1. Can you outline your top 3 areas of healthcare that will be impacted by GDPR?
“Almost everyone will see some impact from GDPR. Rather than focussing on types of healthcare, I have chosen three types of data to emphasise how wide-ranging it will be and that it is something which every organisation will need to consider. First is obviously patient data. This can be sensitive information about health, and it is important that it is handled appropriately. Second is employee data – even businesses who aren’t consumer facing are likely to handle sensitive information about their employees, such as sickness records. Employees also expect their financial information to be held securely. Finally, there is data about other contacts – including business contacts, such as suppliers. A lot of people ignore this when thinking about personal data and, although there tends to be a more flexible approach to how this is used due to the lower expectation of privacy, there are still data protection implications to consider.”
2. Does GDPR have the potential to really transform customer relationships and start to do things properly in terms of personalisation and being proactive with customers?
“A lot of people talk about consent and choice when they talk about GDPR. It’s important to remember that consent is only one of the reasons you can use to legitimise processing data, but it’s definitely important. Where you are able to, give choices and act on them. It can empower the customer and make them feel like they have a say in how their data is used. Giving customers control can help to shape relationships in a positive way.
Some of the new data subject rights also help customers feel in control – for example, they have stronger rights to stop how their data is to be used if they change their mind about consent. Of course, choice isn’t always appropriate and, in some situations, you can use data without consent, in the same way as under the current law. But you can still build the customer relationship by being clear about what you use data for and why you do it. The GDPR has much stronger transparency obligations. Demonstrating that you have thought about how you use data and have put appropriate protection in place can definitely help, even where the customer has no choice.”
3. Will a set of Europe-wide data rights change patient attitudes towards sharing their personal data?
“Patients can be reluctant to share their data if they are unclear how it will be used and who will have access to it. A lack of transparency can make people suspicious and too many organisations have historically hidden things away in small print, leading to distrust. There have also been concerns around security. Being transparent by providing clear, understandable and relevant information can help to build a more open, trusting relationship. It is also useful to demonstrate that you have robust security and governance in place as these have historically been concerns about data sharing arrangements.”
4. Will the internal changes healthcare organisations need to make to comply with GDPR lead to them becoming better at the collection and analysis of their data?
“Preparing for GDPR involves having a good look at what data you collect and why you use it. This is likely to identify things you can do better – for example if you give appropriate information and obtain necessary consents when the data is collected this can enable you to use the data more widely at a later stage. It can also help identify data which you don’t actually use and no longer need to store, or where you hold multiple overlapping datasets which would be more powerful if they were combined into a single database. It is increasingly important to look at data as an asset – an asset which you need to use in accordance with the law, but which can bring value to your organisation if you do so correctly.”
5. How will GDPR fit into the wider global delivery of healthcare services? A barrier or an advantage?
“There is a lot of scaremongering about GDPR but at its heart, GDPR is about using data responsibly with good information management and governance structures, and giving individuals choices where appropriate. Doing this can definitely bring benefits to an organisation, and my view is that GDPR shouldn’t be seen just as compliance red tape and an additional burden, but as a framework for using data responsibly.”
6. Can technology help healthcare organisations meet their responsibilities under GDPR?
“Technology is definitely part of the solution and there are an increasing number of products on the market which will help with GDPR compliance, but it’s important to remember that GDPR is not just a technology issue. There is a lot of work to do around governance, checking there is a legal basis for processing, and putting appropriate contracts in place with third parties who have access to data and training. None of this can be done by technology alone. Getting GDPR compliance right involves a cultural change throughout an organisation to give data about individuals the respect it deserves. Relying too much on technology can detract from the human element which you also need to get right.”
Helen Goldthorpe is an associate solicitor at leading law firm Shulmans LLP. She has particular expertise in data protection, commercial contracts, intellectual property and technology.