Sweeney Williams, vice president of security, privacy & compliance at Vision Critical, analyses the steps that healthcare and healthtech companies need to take surrounding data privacy and security.
GDPR has changed how companies around the world do business in the EU and beyond. Healthcare and healthtech organisations navigating the changing regulatory landscape around data privacy need to prepare their staff, systems, and infrastructure for the sweeping changes that will continue to come as a result of GDPR, California’s CCPA (which, despite some popular misconceptions, does apply to healthcare organisations in many cases), and other laws under consideration. Customers support these laws and want healthcare companies to be transparent about how their data is collected, who it is shared with, and what it’s used for.
Healthcare and healthtech companies have an added regulatory obligation to protect patient information, since health data is designated a special category of personal data under GDPR. In addition, with the shift toward digital health, including smart devices, mobile health apps, and the healthcare-related internet of things (IoT), companies must be more vigilant than in the past because there are more opportunities for data breaches and other security risks. Companies that fail to adequately protect patient data risk both financial and reputational damage.
Not sure of what these new data privacy laws mean for your company? Below is a checklist to help your organisation consider what regulators will be looking for in the event of an incident, as well as an outline of how these laws benefit consumers and businesses alike.
Data privacy and security checklist
- Cover the basics. Some of the issues giving rise to the large fines against British Airways and Marriott International occurred because websites were not protected against common web application security risks, which led to the injection of unauthorised scripts. Companies must constantly improve the protection of their websites and applications, starting with the most common risks, to help reduce the likelihood of such attacks.
- Be diligent. Another issue is the importance of performing adequate due diligence on acquisition targets. Your security perimeter extends beyond the boundaries of the networks your company directly controls, and this advice should therefore extend to your vendors and partners.
- Be prepared. No company is perfect, regardless of how many resources it assigns to security. Things can and will go wrong eventually. If you suspect any data compromise, a prompt and robust breach response is vital. This includes quickly and accurately informing customers and regulators of what happened, what steps your company is taking to reduce harm, what steps customers can take to protect themselves, and what you are doing to protect the data still under your care. While it might be tempting to hide or delay reporting an incident for fear of financial or reputational damage, an open and honest response not only promotes trust and transparency with customers, it also potentially limits the impact on those affected. It also demonstrates that your company is pursuing a notification process aligned with GDPR and other data privacy regulations.
Benefits of data privacy regulations to individuals
- Individuals have more control over the trade and sale of their data, with the right to request access to their personal data and ask how it is being used by a company after it is collected, as well as the right to have their data deleted.
- Individuals have strengthened opt-out rights. Under CCPA, for example, individuals can opt out of having their data sold to another entity while still being allowed to enjoy the services a company or website offers.
- Individuals have the right to increased, detailed disclosures about what data is collected from them, where it is processed, how it is protected, and what obligations the business must adhere to in the processing of that data.
- Individuals also have additional legal options at their disposal, including the ability to bring suit against a company if data is exposed, which means greater legal and financial incentives for companies to protect consumer data.
Benefits of data privacy regulations to businesses
- Regulations provide an impetus for companies to practise good data hygiene. This means better data mapping and cleansing, so businesses understand what is happening to the data processed by their organisation.
- The requirement to be fully transparent in privacy notices fosters trust and better relationships with consumers.
- U.S. and other non-EU businesses are pushed to perform GDPR-level exercises and examine where data came from and where it is going in great detail.
- Ideally, regulations promote more patient and customer-centric strategy as businesses put mechanisms in place to protect data rights.
When consumers put their trust in a company and provide it with their sensitive information, that trust must be respected with proportionate and adequate defences. All organisations that process personal data must prioritise data protection and ensure that appropriate resources are assigned to the creation, maintenance, and constant improvement of security and privacy practices. Failure to do so will make it difficult, if not impossible, for organisations to avoid regulatory fines when things go wrong.
But data privacy isn’t just about regulatory compliance. As businesses audit their data privacy protocols and processes to comply with existing rules and implement consent-based data collection, they will be better prepared for what’s coming. Perhaps more importantly, they will also bridge the gap between personalisation and privacy to help build and maintain the trust of their valued customers.