EU General Data Protection Regulation (GDPR)

May 23, 2018
Dixie B. Baker, Ph.D.

Agenda
- GDPR Basics
- Key Changes from Data Protection Directive
- Special Categories
- Consent Conditions and Elements
- HIPAA and GDPR: Key Differences
- Determining Whether Your Organization Needs to Comply

General Data Protection Regulation (GDPR): Basics [1]
- Replaces Data Protection Directive 95/46/EC and aims to harmonize data privacy laws across Europe
- Enforcement begins May 25, 2018 (two days after this presentation)
- Consumer-centric regulation that focuses on controllers (a person or entity that determines the purposes and means of processing personal data) and processors (a person or entity that processes* personal data on behalf of the controller)
- Protects the rights of natural persons in the EU (data subjects**), regardless of where the controller or processor is located, and the free movement of data within the EU

* Processing includes automated, semi-automated, and manual processing
** The regulation speaks of "data subjects", i.e., natural persons, not of citizens; nationality is not a criterion

Key Changes from Data Protection Directive (1 of 2) [2]
- Expanded territorial scope: applies to all entities collecting or processing the personal data of EU citizens, regardless of the entity's location
- Increased penalties for non-compliance with key provisions: up to 4% of global annual turnover (or EUR 20 million, whichever is higher)
- Stronger conditions for consent: clear and plain language, specification of purpose, and withdrawing consent must be as easy as giving it
- Breach notification to the supervisory authority within 72 hours
- Right for data subjects to obtain from the controller confirmation of whether their personal data are being processed, where and for what purpose, and to obtain a copy

Key Changes from Data Protection Directive (2 of 2)
- Right to be forgotten (a.k.a. data erasure): the right of the data subject to have her personal data removed from a system and to have third parties halt processing of the data
- Data portability: analogous to HIPAA's view, download, and transmit (VDT) requirement
- Privacy by design: built into the system from the outset
- Data Protection Officers: a change from external reporting (notifying the local data protection authority of processing activities) to internal record keeping
- New requirements that seem to target cloud computing and big-data analytics

Special Categories of Information
"Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited" [Article 9(1)] unless one of the exceptions in Article 9(2) applies

Relevant Special Category Exceptions [Article 9(2)]
(a) The data subject has given explicit consent [to the processing of the special category of information] for one or more specified purposes
(j) Processing is necessary for scientific or historical research purposes, and "shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject"

Processing of Special Categories
Processing special categories (e.g., health or genetic information) requires both:
1. The processing must be lawful (Article 6), and
2. At least one of the exceptions specified in Article 9(2) must apply

Lawfulness of Processing
Processing is lawful if at least one of the following applies:
1. The data subject has given consent to the processing for one or more specific purposes; or
2. The processing is necessary for one of 5 reasons relating to contractual or legal compliance, the vital interests of the subject, the public interest, or the legitimate interests of the controller

Explicit Consent
Explicit consent is required in certain situations where serious data protection risks emerge, hence, where a high level of individual control over personal data is deemed appropriate (WP29 Guidelines on consent under the GDPR, December 2017):
- When processing special categories of information
- When personal information is used in automated individual decision-making, such as profiling
- For data transfers to third countries or international organizations
The consent guidelines seem to be saying that broad consent is sufficient under Article 6 (lawfulness), but that explicit consent is required for these special cases

Consent Conditions
- Clear explanation of the processing being consented to
- Genuine, voluntary opt-in
- Withdrawing consent must be as easy as giving it
- The organization does not rely on silence or inactivity as consent (e.g., pre-ticked boxes do not constitute valid consent)

Genuine, Voluntary Opt-In Example [3]
(The example on this slide is an image that was not captured in the transcription.)

Elements in Consent to Collect (1 of 2)
1. Identity and contact information for the controller
2. Contact information for the Data Protection Officer
3. Purposes of the processing
4. Categories of data
5. When applicable, the legitimate interest of the controller for which the data are needed
6. Recipients
7. Where applicable, the controller's plan to transfer data to a third country or international organization (implications for the use of cloud computing)

Elements in Consent to Collect (2 of 2)
8. Period of time the data will be stored
9. Right to request correction or erasure
10. Right to withdraw consent
11. Right to lodge a complaint
12. Source of the personal data
13. Existence of automated decision-making, including profiling, the logic involved, and the potential consequences for the subject (targets big-data analytics)

HIPAA and GDPR: Key Differences (1 of 3)

Relevant data
  HIPAA: Identifiable health information
  GDPR: Personally identifiable data

Who must comply
  HIPAA: Covered entities and business associates
  GDPR: Entities that collect or process the personal data of EU citizens

Consent
  HIPAA: Requires patient authorization for access, use, and exchange other than for treatment, payment, and healthcare operations, with public health/safety/legal exceptions
  GDPR: Requires consent for collection and processing, with contractual/legal/public-interest exceptions

Research
  HIPAA: Permits disclosure for activities preparatory to research
  GDPR: Use of personal data for research requires consent or the Article 9(2)(j) research exception; there is no exception for activities preparatory to research

Breach notification
  HIPAA: Within 60 days
  GDPR: Within 72 hours

HIPAA and GDPR: Key Differences (2 of 3)

De-identification
  HIPAA: Specifies methods for de-identifying protected health information
  GDPR: Excludes anonymized data, but does not specify an anonymization method

Special categories requiring explicit consent
  HIPAA: The only special category is psychotherapy notes, which require authorization for use or disclosure, with some TPO (treatment, payment, operations) exceptions
  GDPR: Special categories include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation; processing is prohibited without the individual's explicit consent or an applicable exception

Collection authorization
  HIPAA: Covered in the Notice of Privacy Practices
  GDPR: Specific consent required to collect personal data

Broad vs. explicit consent
  HIPAA: Simple authorization
  GDPR: The consent required for lawful processing refers to all personal data; explicit consent is required for special categories

HIPAA and GDPR: Key Differences (3 of 3)

Consent
  HIPAA: Specifies core elements of patient authorization
  GDPR: Specifies elements of consent for collection, but not for processing; consent must be in plain, understandable language

Right to be forgotten
  HIPAA: No requirement
  GDPR: Erasure upon request, including production systems and archived files

Control over processing
  HIPAA: No requirement
  GDPR: Right to object to processing

Propagation of changes
  HIPAA: No requirement
  GDPR: When data are corrected or erased, or processing is restricted, the controller must notify each recipient with whom the data have been shared

Profiling
  HIPAA: No requirement
  GDPR: Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other significant effects; the exceptions do not apply if special categories of information are used

Do You Need to Comply with GDPR? [3]
1. Do you have people from the EU on your email or mailing list, or in your contacts database?
2. Do you have forms that enable users to enter a non-US address or specify that they're from another country?
3. Do you have purchase or donation forms that allow people to pay using a European currency?

If You Answered Yes
- Conduct a high-level review of the EU data you hold
- Assess whether the value of your EU data justifies the cost of modifying systems and operations to attain GDPR compliance
- If so, hire an attorney and an implementer with GDPR expertise to help you plan for compliance
- If not, delete all of the EU data you hold in your systems and backups, and modify your forms to clarify that you are not soliciting EU customers, participants, or contributors

Questions?

References
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council, 27 April 2016 (accessed 4/20/18)
[2] EUGDPR.org. GDPR Key Changes (accessed 4/24/18)
[3] Medium. GDPR for US Not-for-Profits: What You Need to Know (accessed 5/23/18)