How should Indian healthcare organisations handle their new responsibilities under the GDPR? A starting point is knowing about the major categories of rights and obligations to be observed. In each case, the organisation concerned needs to assess whether the solution is better technology, changes to internal processes, or both.
Hospitals and other healthcare establishments must be able to show they are taking adequate precautions to protect everyone’s data properly. This includes data in storage (using disk encryption, for example) and in transit (for instance, secure network links). Technology will play a part in preventing unauthorised access and alerting IT teams to abnormal events or data flows. Information access policies that limit access to ‘need to know’ and proper staff information security awareness will also be crucial.
The majority (80% according to some estimates) of data breaches and leaks can be attributed to human error. Caregivers and other members of staff may not yet understand the importance of proper handling of confidential data. Regular awareness campaigns and training sessions are good practice anyway and should now be updated to include GDPR. Suppliers and partners must be vetted for staff awareness and GDPR compliance too.
According to the General Data Protection Regulation, consent of individuals for the use of their data must be ‘freely given, specific, informed and unambiguous’. This means that terms and conditions must be clear and simple. Consent must be opt-in (no consent by default). If data is to be used for any purpose other than medical care, this must also be made clear and separate opt-in permission sought.
Part of the GDPR concerns the right of European Union individuals to have their personal data removed from an organisation’s database. This may need to be balanced against other legal requirements, such as maintaining billing records for healthcare provided. Clearly, where there are no other legal requirements to retain data and an individual from the EU demands that his or her data be deleted, the organisation in question must comply. For other cases, professional legal advice is recommended. This also applies to other individuals’ GDPR data rights, such as the right to rectify information and to have it transferred from one entity to another (data portability).
If your organisation provides services to EU citizens and collects and/or processes their personal data, GDPR compliance will be mandatory. If you are not yet compliant, your first and immediate action will be to define a clear plan for becoming compliant rapidly. Your second step will then of course be to follow through on the execution and completion of that plan without delay. Remember also that professional consulting and data security companies with GDPR knowledge and skills can help you to steer your course towards compliance in an effective, efficient, and timely way.