The introduction, on May 25th 2018, of the General Data Protection Regulation (GDPR) presents a particular challenge for the life science community. The regulation is being implemented to better protect the privacy of consumers' data and, as such, there is a concern within industry that it will stifle developments in medical science. Nevertheless, the topic is one that all professionals within the life sciences sector need to be fully aware of as we move towards the implementation of the new regulation. In this overview, written by Acorn Regulatory's Quality Systems Specialist Mandy Cashman, we look at the main issues relating to GDPR from the perspective of the consumer and the client.
GDPR – What does it mean?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). This is a new data protection regulation that will come into force on 25th May 2018. It is being introduced into the EU by the European Parliament, the Council of the European Union and the European Commission to protect consumers' rights when it comes to the privacy and security of their personal data.
The GDPR will replace the 1995 EU Directive on Data Protection (Directive 95/46/EC), and will operate as a new single data protection law for the EU. A supplement is available which was published by the Department of Justice and Equality in May 2017.
1. GDPR – Why is it needed?
As technology progresses, and as companies increase their use of social media for networking and to commercialise their operations more efficiently, digital information that identifies people is continuously being created.
Because of the emphasis from regulatory authorities on privacy and on breaches of data rights, and as a result of cyber hacking and the sharing of sensitive data, consumers are becoming more aware of the need to have control over their personal information.
Therefore, the purpose of the General Data Protection Regulation (GDPR) is to protect consumers' privacy when it comes to the security and sharing of personal and sensitive data.
2. What is meant by personal or sensitive data?
Personal or sensitive data can be any type of information that can identify an individual person, such as: name, date of birth, address, mobile phone data, browsing history, IP address, images, financial information, health information, ethnicity, political or religious beliefs, an ID number, or any other type of identifiable information.
3. What does GDPR mean for me as an individual?
The new data protection law will enable consumers to have greater control of personal information collected and processed by various organisations (http://gdprandyou.ie/gdpr-for-individuals/).
As an individual, you will have the ability to:
- Find out how your data is processed
- Obtain copies of personal data held by a company
- Have data corrected where found to be inaccurate
- Have data erased if a company holds your data for no particular reason
- Have your data transferred to another organisation
- Object to the processing of your data
- Be exempt from automated decision making
There are some exceptions to the consumer's right to request access to personal information, which have been identified by the Data Protection Commissioner at this link.
Section 5 of the GDPR document for ‘How will access requests change’ states that it will also be mandatory for organisations to ensure that your request is concluded within one month at the latest.
4. Does your company need to comply with the new GDPR Regulation?
If your company monitors, processes or shares personal data that belongs to people within the EU, or if your company is an established data controller or processor within the EU, then yes, the new GDPR regulation will apply to you.
If your company transfers information to a country outside of the European Economic Area, also known as a 'third country' under EU regulations, then additional measures must be taken to ensure that there is an adequate level of data protection. The EU Commission has already approved some third countries, such as: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield Framework).
However, if your third country has not been approved, then a contractual agreement must be approved by the Data Protection Commissioner before information can be transferred. Model contracts are available from the EU Commission website:
- Model Contract for an EU Controller to non-EU or EEA Controller here or here.
- Model Contract for an EU Controller to non-EU or EEA Processor.
5. How do you know if your organisation complies with the new GDPR Regulation?
A 12 step guide has been published by the Data Protection Commissioner which details the necessary steps to ensure compliance to the new GDPR Regulation.
6. The following is a summary of the 12 step guide to the GDPR regulation
- Be aware of the changes that the GDPR legislation may have on your company's processes and procedures, and risk-assess the impact. Ensure that sufficient resources are available to implement the changes identified for GDPR compliance.
- As per the GDPR 12 step guide, a review must be conducted of all personal data held within your organisation, clearly documenting:
- Why do you have the data?
- How did you obtain it?
- Why was it originally gathered?
- How long will you retain it?
- How secure is it, both in terms of encryption and accessibility?
- Do you ever share it with third parties and on what basis might you do so?
- Identify any gaps between your organisation's current data protection practices and the GDPR legislation. Ensure that you inform individuals that you have their data on file; before you gather data, you must inform customers of your identity and the reasons for gathering the data.
- Review your procedures and update them where necessary. Identify the electronic and manual systems used to collect and process data. If you receive a request to remove or correct an individual's information, you should be able to indicate the length of time and the systems required in order to fulfil that request.
- Under the new GDPR guideline, the timeline to process a consumer's request to access, delete or alter personal data has been reduced to one month maximum, from the current 40 days. Requests can be refused under certain exemptions, as stated in Section 5 of the GDPR and You document.
- Establish the legal reasons for obtaining an individual's data. Ensure that you are only obtaining the information that is required. Obtaining unnecessary information may decrease your organisation's productivity and use additional resources. Identify which categories of information obtained can be removed. As an organisation, you will have to explain to your consumers the legal reasons for obtaining and processing their data if you receive a request from an individual to access, alter or delete their data.
- Review your customer consent process. Identify the method for obtaining and recording information. If an organisation is using a consent form method, then this process must be reviewed and revised if necessary, to ensure that it clearly identifies the data being obtained. It must be unambiguous, and be written in a manner where consumers are fully aware of what they are consenting to. Tick boxes will no longer be a sufficient method of obtaining consent. Additional consent will also be required for each additional processing operation. Article 6 point 1 of the new GDPR Regulation identifies six criteria to be considered when obtaining and processing an individual's data.
- If your organisation is processing the data of an underage subject, then you must ensure consent is provided by a guardian before the data is obtained and processed, and you must ensure that there are adequate systems in place that protect the data of the underage subject from social media or other internet outlets. The underage subject must verify consent, therefore the consent process must be understandable.
- Evaluate whether your organisation is currently involved in high risk data processing, is using new technology to profile individuals or is involved in a project that may impact an individual's privacy. If so, then it is mandatory for your organisation to conduct a Data Protection Impact Assessment (DPIA) before data is processed. Organisations are advised to use the Privacy by Design method to identify whether the risk can be reduced. If the risk cannot be reduced, then the Data Protection Commissioner must be consulted before processing the data.
- Identify whether your current system has a procedure for taking action in the event that a data breach occurs. If required, update the procedure to align with the new GDPR regulation. If a breach does occur, you must notify the data protection authority within 72 hours. An assessment must be made of the severity of the data breach, and if it is found to be of high risk, the data subjects must be notified immediately.
- Organisations that regularly monitor or process large quantities of personal data must ensure that a Data Protection Officer (DPO) is appointed either internally or externally. They must be an expert in data protection law and must be able to work independently and report directly to senior management. Using the Privacy by Design method, Data Protection Officers must ensure that risk assessments are conducted on processes that may impact a consumer's data rights. Refer to the data protection guidance for appropriate qualifications for data protection officers and guidelines on the role of a data protection officer.
- Introduced alongside the new GDPR is a mechanism called the One Stop Shop (OSS). This OSS mechanism will mean that if your organisation has several establishments, your organisation will only have to deal with one Lead Supervisory Authority (LSA) for guidance and enforcement of your processing activities in the country of your main establishment. This should enable organisations to have a uniform method or system for collecting and processing data, as they will no longer have to deal with different supervisory authorities in their individual locations. Your organisation must be based in the EU and must be involved in cross-border processing for the OSS to apply. Refer to the following document for guidelines on identifying your Lead Supervisory Authority.
7. What could happen if your organisation does not comply with the GDPR?
Not complying with the changes to the data protection legislation could mean that your company may face a fine of up to €20,000,000 or 4% of annual turnover, whichever is higher.
8. What do you need to do to apply for GDPR Certification?
The National Standards Authority of Ireland (NSAI) provides certification to ISO/IEC 27001. ISO 27001 is the standard for Information Security Management Systems, and certification to it can be used as evidence of compliance with GDPR. Refer to the NSAI website for details on acquiring ISO/IEC 27001 certification.
The ISO/IEC 27003:2010 standard for Information Technology – Security Techniques can also be used as a guidance document.
As detailed on the NSAI website, to obtain certification to ISO/IEC 27001, the following steps must be taken:
- Acquire a copy of the ISO/IEC 27001:2017 standard (http://www.standards.ie/)
- Conduct a self-assessment to determine how ready your organisation is (Self-Assessment Form)
- Follow the system implementation methodology
- Complete the request application form: Request for Quotation/Application Form
- Send the completed request form to NSAI for a quotation
- Once the quotation is received, formalise the application by signing the quotation and returning the signed quotation to the NSAI
- NSAI will make contact to agree the dates for phase 1 of the assessment
- A certification audit will be conducted on the agreed date
- Certification will be decided and issued by the NSAI.
https://www.dataprotection.ie/docs/Home/4.htm – website for Data Protection Commissioner Ireland / An Coimisinér Cosanta Sonraí
https://www.eugdpr.org/ – Education website for the General Data Protection Regulation