On May 25, 2018, the General Data Protection Regulation (GDPR) in the European Union (EU) takes effect. The premise behind GDPR is that the protection of natural persons in relation to the processing of personal data is a fundamental right. GDPR Recital 1. Many health and wellness companies in the United States may wonder what, if anything, they must do to comply with this new law. If your health or wellness company has an internet presence, such as a website, read on to see whether GDPR applies to your company and, if so, what you need to do about it.
In general, GDPR applies to “controllers” and “processors.” The law defines a “controller” as an entity that determines the purposes and means of processing personal data. GDPR Article 4.7. This may include an employer or a health care organization, for example. The law defines a “processor” as an entity that collects, records, organizes, structures, stores, adapts, alters, retrieves, consults, uses, discloses, disseminates, combines, restricts, erases or destroys personal data. GDPR Article 4.1 and 4.8. “Personal data” is data that relates to an identified or identifiable natural person (i.e., a “data subject”). GDPR Article 4.1.
Controllers may hire processors to work with personal data on some level. One useful analogy, then, is to compare controllers with “covered entities” under HIPAA, and processors with “business associates” under HIPAA. If you are a health or wellness company that works with personal data, such as through a wellness portal or application, you must next determine whether your company interacts with any “data subjects” under the GDPR.
There are three types of companies that interact with data subjects and who therefore fall under the auspices of the GDPR:
It is important to note that GDPR application is not tied to EU citizenship. Thus, EU citizens located outside the EU would not be protected by GDPR. Conversely, US citizens located in the EU would be protected by the GDPR. GDPR applies to “natural persons” located within the EU, regardless of their citizenship. It does not apply to “legal persons,” such as corporations. GDPR Recital 14.
While spelling out all the legal requirements and details of the GDPR is beyond the scope of this post, there are some overarching requirements of which health and wellness companies subject to GDPR should be aware.
Health and wellness companies that are subject to GDPR have a number of new obligations under the law. A robust data privacy and security compliance program will help health and wellness companies comply with the new requirements, and help clients of those companies feel confident in the company’s privacy and security practices. With almost daily reports of data privacy intrusions, more legal protections are certain to appear. Implementing strong policies and procedures to protect data privacy and security now will lighten the load not only of GDPR compliance, but of future laws as well.