Presentation at the COCIR annual meeting on 17 March 2016 regarding the top 7 operational impacts of the new EU General Data Protection Regulation for health IT companies.
Some top operational impacts of the GDPR for a health IT company
1. Consent
2. Security and breach notification
3. Profiling
4. RTBF and data portability
5. Vendor management
6. Personal data concerning health?
7. International transfers
1. Consent
• Consent requirements enhanced, definition of consent restricted
  • “freely given, specific, informed and unambiguous”
  • clear affirmative action
  • as easy to withdraw as to give it – data must be erased then and can no longer be used for processing
• Not freely given in case of imbalance
• Not making consent conditional upon service provision, unless processing is necessary for the service
• Consent for subsequent processing unless subsequent operations are “compatible”
2. Security & breach notification
• More prescriptive regarding “appropriate technical and organizational measures” because it specifies what kinds of security actions might be considered “appropriate to the risk,” including:
  • pseudonymisation and encryption of personal data
  • ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data
  • ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident
  • process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
• GDPR contains a definition of “personal data breach,” and notification requirements to both the supervisory authority (<72 hours unless justifiable) and affected data subjects
3. Profiling
• Health IT business models are all about profiling
• Profiling: “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's […], health […]”
• Data subject
  • has “right to be informed” of consequences and right of access
  • may contest decisions “that significantly affect him or her” made based on profiling with contract or consent as basis
  • may “object”, ending legal basis for processing, unless overriding interests
• Duty to avoid data inaccuracies and errors, implement security and minimize discriminatory effects
• Impact assessment mandatory
4. Right To Be Forgotten and Data Portability
• “Right to erasure”
  • Exception: among others scientific research and public interest related processing
• Data portability: data subject has right to receive personal data in a structured and commonly used and machine-readable format and has right to transmit / request transmission of those data to another controller without hindrance from the controller to which the data have been provided, if:
  • processing is based on consent or contract; and
  • processing is carried out by automated means
5. Vendor management
• GDPR expands significantly on controller responsibility
  • e.g. impact assessment, breach notification, record keeping
• GDPR has specific duties for processors too, e.g. assist with security and impact assessment
• GDPR sets out rules for allocating responsibility between controller and processor
  • controller must select processor that provides sufficient guarantees that it can implement technical and organisational measures required
• More detailed requirements for controller-processor contracts
  • re-assess current agreements!
6. Data concerning health
• Article 83: exemption for scientific research purposes, subject to data minimisation measures such as pseudonymisation and anonymisation.
• Automated processing subject to PIA
7. International transfers
• Similar structure as under DPD:
  • to jurisdictions with adequacy finding (new: country, territory, sector)
  • with “appropriate safeguards”
    • BCR
    • SCCs
    • new: approved code of conduct
    • new: certification mechanism with binding and enforceable commitments
• “Privacy Shield” hopefully up and running in June
• it is not lawful to transfer personal data out of the EU in response to a legal requirement from a third country – big fines possible
Timeline for adoption
• GDPR likely to be adopted in June 2016
• Transitional period of two years
• And then there are the delegated and implementing acts that need to be adopted to make the GDPR properly operational
www.axonlawyers.com
THANKS FOR YOUR ATTENTION
Erik Vollebregt
Axon Lawyers
Piet Heinkade 183
1019 HC Amsterdam
T +31 88 650 6500
F +31 88 650 6555
M +31 6 47 180 683
E erik.vollebregt@axonlawyers.com
@meddevlegal
B http://medicaldeviceslegal.com
READ MY BLOG:
http://medicaldeviceslegal.com
Editor's notes
Parties propose the concept of one-time consent instead of re-consent to every use of their data