New European data privacy and security legislation, the General Data Protection Regulation (GDPR), has been passed, and while this law is applicable in Europe, there are also GDPR requirements for US companies, including for organizations in the healthcare industry.
The new legislation, which has a go-live date of May 25, 2018, requires a range of protections to be implemented to keep the data of EU consumers secure and to safeguard their privacy. Healthcare groups are in a good position to comply with GDPR regulations since they are already obligated to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that healthcare groups will not run afoul of GDPR. GDPR requirements for US companies cover elements of privacy and security that are not required for HIPAA compliance.
Why Do US Companies have to Conform with GDPR?
GDPR is concerned with safeguarding the privacy of EU citizens and securing their data, so why are there GDPR requirements for US firms? The purpose of GDPR is to give data subjects greater control over the data that is collected, stored, and used by others. It is irrelevant where in the world an entity is based: if that entity does business with EU citizens that involves collecting or processing personal data, it must comply with GDPR. Simply complying with the existing data privacy and security regulations of the country in which the entity is based is not enough.
US Companies and GDPR Requirements
GDPR, of course, applies to multinational companies that have an office in the EU or do business in the EU, but simply closing an EU office is not enough to avoid GDPR compliance. GDPR is about data, not about where an organization has an office.
GDPR also applies to organizations of all sizes. It doesn’t matter if you are a small one-person practice or a large organization with thousands of workers. If you gather or process data on EU citizens, GDPR compliance is not optional.
GDPR takes the place of the EU Data Protection Act of 1998, which placed responsibility only on the data controller, not on processors of data. If you processed data for another firm (the controller), it was that company that had to comply with the previous regulations. GDPR applies to both processors and controllers; both parties are now responsible for safeguarding the privacy rights of EU citizens.
GDPR defines personal data as “Any information relating to an identified or identifiable natural person.” That includes names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media platforms, and a person’s IP address.
The rights given to EU citizens and the major GDPR requirements for US companies include:
- Ensuring data is only gathered when there is a legal and lawful reason for doing so.
- Receiving permission before personal data is collected, stored, or processed.
- Obtaining consent from parents or legal guardians before children’s data is gathered or processed.
- Adopting controls to ensure the confidentiality of data is protected.
- Training employees on the appropriate handling of personal data.
- Ensuring EU citizens’ right to be forgotten can be respected and that it is possible to permanently erase all gathered data.
- Ensuring EU citizens are aware of how their information will be gathered and used, similar to the Notice of Privacy Practices required by HIPAA.
- Ensuring data transfers across borders occur in line with GDPR regulations.
- Putting data breach notification policies in place to ensure EU citizens are notified of a breach of their personal data.
- It may also be necessary for groups to hire a Data Protection Officer. That individual must have a good understanding of GDPR requirements for US companies as well as the infrastructure and organization of their firm/group.
What Steps Must US Companies Take to Ensure Compliance with GDPR?
- The GDPR requirements necessary for US companies depend on whether you are a data controller or data processor. Decide whether you are a controller, processor, or both.
- Ensure you know all the data you gather or use, where that data originated, every entity it has been shared with, and every location where it is stored.
- You must carry out a full audit, which can be a labor-intensive and time-consuming process.
- Determine whether you need to hire a Data Protection Officer and appoint a contact who will liaise with the GDPR supervisory body.
- Formulate consent and disclosure forms covering all potential uses of data.
- Ensure you can detect, respond to, and report data breaches, and have policies in place to notify EU citizens of those breaches.
- Review your Notice of Privacy Practices and make sure it meets GDPR obligations.
- Make sure your business associates and their subcontractors are aware of their obligations under GDPR.
- Check your policies on data retention and make sure they comply with GDPR requirements. There is a maximum time limit for the storage of data on EU citizens, and data can only be retained until the purpose for which the information was gathered has been achieved.
- If you transfer data across borders, you must check that GDPR requirements are met.
Penalties for Noncompliance with GDPR
Fail to comply with GDPR requirements for US companies and you could be fined by the EU. The penalties for noncompliance with GDPR can be harsh. A violation of GDPR can result in a fine of up to 20,000,000 Euros ($23,138,200) or 4% of the company’s annual global revenue, whichever figure is higher. That is far higher than the penalties for HIPAA violations. However, that fine could be higher still.
Becoming GDPR Compliant May Not be as Simple as You Think
Since achieving compliance with GDPR may not be easy, meeting the May 25 deadline could be tricky, especially for any group that has yet to develop its compliance strategy. Forward-thinking companies began their compliance programs soon after the EU directive was published, but many firms have yet to start.
According to figures from PwC, 68% of groups have spent between $1 million and $10 million to meet GDPR requirements for US companies. 9% of US firms say they have invested more than $10 million on GDPR compliance.
If you are unsure how GDPR will affect your business, whether your compliance program is sufficient, or where to begin with GDPR compliance, it is strongly recommended that you seek guidance from compliance experts. They can guide you through the process and ensure that, come the deadline, your policies, procedures, systems, and data privacy and security strategies meet the standard required under the new EU Directive.