The impact of RGPD/GDPR on Healthcare Institutions: the 6 key requirements to look out for
Interview with Jean-Yves Haguet,
Security engineer at health software publisher Enovacom
Can you remind us what RGPD (or GDPR) is all about?
The General Data Protection Regulation (RGPD) is a major European regulation to improve people's confidentiality rights by defining security requirements to protect and process personal data.
Any organisation responsible for processing personal data, such as companies or healthcare facilities, will be held accountable and sanctioned for failing to comply with its requirements, and the sanctions are dissuasive. Penalties can be very severe for companies, with a fine between €10m (or 2% of turnover) and €20m (or 4% of turnover) depending on how serious the offence is.
How long until the regulations come into effect?
The RGPD comes into effect on 25th May 2018 and will also apply to the 28 member states of the European Union despite the current high level of disparity regarding data protection regimes. This is the case for every company in the world which supplies goods and services to European citizens and collects, hosts and handles their personal data.
What is the expected impact in France compared to previous regulations?
Previous French national regulations (such as the CNIL) only covered individuals' basic rights such as the right of opposition, data access, modification and deletion, all subject to a legitimate motive. The RGPD now covers new rights: the right to be forgotten, the right to treatment limitation, the right to portability, the right to object to profiling and the right to limit data collection and usage. This is a major change, as it is no longer just a matter of filling in a declaration form. A data processing manager must perform a risk assessment for every operation which includes personal data and be able to show proof that the relevant risk-reduction measures are in place.
What are the essential first steps to act on now?
As we are only a year away from this regulation coming into effect, it is essential to get organised sooner rather than later. And as with any IT systems security regulation, the RGPD applies to every company or healthcare facility department as many procedural changes are in the pipeline. Therefore, it is necessary to combine implementing simple measures that have a significant impact on raising data protection levels with substantial work on the most complex procedures, which will have to be done gradually.
To get the project underway, here are the first six key steps:
Step one is to designate a DPO (data protection officer), who could of course be a CIL (IT & liberty correspondent) or an RSSI (information systems security officer).
Step two is to map out how personal data is processed and pay particular attention to any data given to subcontractors. This is then used to create the essential register, which must be kept updated.
Step three is a risk analysis to prioritise what action needs to be taken.
Step four is to start setting up the measures deemed as priorities.
Step five is to create or update procedures specifically required to comply with the RGPD, such as revising consent or notification procedures.
In the final step, step six, compliance must be documented by auditing and proof must be kept. Being able to stick close to existing procedures is essential for efficiency and overall coherence.
What benefits can we expect from implementing the RGPD?
It will benefit people by increasing their personal data rights, making it easier to access data and check its accuracy, and to appeal in case data is accessed without consent.
It will benefit businesses and healthcare facilities by providing them with a detailed universal legal framework. This means that it will help enhance the free circulation of personal data within the European Union – one of the RGPD's clear goals – and develop personal data processing activities.
What kind of solutions does Enovacom have to enable healthcare facilities to comply with the RGPD?
Enovacom solutions guarantee data is kept confidential. We have expanded from our range of software applications dedicated to securing healthcare IT systems. Today we address Identity Access Management (IAM) difficulties with two solutions: our healthcare facilities directory and our identity repository – ENOVACOM Identity Manager and the Single Sign-On ENOVACOM Secure Login.
The goal is to ensure healthcare institutions have an identity and access management solution which includes a fully-customisable meta-directory able to hold a processing operations register as set out in article 30 of the RGPD. As it happens, our tool enables users to define information access policies, manage different repositories' access rights, obtain consent via a web form, give notifications about monitored events which are expected or feared, and generate statements for regular checks. The SSO solution will use an effective password policy to give access control.
Aside from IAM implementation policies, it is also necessary to protect the data being exchanged with encryption. This is one way to ensure integrity and confidentiality when sending and receiving information. The application of the RGPD should support this approach.
As a software publisher, is Enovacom affected by the RGPD?
As a healthcare and IT security software publisher, Enovacom is naturally aware of problems surrounding information protection – anything from patient data to medical staff. But like any company that does not have an exemption, the RGPD affects Enovacom and applies to its clients, its partners and its employees’ personal information.