As well as being a key target for cybercriminals, the healthcare industry is one where so much personal data passes through so many hands that even simple human error carries an incredibly high risk. But how can medical organisations deal with their new data protection responsibilities under the GDPR?
The Register reported in June last year that the UK healthcare sector accounted for 43% of data breaches, suffering 2,447 breaches between the start of 2014 and the end of 2016. In just the first half of last year, the UK lost more than 28 million data records to hackers. 26 million of those were lost in a single incident suffered by the NHS.
And it’s not just the UK — across the pond, the US Department of Health and Human Services is currently investigating no less than 389 data breaches reported within the last two years, with one unauthorised disclosure affecting more than half a million people’s personal data and some of the US’s largest hacking breaches rising to more than 10 million.
The General Data Protection Regulation (GDPR), which will be in effect from the end of May this year, represents the largest shake-up in data privacy legislation across Europe in two decades. It places a significant compliance burden upon organisations large and small, adopts a risk-based approach to data protection, and brings heavy financial penalties to those who fall short of their responsibilities.
The GDPR isn’t confined to large businesses and government healthcare organisations, but applies equally to small and medium-sized businesses, for example those offering medical research or private ambulance services, and even to non-profits.
One key obligation introduced under the GDPR is the requirement to appoint a Data Protection Officer, or DPO. For healthcare organisations, the requirement to appoint a DPO will apply if processing health data ‘on a large scale’, which the Article 29 Working Party has indicated would include processing at a regional, national or supranational level, but would not, for example, extend to an individual doctor’s processing with regard to his or her patients.
Clearly there are some grey areas, and with a DPO salary averaging £62k, smaller firms and non-profits could be forgiven for thinking the market has priced them out, but facing huge fines from the regulator is hardly an alternative. The key to the risk-based approach is adequate documentation of your justification for following a certain policy or procedure, keeping good administrative records, and ensuring that personnel remain aware of the policies and procedures, and of course follow them.
Though it may seem overly simplistic, that really is the fundamental truth of GDPR compliance. The nuances of each organisation’s compliance programme, and specific problem solving are where professional expertise offers a significant differentiation from a do-it-yourself approach, and can help organisations with complex or significant processing activities to become and remain compliant.
Privada offers businesses and non-profits in the healthcare sector the opportunity to outsource their compliance management and the DPO role, as well as providing a range of services to assist organisations in any industry.