Written by 15:56 Media

The impact of GDPR on health data: from regulatory constraint to strategic resource

What are the rules and strategies to be followed to exploit these information assets while respecting the rights and freedoms of data subjects?

Dati sanitari

by Rocco Panetta and Federico Sartore on AboutPharma

With the entry into force in 2016 and the subsequent application, from 2018, of the Gdpr, the new European regulation on privacy and personal data protection, the entire landscape of data processing and use has undergone a conceptual and regulatory revolution. This paradigm shift – which has entailed, among other things, an increase in the autonomy and accountability of data controllers and data processors, as well as an increase in penalties of up to EUR 20 million or 4% of turnover – has had a particularly marked impact on all entities that manage health data in various capacities, probably the most sensitive category of personal data, even compared to the already restricted group of so-called sensitive data.

The richness of these information assets, combined with the constant risks for the fundamental rights and freedoms of data subjects in an almost completely interconnected digital world, require industries that centrally process health data to put the issue of personal data protection at the top of their agendas in terms of priority and urgency. A careful and legally evolved approach to data protection not only enhances the overall value, including the economic value, of the company that controls it, but also significantly reduces the risk of incurring heavy financial penalties from data protection authorities, not to mention the reputational damage and compensation claims by data subjects.

With reference to the activities of the Supervisory Authorities, the latest Annual Report of the Italian Data Protection Authority (2019) shows how the application of the GDPR rules has significantly affected several aspects of the health data lifecycle. In fact, personal data breaches consisting in the erroneous communication of clinical documentation to persons other than the data subject, in particular through email, the Electronic Health File (EHR), the health dossier and other online reporting tools, have been very frequent. In addition to this first class of cases, there are also more complex issues concerning the processing of personal data for health care purposes in a broader sense, but not strictly necessary (medical apps, customer loyalty and marketing, the above-mentioned online reporting tools), as well as for purposes completely different from health care, such as, for instance, scientific research or the participation of the data controller companies in public tenders in the health sector….

Originally published on AboutPharma.