If you’ve been on the internet lately (which, hi!), you’ve probably seen something about the General Data Protection Regulation (GDPR) or even noticed some privacy pop-up messages on your favorite sites. But what exactly is GDPR? And what does it mean for healthcare?
You’ve got questions. We’ve got answers.
Wait, what's GDPR?
GDPR is a European Union (EU) regulation designed to protect individuals' personal information and give them greater rights to data privacy.
But our healthcare organization isn’t based in the EU, so we don’t need to do anything about this, right?
Wrong. It doesn’t matter where in the world you are located. Even if you have no entity or presence in the EU, the GDPR applies to your organization if you collect, store, or otherwise manage the personal data of people who live there.
All organizations that either intentionally or unintentionally collect, store, or otherwise process data from people living in the EU must comply. In today's borderless economy, that means virtually all organizations are affected. You can’t put a fence on the internet, after all.
How does GDPR affect us?
To further understand how GDPR affects you, you need to determine whether your organization is a controller or a processor.
• A controller is a company that collects personal data and then decides what to do with it. Use cases that are very common in healthcare provider organizations include collecting email addresses for a health newsletter, as part of an online HRA, or for online appointment requests.
• A processor is a supplier that handles the data on behalf of the controller. In the examples above, your organization would be the controller, and your newsletter provider or agency would be a processor if it emails consumers on your behalf.
Primary responsibility for GDPR compliance lies with the controller, particularly when it comes to securing user consent. However, processors are equally liable for how they handle data.
What should we do to ensure our organization is covered for GDPR?
To help ensure compliance, follow these steps and look to additional resources for more information.
1. If you collect or manage data of individuals who live in the EU, intentionally or unintentionally, then you will want a consent notice applied to your site. (See the example in the lower right of https://www.crownpeak.com/)
2. Cookies are considered personal data under GDPR. Add a website notification where visitors can choose to opt in or out of cookie tracking. Here's a handy how-to.
3. GDPR requires companies to have a comprehensive understanding of all data they collect.
4. Be sure your web forms tell people exactly what they are opting into and what to expect. Do not use pre-checked boxes to opt people into your mailing lists. They must take action to explicitly opt in.
5. Audit your email marketing list. Have EU consumers explicitly opted in to hear from you? If they were automatically added to your list because they completed an HRA without opting into further communications, were a patient in your emergency room, etc., you do not have explicit permission to email them. Remove old, unengaged contacts, and send an email asking the others to confirm their opt-in. Remove those that don't.
6. Be sure your email marketing messages have a clear, easy-to-use opt-out. This is also required by CAN-SPAM in the U.S., so it should already be standard practice.
7. Check out what the other companies in your MarTech stack are doing about GDPR and implement new features as appropriate.
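Here is an added example, not part of the original post or Influence Health's tooling, of what the list audit in steps 4 through 6 looks like as code: each contact is classified as keep, confirm, or remove based on whether an explicit opt-in is on record, whether the person has opted out, and whether they are still engaged, and non-responders to the confirmation email are dropped. The source labels (newsletter_form, hra, er_visit), the 365-day staleness threshold, and the sample addresses are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

EXPLICIT_OPT_IN_SOURCES = {"newsletter_form", "reconfirmation_email"}  # assumed labels for a deliberate, separate opt-in
@dataclass
class Contact:
    email: str
    source: str                   # how the address entered the list (assumed labels: hra, er_visit, ...)
    explicit_opt_in: bool         # person actively ticked an unchecked box or confirmed by email
    opted_out: bool               # person has unsubscribed
    last_engaged: Optional[date]  # last open or click; None if never

def audit_contact(c: Contact, today: date, stale_after_days: int = 365) -> str:
    """Classify one contact as 'remove', 'confirm' or 'keep' (step 5 above)."""
    if c.opted_out:
        return "remove"   # an opt-out is final; never re-mail
    if c.last_engaged is None or (today - c.last_engaged).days > stale_after_days:
        return "remove"   # old, unengaged contact: drop rather than re-ask
    if c.explicit_opt_in and c.source in EXPLICIT_OPT_IN_SOURCES:
        return "keep"     # explicit consent on record
    return "confirm"      # e.g. added via an HRA or ER visit: no explicit permission yet

def audit_list(contacts: List[Contact], today: date) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {"keep": [], "confirm": [], "remove": []}
    for c in contacts:
        buckets[audit_contact(c, today)].append(c.email)
    return buckets

def apply_confirmations(contacts: List[Contact], confirmed: set, today: date) -> List[Contact]:
    """Keep explicit opt-ins and those who answered the confirmation email; drop the rest."""
    kept = []
    for c in contacts:
        verdict = audit_contact(c, today)
        if verdict == "keep":
            kept.append(c)
        elif verdict == "confirm" and c.email in confirmed:
            kept.append(Contact(c.email, "reconfirmation_email", True, False, today))  # new consent record
    return kept

# Constructed sample list; the addresses and dates are made up for this example.
TODAY = date(2018, 5, 25)
SAMPLE = [
    Contact("a@example.com", "newsletter_form", True, False, TODAY - timedelta(days=30)),
    Contact("b@example.com", "hra", False, False, TODAY - timedelta(days=10)),
    Contact("c@example.com", "er_visit", False, False, TODAY - timedelta(days=5)),
    Contact("d@example.com", "newsletter_form", True, False, TODAY - timedelta(days=800)),
    Contact("e@example.com", "hra", False, True, TODAY - timedelta(days=1)),
]
```

On the sample list, audit_list puts a@ under keep, b@ and c@ under confirm (they came in via an HRA and an ER visit), and d@ (unengaged for 800 days) and e@ (opted out) under remove.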
Now, here's our legal disclaimer: Influence Health is not an expert in GDPR law and legal compliance. These are the steps that we are taking for our own marketing efforts and are helping some clients navigate. This is not a definitive list. We recommend engaging your own legal and compliance departments for explicit interpretation of GDPR law and requirements.