India’s burgeoning health sector could become a victim of its own success if it does not take into account the General Data Protection Regulation (GDPR). At first glance, a warning for establishments in India about this new regulation of the European Union might seem strange. However, India has become a destination of choice for medical tourism. Patients from European countries are attracted by more accessible operations and shorter waiting times. In these cases, Indian hospitals will handle the personal information of European citizens and the GDPR will be applied.
The considerable expense of noncompliance
It is important to understand what is at stake. The GDPR, in force since May 25, 2018, requires any entity that collects or processes data on EU citizens to adequately protect such data. It also requires that entity to uphold the various rights of EU citizens over the use, transfer and disposal of their data. Fines for breach of the GDPR can be high. Currently, the maximum is 20 million euros, around ₹ 160 Crores, or 4% of annual global turnover, whichever is greater.
On the road to compliance with GDPR
How should Indian health organizations handle their new responsibilities under the GDPR? A starting point is to know the main categories of rights and obligations that must be observed. In each case, the organization in question needs to assess whether the best solution is technology, changes to internal processes, or both.
Provide data protection at all levels
Hospitals and other health care facilities must be able to demonstrate that they are taking adequate precautions to protect everyone’s data correctly. This includes data at rest (using disk encryption, for example) and in transit (for example, encrypted network links). Technology will play a role in preventing unauthorized access and in alerting IT teams to abnormal events or data flows. Access policies that limit information access to those with a “need to know”, together with staff awareness of information security, will also be crucial.
Increase and maintain GDPR awareness of staff
The majority (80% according to some estimates) of data breaches and leaks can be attributed to human error. Caregivers and other staff members may still not understand the importance of handling confidential data properly. Regular awareness campaigns and training sessions are good practice in any case and should now be updated to cover the GDPR. Service providers and partners must also be assessed for staff awareness and GDPR compliance.
Use only approved forms to obtain patient consent
Under the GDPR, a person’s consent to the use of their data must be “freely given, specific, informed and unambiguous”. This means that the terms and conditions must be clear and simple. Consent must be opt-in (no consent by default). If the data is to be used for any purpose other than medical care, this must also be made clear and separate consent requested for that purpose.
Respecting the right to be forgotten
Part of the GDPR concerns the right of people in the European Union to have their personal data erased from an organization’s records. This right may need to be balanced against other legal requirements, such as retaining billing records for the medical care provided. Clearly, when there is no other legal requirement to retain the data and an individual from the EU requests that their data be deleted, the organization in question must comply. For other cases, professional legal advice is recommended. The same applies to people’s other GDPR data rights, such as the right to have information rectified and the right to transfer it from one entity to another (data portability).
What happens if your health care organization does not comply with GDPR?
If your organization provides services to EU citizens and collects and/or processes their personal data, compliance with the GDPR is mandatory. If you are not yet compliant, your first immediate action should be to define a clear plan for becoming compliant quickly. The second step is, of course, to follow through promptly on executing and completing that plan. Remember also that professional data protection and security consultancies with GDPR knowledge and skills can help guide your course towards compliance in an effective, efficient and timely manner.