European Union - General Data Protection Regulation (GDPR)

From Cybersec Standards
Revision as of 05:53, 7 July 2020 by Shan Senanayake


This guidance is based on REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (General Data Protection Regulation)

Who Does This Privacy Law Apply To?

  • All health and social care organizations in the EU are subject to the guidelines in the articles on the collection, processing and storage of individuals' data. Over the years, the penalties for non-compliance with the GDPR have become stricter, with increased powers given to the ICO (Information Commissioner's Office) under the Data Protection Act of 1998.
  • The GDPR sets standards for consent and notification duties.
  • Consent has been fine-tuned under the GDPR and now means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” This implies that active consent processes will have to be put in place for the patient.
  • According to the GDPR, it is mandatory for organizations to have a compliance program in which six elements of accountability are implemented:
  1. Understand who will be responsible for developing and implementing the program
  2. Conduct a gap analysis of the compliance posture
  3. Establish a timeline for implementation, review and audit.
  4. Raise awareness at the board level of GDPR compliance.
  5. Raise awareness in staff
  6. Ensure GDPR-compliant information governance frameworks are in place.
  • The GDPR makes the patient the joint owner of the information and, according to Article 20, offers the patient the right of data portability, including the right to transfer data between two data controllers.
  • Under Article 18, patients also have the right to ask data controllers and processors to erase their data.

What Data Does This Privacy Law Apply To?

  • The EU GDPR came into effect in May 2018 to extend the rights of individuals concerning the collection and processing of their personal data. The regulation primarily lays down rules relating to the protection of natural persons with regard to how their personal information is processed, and rules associated with the free movement of personal data. It protects these fundamental rights without restricting the movement of data within the Union.
  • The regulation applies to the processing of personal data wholly or partly by automated means, and to other processing of personal data that forms part of the organization's filing system.
  • In the healthcare industry, organizations need to uphold the integrity of the healthcare data and ensure cyber resilience and business continuity in the event of a data breach.
  • The GDPR consists of three main rules about health data:
  1. ‘Data Concerning Health’ is defined as personal data related to mental or physical health by GDPR.
  2. ‘Genetic Data’ is related to unique genetic data which gives information about the physiology or the health of the natural person.
  3. ‘Biometric Data’ is personal data resulting from the technical processing of data related to the physical, physiological or behavioural characteristics of a natural person which allow or confirm the unique identification of that person, such as facial images.
  • The policy does not apply to the processing of personal data if:
  1. The activity falls outside the scope of Union law
  2. The processing is done by a natural person in the course of a purely personal or household activity
  3. The processing is done by competent authorities who may only use the data to safeguard and protect the general public
  • Healthcare organizations are required to respond to patient access requests in a shorter 30-day deadline as opposed to 40 days previously.
  • Under Articles 33 and 34, data controllers must report personal data breaches to the supervisory authority within 72 hours. If the breach poses a high risk, they are also responsible for informing the affected patients.
  • Document a legal basis for each processing activity identified through a data audit and data flow mapping.
  • The most common lawful bases for processing in health and social care are likely to be:
  1. Article 6(1)(e) – Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  2. Article 9(2)(h) – Necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services.

When Was This Privacy Law Enacted?

The General Data Protection Regulation is applicable as of May 25th, 2018 in all EU Member States.

Where Does This Privacy Law Have Jurisdiction?

  • The GDPR binds anyone in the European Union who controls data or undertakes its collection.
  • The GDPR is thus applicable to 28 EU member nations.
  • The GDPR also extends protection beyond organizations based in the EU, including U.S.-based healthcare organizations that offer goods and services to individuals in the EU or monitor the behaviour of EU individuals.

How Must Data Be Protected?

As stated in Article 7, all patients need to be informed of the risks associated with their personal data being collected in simple, plain and understandable language.

  • Article 13 states that the data collector must also say whether the information is being collected under a legal or contractual requirement, or as a necessary condition for entering into a contract; whether the patient is obliged to provide the relevant data; and the potential consequences if the patient refuses to provide that data.
  • According to Articles 12, 13 and 14, the GDPR advocates the use of short text and standardized icons to aid immediate awareness of data processing.
  • To enhance transparency, all data collectors at the healthcare facility must first carry out a DPIA (data protection impact assessment) before processing sensitive information.
  • Provisions in Articles 12, 13, 22 and 29 primarily aim at clarifying to the patient the decisions made by automated processing: the profile, the logic and the consequences.
  • In Article 5, GDPR also introduces cybersecurity provisions for patient protection and gives the general principle of integrity and confidentiality.

OWASP-Recommended Security Controls:

Access Control

  • If state data must be stored on the client, use encryption and integrity checking on the server side to catch state tampering
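The integrity-checking half of this control can be shown in a few lines. The following is an added example, not code from the original page or from OWASP: the server wraps any state it has to hand to the client (here a constructed session-like dict) in a base64 payload plus an HMAC-SHA256 tag keyed with a server-only secret, and refuses any payload whose tag does not verify or whose embedded expiry has passed. `SERVER_KEY`, `seal_state`, `open_state`, the `exp` field and the `tamper` test helper are all assumptions made for the example. Confidentiality (the "encryption" part of the control) is not shown here; for that, a vetted authenticated cipher from a crypto library should wrap the payload, with the same verify-before-use discipline.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side secret (constructed for this example). In a real deployment it is
# loaded from a secrets manager and never leaves the server.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def _tag(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload; only the server holds the key."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def seal_state(state: dict, key: bytes = SERVER_KEY, ttl_seconds: int = 900, now=None) -> str:
    """Encode client-held state and attach a server-computed integrity tag.

    An 'exp' timestamp is embedded so a captured token cannot be replayed forever.
    """
    now = int(time.time()) if now is None else now
    body = dict(state, exp=now + ttl_seconds)
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return f"{payload}.{_tag(payload, key)}"


def open_state(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the state dict if the tag verifies and the token is unexpired, else None.

    The tag is checked *before* the payload is decoded, so untrusted bytes are never
    parsed unless the server itself produced them.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.rsplit(".", 1)
    except ValueError:
        return None
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(_tag(payload, key), tag):
        return None
    try:
        body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(body, dict) or body.get("exp", 0) < now:
        return None
    body.pop("exp", None)
    return body


def tamper(token: str, **changes) -> str:
    """Test helper (constructed): rewrite fields in the payload but keep the old tag,
    which is exactly the client-side edit the server-side check must catch."""
    payload, tag = token.rsplit(".", 1)
    body = json.loads(base64.urlsafe_b64decode(payload.encode()))
    body.update(changes)
    new_payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return f"{new_payload}.{tag}"


if __name__ == "__main__":
    issued_at = 1_000_000  # fixed clock so the run is reproducible
    token = seal_state({"role": "nurse", "patient_id": 42}, now=issued_at)
    print("valid    :", open_state(token, now=issued_at))
    print("edited   :", open_state(tamper(token, role="admin"), now=issued_at))
    print("expired  :", open_state(token, now=issued_at + 1_000))
```

Because the state is opaque to the client only in the sense that it cannot be changed, anything in it is still readable; that is why the OWASP control pairs integrity checking with encryption, and why sensitive fields should stay server-side in the first place.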

Data Integrity

  • Securely implement transaction authorization to protect the transaction integrity

Data Protection

  • Implement least privilege, restrict users to only the functionality, data and system information that is required to perform their tasks

UK Information Commissioner’s Office-Recommended Security Controls:

Data Protection Impact Assessment (DPIA)

How Long Can Data Be Retained Under This Privacy Law?

COVID-19 Apps In This Region

External Links