GDPR – Things You Need to Know as a Data Controller and Processor in the Healthcare Industry

  • Mar 23, 2018
  • Posted By: admin

Those who keep track of industry news and updates will already be aware of what GDPR is and how it is going to impact companies that store and process personal data. A lot has been written about this new data protection regulation, the General Data Protection Regulation (GDPR), which aims to protect the personal information not only of EU (European Union) citizens, but also of tourists, residents, and visitors within the territorial boundary of the states under the union's jurisdiction.

GDPR will apply from 25th May 2018, although it entered into force two years earlier, on 24th May 2016. As the date of its final implementation approaches, companies are filled with apprehension and confusion about how GDPR will apply to them and what they need to do to remain compliant with the data protection rules.

What is GDPR all about and to whom does it apply?

GDPR is a regulation brought into existence by a collaborative effort of the Council of the European Union, the European Parliament, and the European Commission. The new regulation replaces the existing Data Protection Act 1998 on which Europe currently relies.

With GDPR, the EU wants to transfer the power over data into the hands of the people, who will now have complete control over their data. The stricter data protection measures were introduced for two main reasons: firstly, to protect the data privacy of citizens of all 28 EU member states and so sustain people's trust in digital technologies, and secondly, to offer companies a much cleaner and clearly regulated environment in which to work. Increasing public concern about data privacy led to the creation of more stringent rules regulating the way companies use, store and process citizens' data.

As the new legislation revolves around data security, it is quite apparent that it will have an impact on businesses dealing with data. All data controllers and processors will have to abide by the compliance rules set by GDPR to avoid hefty fines. Even if you have no physical presence within the EU, as long as you deal with the data of its citizens you have to comply with GDPR.

What type of data does GDPR protect?

According to the guidelines of GDPR, the various types of personal data that need to be lawfully treated, processed and utilized for a specific purpose include:
• Primary data like name, phone number, postal address, etc.
• Biometric details
• Ethnic data
• Sexual orientation and political views
• IP address, cookies, RFID tags and all other web data

Though much has been said about GDPR, we have hardly come across any valuable input offering an overview of what GDPR will mean for the healthcare industry specifically. As the date of its implementation gets closer, healthcare providers are in a state of confusion, with incomplete knowledge of how GDPR will impact them. They have many questions that need an answer.

How will GDPR affect US Healthcare Providers?

As the healthcare industry in the US is already governed by the strict HIPAA (Health Insurance Portability and Accountability Act) guidelines safeguarding all medical information, healthcare providers are confused about what the whole scenario will look like once GDPR comes into the picture.

Well! Based on the news so far, it is quite clear that even US healthcare providers have to be GDPR compliant if they deal with patient data of EU citizens. For instance, in the case of a patient data transfer during a clinical trial, if a US healthcare company receives data from a Contract Research Organization (CRO) in the EU, the GDPR compliance rules will apply to the provider.

Hence, with the enforcement of the new regulation, US healthcare companies will have to abide by GDPR along with HIPAA to avoid charges for non-compliance.

Health-related Personal Information that Comes under GDPR Vigilance

Earlier, in the EU's data protection directive, there was no specific definition of health data. Now, with GDPR, the EU has defined it precisely. According to Article 4 of the legislation, any personal data that reflects information about the physical and mental health of a natural person, along with his/her health status, etc., comes under the term 'health data.' GDPR aims to protect the privacy and usage of this data, giving patients rights over their data.

For using, processing, storing, and accessing health-related information such as biometric details, genetic data, medical history, etc., healthcare providers working both within the territory of the EU and outside its geographic boundaries will have to adhere to the data privacy and protection compliance rules laid down by GDPR.

Compliance Features of GDPR that American Healthcare Providers Should Comply With

Patient’s Consent to Data Use

On a first reading of GDPR, it may sound similar to HIPAA. If that is your impression, correct yourself now. Though there are certain similarities between the two when it comes to the compliance part, GDPR is much more stringent than the US legislation, HIPAA.

HIPAA's approach is more organization-centric and is targeted towards protecting patient data from security threats. Under its regulations, patients are not given any control over the accessibility and usage of their information by an organization. On the contrary, GDPR states that pharmaceutical or healthcare companies need to obtain patient consent first in order to store or access their medical data.

Right to Delete Data

When patients have been given the freedom to decide to whom they will grant rights over their data, it is not surprising that GDPR also gives them the right to ask an organization to delete their data once the purpose of its use is complete. The EU's new data protection legislation offers the patient the right to be forgotten.


It would not be wrong to say that GDPR will bring a massive transformation in the way businesses treat and process data for commercial purposes. Moreover, the EU's extended reach into other regions through GDPR has left companies worldwide in a complicated situation, making things difficult for them. Some US companies have already expressed concern over the competitive disadvantage they will face compared to European companies.

If statistics are taken into consideration, one notices that the majority of organizations dealing with data are still not ready to comply with GDPR. However, to measure the impact of GDPR we will have to wait some time longer and keep an eye on what happens next.


