
AMCs and the General Data Protection Regulation (GDPR): Does the new law apply to my organization?

Panelists:
• David Holtzman – VP Compliance Strategies, CynergisTek
• Karen Pagliaro-Meyer – Chief Privacy Officer, Columbia University Medical Center
• Lynn Rohland – Partner, RGP
• Robert Webster – Privacy Counsel, LabCorp

June 12, 2018 – GDPR Panel: NCHICA Conference June 11-12, 2018 – 14th AMC Security and Privacy Conference

Session Objectives:
• Review the requirements of the General Data Protection Regulation (GDPR)
• Discuss how the GDPR may apply to AMCs
• Actionable steps to achieve compliance and mitigate risks

In-Session Surveys:
• We will use Poll Everywhere during our panel discussion.
• Participate by either sending a text message or by visiting the URL from any web browser.
• Now would be a good time to take a moment to get you set up; please pull out your electronic device.
• Don’t forget to silence it please to minimize disruption.
• Let’s take 1 minute to walk through it:

Poll Everywhere Instructions:
Let’s do one quick question right now to get the hang of it:
• For text voting, start a new text to the 5-digit number ##### (To Be Provided).
• For web voting, type into your browser: Pollev.com/lynnrohland

Practice Question:
• Is this the first time you have attended the AMC Conference?
– a) Yes
– b) No
– c) I can’t recall
Yes


What are people saying about GDPR?


Survey Question #1:
• Does GDPR impact your organization’s business goals or internal operations?
– a) Yes
– b) No
– c) Unsure

Survey Question #2:
• How far along is your organization in preparing for the GDPR?
– a) Completed or Near-Completion
– b) In-Progress or Beyond Planning Stage
– c) Not Started or in Planning Stage
– d) Not Applicable to my Organization
– e) Unsure

Survey Question #3:
• Are clients, vendors or other business partners inquiring about your organization’s GDPR preparedness?
– a) Yes
– b) No
– c) Unsure

GDPR Overview:
• The GDPR is an omnibus data protection law, which will come into effect on May 25, 2018 and replace the EU Data Protection Directive (1995).
• The GDPR sets standards for the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.

GDPR Overview (cont’d):
• This regulation applies to any organization offering goods and services in the EU, regardless of geographic location, that controls or processes the data of an EU resident.
• Penalties for failing to comply with the basic processing principles of GDPR may subject the organization to fines up to €20 million or 4% of the organization’s total global revenue, whichever is greater.

GDPR Overview (cont’d):
• Key definitions under the GDPR:
– Personal Data – any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, including name, identification number, location data or online identifier
– Processing – obtaining, recording or holding information, or carrying out any operation or set of operations on information

GDPR Overview (cont’d):
• Key definitions under the GDPR:
– Controller – determines the purposes and means of processing personal data
– Processor – responsible for processing personal data on behalf of a controller
• Example: A Company engages a vendor to help manage its payroll operations. The Company transmits the employee demographic data to the vendor so that the vendor can manage payroll for the employees. (Here the Company is the controller and the vendor is the processor.)

GDPR Overview (cont’d):
[Figure: diagram of data flows among a US Company, its EU Subsidiaries, EU Clients, EU Citizens and Third Parties]

FAQ on Scope of GDPR:
• Does GDPR apply to non-EU organizations which only process data about non-EU data subjects, but use servers located in the EU to do so? Yes
• Does GDPR apply to non-EU organizations which only process data about non-EU data subjects, but which use an EU processor to do so? Probably… understanding of GDPR is evolving
• Does GDPR apply to a non-EU organization which only uses non-EU equipment to process data about EU data subjects? No

Q&A Session:
• Which health sectors does GDPR impact?
• And what are their greatest risks?

Q&A: Which health sectors does GDPR impact?
• The healthcare industry is better positioned to comply with GDPR than most industries, most notably due to the HIPAA Privacy Rule.
• GDPR builds upon similar HIPAA data protection principles, concepts and themes enforced since 4/14/2003.
• Impacts providers, insurers, third-party administrators, and researchers that collect and/or process data of EU residents.

Q&A: Which health sectors does GDPR impact (cont’d)?
• It also impacts ancillary markets such as telemedicine, virtual health solutions, and clinical research on cures and pharmaceuticals.
• And of course, there are impacts for cloud services that process and store health data, such as genomic cloud computing.
• And here’s why…

Q&A: Which health sectors does GDPR impact (cont’d)?
• It further categorizes three (3) additional health data definitions:
1. Data Concerning Health
2. Genetic Data
3. Biometric Data
• Companies must disclose precisely how they're using patient data.
• Patient permissions cannot be bundled together — patients must consent to each permission independently.
• Data Protection Impact Assessments (DPIAs) are required when health data of the three kinds mentioned above are processed on a large scale.

Q&A: What risks does GDPR present to the health sectors?
• GDPR has compelled a cultural shift.
• Data protection is no longer viewed simply as a ‘compliance’ activity but rather as a thorough examination of an organization’s data handling practices and its data flows.
• GDPR is privacy from the perspective of the EU data subject.
• Those that fail to acknowledge and adopt this principle are at greatest risk.

Scenario #1: You are a US-based online telehealth service. What if you have incidental EU encounters?

Applicability Criteria Analysis:

Is the processing of data “in the context of the activities” of an establishment of a controller or processor in the EU?
• No

Are you offering goods and services to data subjects in the EU?
• Website localization? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• Email registrants: service vs. marketing emails?

Are you monitoring the behavior of data subjects in the EU?
• Use of targeting/retargeting platforms?

Scenario #1: Analysis
• You are a US-based online telehealth service. What if you have incidental EU encounters?
– Conclusion: Maybe subject to GDPR
– Many factual considerations to take into account. “Mere accessibility” is not enough… consider the “nexus” to European data subjects
– Even if technically subject to GDPR, it may be low risk to proceed as if GDPR does not apply until the quantity of EU encounters grows or other risk triggers occur (e.g. complaints)
– Risk-based decisions need to weigh the likelihood of enforcement against the burdens of compliance overheads:
• appointment of an EU representative, compliance with GDPR fair processing requirements, vendor terms, data export rules

Scenario #2: Data hosted in the EU?

Applicability Criteria Analysis:

Is the processing of data “in the context of the activities” of an establishment of a controller or processor in the EU?
• Unclear. Is the processing “in the context of the activities” of the US-based data controller, in which case this limb does not apply? Or of the EU data processor, in which case it does apply?
• Even if the controller is not directly subject, the processor will be, with indirect compliance considerations for the controller

Are you offering goods and services to data subjects in the EU?
• Website localization? (Domain names, language, other?)
• Acceptance of EU currencies?
• Delivery to EU addresses?
• Email registrants: service vs. marketing emails?

Are you monitoring the behavior of data subjects in the EU?
• Use of targeting/retargeting platforms?

Scenario #2: Analysis
• What if you host the data from US operations in the EU?
• Bottom line: Maybe subject to GDPR
• Unclear legal test of whose “activities” trigger GDPR requirements
• Even if technically subject to GDPR, it may be low risk to proceed as if GDPR does not apply. Some Data Processors may try to “flow up” some compliance responsibilities through the vendor terms required by GDPR

Scenario #3: EU patient(s) in US healthcare facility?

Applicability Criteria Analysis:

Is the processing of data “in the context of the activities” of an establishment of a controller or processor in the EU?
• No – no EU establishment

Are you offering goods and services to data subjects in the EU?
• No – you are not processing personal data of data subjects in the EU
• What about when they return to the EU? Is it “apparent” that you “envisage” processing their data?
• What if you also send promotional follow-ups? Is it apparent that you intend to market to individuals in the EU? Is it focused on EU “customers”?

Are you monitoring the behavior of data subjects in the EU?
• Are you conducting email-opening analysis?
• Monitoring access to a PHR or EHR?

Scenario #3: Analysis
• EU patients treated in a US facility
• Bottom line: Unlikely that the data will be subject to GDPR
• No establishment of the business located in the EU
• No processing of personal data of data subjects in the EU – your patients are not in the EU
• What about when the patient returns to the EU?
• What if you continue to contact or monitor the patient after they return to the EU?

Q&A Session:
• If an AMC is impacted by the GDPR, what are some approaches to compliance?

Q&A Session:
• What are some common misunderstandings or oversights about the GDPR in your organization?

Q&A Session:
• The GDPR is already in effect. How can I expedite my organization’s compliance efforts, and what are the “Do’s and Don’ts” to look out for?

Q&A Session:
• Open to the audience.

Emerging Themes:
• Most EU member states have not established their laws enacting GDPR standards or enforcement programs
• Activists are pursuing test cases against companies that collect or process large amounts of personal data:
– Google
– LinkedIn
– Facebook
• Electronic data standards under development

Survey Question #4:
• Do I have the information necessary to assist my organization’s GDPR compliance efforts?
– a) Yes
– b) No
– c) Getting There
– d) Unsure

Survey Question #5:
• Do I now think that my organization may need to look further into the compliance requirements of the GDPR?
– a) Yes
– b) No
– c) Still Unsure

Thank You for Participating
• Additional information on the GDPR:

Resource – Web Link to Source
• Full Text of the GDPR – http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
• Information Commissioner’s Office (ICO) Guide to the GDPR – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr
• EU GDPR Information – https://www.eugdpr.org/
• European Commission Article 29 Working Group Newsroom on the GDPR (Guidance Papers) – http://ec.europa.eu/newsroom/article29/news-overview.cfm
• A Primer on the GDPR: What You Need to Know – http://privacylaw.proskauer.com/2015/12/articles/european-union/a-primer-on-the-gdpr-what-you-need-to-know/
• 5-Minute Video on the GDPR – https://www.youtube.com/watch?v=cBRUYUheTTs
• What Does the GDPR Mean for Global Data Protection? (Infographic) – https://digitalguardian.com/blog/what-does-gdpr-mean-global-data-protection-infographic