By Aris Medical Solutions
You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.
Our personal information has been being sold for years. Some with and some without our knowledge. Many organizations require a person to “accept” their terms and conditions with long legal agreements that we must agree to before using their software, joining their network, or downloading an app to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order to enter a sweepstakes, win a prize, or simply to gain access to a forum. This information can be sold to other organizations so they can market their good and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.
With the GDPR from the EU becoming effect May 25, 2018, organizations must become compliant by May 25, 2018.
Here is a basic summary of what you need to know:
- Organizations that provide goods or services to anyone located within the European Union regardless of where the company is located must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to our individual state laws we currently have in the United States.
- Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
- You must have clear full consent to use a person’s information. No lengthy vague legal forms; just clear plain language. Nothing short of an opt-in will be acceptable.
- Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
- These rules will apply to both cloud data controllers and processors and will not be exempt from GDPR enforcement.
- Data breaches must be reported within 72 hours.
What do you need to do to prepare:
- Review your client/patient database.
- Do you have any european clients/patients?
- Review where all of your data is stored.
- Do you use a cloud system?
- Do you have a BA agreement in place with the data processor/center?
- Update your breach notification plan.
For more information on the GDPR: https://www.eugdpr.org/
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.
“Protecting Organizations through Partnership, Education, and Support”