GDPR Industry Focus: Impact of GDPR on Healthcare, Pharma, and PHI


Written by: Andrew Steioff

Reviewed by:
Updated: November 15, 2022

Table of contents

The May 2018 implementation of the GDPR will impact the healthcare industry with numerous requirements that will necessitate stringent policies and procedures for compliance.

What is The GDPR?

The General Data Protection Regulation (GDPR) is a European Union law that will have a great impact on any company that processes EU citizens' data - even if the company isn't located in the EU. The GDPR will be in effect on May 25, 2018, and companies are encouraged to begin preparations now in order to meet the requirements by its implementation.

GDPR and the Healthcare Industry

The GDPR regulates personal data one step further and creates special categories for data in the healthcare industry. This data is subject to higher standards of protection since much of the data utilized in the healthcare industry is considered as 'sensitive personal data'. The "biggest impact will be on pharma [pharmaceutical] and biotech [biotechnology] companies, because they're working in a global environment [and are] high-profile providers that may have a very specialized service that they're globally known for," states Healthcare Informatics.

4 Key Areas of GDPR That You Need To Know

1. Important Terms

There are four terms that specifically impact the healthcare industry in the GDPR. They are:

  • Data Concerning Health- personal data related to the physical or mental health of an individual
  • Genetic Data- personal data relating to inherited or acquired genetic characteristics of a person which give unique information about the physiology or the health of that person
  • Biometric Data- physical, physiological, or behavioral characteristics of a person, which allow or confirm the unique identification of that person, such as facial images or fingerprint data
  • Sensitive Personal Data- includes the three types of data listed above; processing of this data is prohibited unless specific conditions defined in Article 9(2) of the GDPR apply

2. Prohibited Under The GDPR

When the GDPR comes into effect, corporations or individuals will no longer be allowed to process a person's data in order to reveal an individual's race or ethnicity, or use genetic or biometric data to uniquely identify a person. It will also be illegal to process data concerning health or data concerning someone's sex life or sexual orientation.

3. Conditions that Allow Processing 

The GDPR recognizes that there are certain extenuating circumstances where an individual's data must be processed. If any of the conditions outlined in Article 9(2) of the GDPR are met, the data may be processed; below are three key conditions which may apply:

  1. If the data subject has given "explicit consent" (see below for the definition of consent) to the processing
  2. If "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services [...]"
  3. If "processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices [...]"

4. Consent

Consent will also be a requirement under the GDPR. Clear consent must be given in order for a company to begin processing someone's data. Consent can no longer be assumed by silence, pre-selected boxes, or inactivity, and it must be separate from other terms and conditions. Within the healthcare industry, the GDPR requires 'explicit' consent. While there is no specific determination between 'consent' and 'explicit consent' within the GDPR documentation, for healthcare purposes it is likely to require the most obvious and strongest forms of consent such as a checked boxed in agreement or a declaratory statement.

Pharmaceutical companies collect a large amount of personal data including subject data from clinical trials. Consent is one of the biggest challenges facing pharma companies. Article 9 of the GDPR requires specific consent for sensitive personal data which includes genetic data, biometric data, and data revealing ethnic origin.

Impact on the Healthcare Industry

The healthcare industry will be required to be even more diligent with personal data than current requirements demand. Within the GDPR, companies will be required to show how they are in compliance, not just report that they are in compliance. This responsibility has tremendous consequences. For those not in compliance, there is a potential 4 percent fine based on global revenues or €20 million, whichever is greater.

One of the most notable changes under the GDPR that greatly impacts the healthcare industry is mandatory data breach reporting. Data breaches must be reported to a data protection regulator within 72 hours, and the individuals affected must also be notified of the breach. The healthcare industry must have clear, practical, and effective procedures in place that can be acted upon immediately in order to meet these requirements.

Ensuring Compliance

The wide-ranging requirements of the GDPR which must be implemented in a compressed time period present significant challenges for organizations in healthcare.

LogicGate is helping companies meet GDPR compliance requirements by centralizing and automating critical new processes that now need to be executed to achieve compliance - as well as enhancing existing manual processes, such as third-party risk management, that must incorporate additional privacy considerations when assessing data processors.

With May quickly approaching, the more you can centrally manage and automate the extensive GDPR requirements, the closer you will be to reaching compliance.

Related Posts