “explicit” consent required for “special categories” |
| Consent elements | Specifies core elements of patient authorization | Specifies elements of consent for collection, but not processing. Consent must be in plain, understandable language. |
| “Right to be forgotten” | No requirement | Erasure upon request – includes production systems, archived files |
| Control over processing | No requirement | Right to object to processing |
| Propagation of changes | No requirement | When data are corrected, erased, or processing restricted, controller must notify other controllers with whom data have been shared |
| Profiling | No requirement | Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects. Exceptions are N/A if “special categories” of information are used. |
Do You Need to Comply with GDPR? [3]
1. Do you have people from the EU on your email or mailing list, or in your contacts database? (Yes / No)
2. Do you have forms that enable users to enter a non-US address or specify that they’re from another country? (Yes / No)
3. Do you have purchase or donation forms that allow people to pay using European currency? (Yes / No)
If You Answered “Yes”
• Conduct a high-level review of the EU data you hold
• Assess whether the value of your EU data justifies the cost of modifying systems and operations to attain GDPR compliance
  – If so, hire an attorney and an implementer with GDPR expertise to help you plan for compliance
  – If not, delete all of the EU data you hold in your systems and back-ups, and modify your forms to clarify that you are not soliciting EU customers, participants, or contributors
References
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council. Apr 27, 2016. Available from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN (accessed 4/20/18)
[2] EUGDPR.org. GDPR Key Changes. Available from https://www.eugdpr.org/key-changes.html (accessed 4/24/18)
[3] Medium. GDPR for US Not-for-Profits: What you need to know. Available from https://medium.com/@forward_action/gdpr-for-us-not-for-profits-what-you-need-to-know-4cfee1a1b8e3 (accessed 5/23/18)