EU General Data Protection Regulation (GDPR)

May 23, 2018
Dixie B. Baker, Ph.D.

Agenda

• GDPR Basics
• Key Changes from Data Protection Directive
• “Special Categories”
• Consent Conditions and Elements
• HIPAA and GDPR: Key Differences
• Determining Whether Your Organization Needs to Comply

General Data Protection Regulation (GDPR) [1] Basics

• Replaces Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe
• Enforcement begins in two days – May 25, 2018
• Consumer-centric regulation – focuses on “controllers” (person or entity that determines the purposes and means of processing personal data) and “processors” (person or entity that processes* personal data on behalf of the controller)
• Protects the rights of EU citizens** regardless of their location, and the “free movement” of data within the EU

* Includes automated, semi-automated, and manual
** Actually “natural persons” or “data subjects”

Key Changes from Data Protection Directive [2] (1 of 2)

• Expanded territorial scope – applies to all entities collecting or processing the personal data of EU citizens, regardless of the entity’s location
• Increased penalties for non-compliance with key provisions, up to 4% of global annual turnover
• Stronger conditions for consent – clear and plain language, specification of purpose; as easy to withdraw consent as it is to give it
• Breach notification within 72 hours
• Right for data subjects to obtain from the controller whether personal data are being processed, where and for what purpose, and to obtain a copy

Key Changes from Data Protection Directive (2 of 2)

• Right to be forgotten – a.k.a. Data Erasure, the right for the data subject to have her personal data removed from a system and to have third parties halt processing of the data
• Data portability – analogous to HIPAA’s “view, download, and transmit (VDT)”
• “Privacy by design” – built into the system from the outset
• Data Protection Officers – change from external reporting to internal record keeping
• New requirements that seem to target cloud computing and big-data analytics

“Special Categories” of Information

• “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited” [Article 9] unless…


Relevant “Special Category” Exceptions

• (a) Data subject has given explicit consent [to process special category of information] for defined purposes

• (j) Processing is necessary for … scientific or historical research purposes … shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.


Processing of “Special Categories”

• Processing “special categories” (e.g., health, genetic information) requires:

1. Processing must be lawful (Article 6), and
2. At least one of the exceptions specified in Article 9 must apply

Lawfulness of Processing

Processing is “lawful” if at least one of the following applies:

1. Data subject has given consent to processing for one or more specific purposes; OR
2. Processing is necessary for one of 5 reasons relating to contractual or legal compliance, vital interests of the subject, public interest, or controller interests

“Explicit” Consent

• When processing “special categories” of information

• When personal information is used in automated individual decision-making, such as profiling

• Data transfers to third countries or international organizations

The GDPR Consent Guidelines seem to be saying that “broad” consent is sufficient under Article 6 (lawfulness) but that “explicit” consent is required for these special cases.

“Explicit consent is required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate” (GDPR consent guidelines, WP29, December 2017)

Consent Conditions

• Clear explanation of the processing being consented to
• Genuine, voluntary “opt-in”
• Consent withdrawal must be as easy as giving consent
• Organization does not rely on silence or inactivity as “consent” (e.g., pre-ticked boxes do not constitute valid consent)

Genuine, Voluntary Opt-In Example [3]

(slide image not reproduced in the transcript)

Elements in Consent To Collect (1 of 2)

1. Identity and contact information for controller
2. Contact for Data Protection Officer
3. Purposes for processing
4. Categories of data
5. When applicable, legitimate interest of controller for which data are needed
6. Recipients
7. Where applicable, controller’s plan to transfer data to a third country or international organization (implications for use of cloud computing)

Elements in Consent To Collect (2 of 2)

8. Period of time data will be stored
9. Right to request correction or erasure
10. Right to withdraw consent
11. Right to lodge a complaint
12. Source of personal data
13. Existence of automated decision-making, including profiling, logic involved, and potential consequences for subject (targeting “big data” analytics)

HIPAA and GDPR: Key Differences (1 of 3)

Relevant data
  HIPAA: Identifiable health information
  GDPR: Personally identifiable data

Who must comply
  HIPAA: Covered entities and business associates
  GDPR: Entities that collect or process personal data of EU citizens

Consent
  HIPAA: Requires patient authorization for access, use and exchange other than treatment, payment, healthcare operations; with public health/safety/legal exceptions
  GDPR: Requires consent for collection and processing, with contractual/legal/public-interest exceptions

Research
  HIPAA: Permits disclosure for activities preparatory to research
  GDPR: Use of personal data for research requires consent; no exception for “preparatory to research”

Breach notification
  HIPAA: Within 60 days
  GDPR: Within 72 hours

HIPAA and GDPR: Key Differences (2 of 3)

De-identification
  HIPAA: Specifies methods for de-identifying protected health information
  GDPR: Excludes “anonymized” data, but does not specify anonymization method

“Special categories” requiring explicit consent
  HIPAA: Only “special category” is psychotherapy notes – requires authorization for use or disclosure, with some TPO exceptions
  GDPR: “Special categories” include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation – processing is prohibited without individual’s explicit consent or applicable exception

Collection authorization
  HIPAA: Covered in Notice of Privacy Practices
  GDPR: Specific consent required to collect personal data

Broad vs. “explicit” consent
  HIPAA: Simple “authorization”
  GDPR: Consent required for “lawful processing” refers to all personal data; “explicit” consent required for “special categories”

HIPAA and GDPR: Key Differences (3 of 3)

Consent
  HIPAA: Specifies core elements of patient authorization
  GDPR: Specifies elements of consent for collection, but not processing. Consent must be in plain, understandable language.

“Right to be forgotten”
  HIPAA: No requirement
  GDPR: Erasure upon request – includes production systems, archived files

Control over processing
  HIPAA: No requirement
  GDPR: Right to object to processing

Propagation of changes
  HIPAA: No requirement
  GDPR: When data are corrected, erased, or processing restricted, controller must notify other controllers with whom data have been shared

Profiling
  HIPAA: No requirement
  GDPR: Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects. Exceptions are N/A if “special categories” of information are used.

Do You Need to Comply with GDPR? [3]

1. Do you have people from the EU on your email or mailing list, or in your contacts database? (Yes / No)
2. Do you have forms that enable users to enter a non-US address or specify that they’re from another country? (Yes / No)
3. Do you have purchase or donation forms that allow people to pay using European currency? (Yes / No)

If You Answered “Yes”

• Conduct a high-level review of the EU data you hold
• Assess whether the value of your EU data justifies the cost of modifying systems and operations to attain GDPR compliance
  – If so, hire an attorney and implementer with GDPR expertise to help you plan for compliance
  – If not, delete all of the EU data you hold in your systems and back-ups, and modify your forms to clarify that you are not soliciting EU customers, participants, or contributors

Questions?


References

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council. Apr 27, 2016. Available from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN (accessed 4/20/18)

[2] EUGDPR.org. GDPR Key Changes. Available from https://www.eugdpr.org/key-changes.html (accessed 4/24/18)

[3] Medium. GDPR for US Not-for-Profits: What you need to know. Available from https://medium.com/@forward_action/gdpr-for-us-not-for-profits-what-you-need-to-know-4cfee1a1b8e3 (accessed 5/23/18)
