General Data Protection Regulation: What It Means For US Healthcare/Life Science Companies (Part Two)

This is the second post in a three-part series designed to provide a summary of some of the GDPR features that are likely to have the most substantial impact on healthcare/life science related businesses. (Links for Part One and Part Three)

New General Features of the GDPR

Some of the GDPR general features may be of particular interest for companies in the healthcare/life science sectors.

One Stop Shop

Until now, groups of companies established in Europe had to deal with as many Data Protection Authorities as countries in which they were operating. The GDPR sets up the so-called one-stop shop mechanism, which is aimed at simplifying the life of businesses. Indeed, a company established in more than one Member State will have to indicate its main establishment to the Supervisory Authority (formerly called Data Protection Authority) of the Member State where that main establishment is located, and will deal with that sole Supervisory Authority, called the “Lead Supervisory Authority”, for all its data protection issues in Europe (Article 56).

For the data controller (i.e., the entity that makes the decisions), the main establishment should be the place where the decisions on the purposes and means of the processing of personal data are taken. For the data processor (i.e., the entity that processes the data on behalf of someone else), the main establishment should be the place of its central administration in the EU. This is clearly a more business-friendly provision.

On the other hand, European citizens will be allowed to lodge a complaint not only with the Lead Supervisory Authority designated by the data controller but with the Supervisory Authority in any Member State. The idea behind that is to provide individuals with effective means of redress.

In practice, for example, a US healthcare/life science company that has its European headquarters in France will have to deal with the French Supervisory Authority for general data protection matters, but individuals could sue it in the courts of their own Member State.

Appointment of Data Protection Officers (“DPOs”)

It is now mandatory for a company to appoint a DPO where its core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing on a large scale of sensitive data (Section 4).

The GDPR does not define what constitutes a processing on a large scale, but the Article 29 Working Party (the “WP29”) issued useful guidelines on DPOs. According to the WP29, it is not possible to give a precise number, though it recommends that the following factors be considered:

  • The number of data subjects concerned – either as a specific number or as a proportion of the relevant population
  • The volume of data and/or the range of different data items being processed
  • The duration, or permanence, of the data processing activity
  • The geographical extent of the processing activity

For example, according to the WP29, the processing of patient data in the regular course of business by a hospital is “large scale” but the processing of patient data by an individual physician is not.

Concerning the responsibilities of DPOs, at a minimum they include: informing the company and its employees of their obligations under data protection law, monitoring the company’s compliance, monitoring privacy impact assessments, cooperating with supervisory authorities and handling data subjects’ inquiries.

A DPO may be appointed from within the company and carry out other tasks as well (as long as there are no conflicts of interest), but the GDPR requires that DPOs perform their duties and tasks in an independent manner and with a sufficient degree of autonomy. This means that DPOs must not be instructed how to deal with a matter or whether to consult the Supervisory Authority.

Data Breach Notification

The GDPR introduces a new obligation for companies to notify data breaches to the appropriate Supervisory Authority within 72 hours, and the notification must be documented. Companies will also have to notify the data breaches in question to the affected individuals without undue delay “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons” (Article 34).

This “high risk” is not defined in the GDPR. In our opinion, it will have to be assessed on a case-by-case basis, and the sensitivity of the personal data should be taken into account.

Data Protection Impact Assessment (DPIA)

A DPIA is a process designed to describe the processing of personal data, assess the necessity and proportionality of the processing, and help manage the risks to the rights and freedoms of individuals resulting from the processing.

These assessments are mandatory where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. In particular, a DPIA must be carried out where personal data processing involves “the processing on a large scale of [sensitive data]”, i.e., including health data (Article 35).

This new obligation is worth mentioning because it will most likely become a frequent task for those healthcare/life science companies which process large amounts of health data. It may become a heavy process, and they should prepare for it.
