“Let’s say you’re a clinic that specializes in diabetes [and] you’re used to taking data and sending it to a general database to [collect information] about diabetes,” Mr. Barchie said. “You can’t do that under GDPR. You would have to have a separate consent form for that. So one consent to provide your diabetes service, one consent form to maybe market to the [patient], and a separate consent form [regarding] the database.”
The GDPR also requires minimizing the personal data that is copied into and stored across multiple systems. In the United States, it is not uncommon for several copies of a person's data to exist in several places, which makes sense from an IT perspective, Mr. Barchie said. The GDPR's data minimization principle, however, requires that data controllers limit the personal data they hold and pass on to what is necessary for the stated purpose, rather than keeping full copies wherever they are convenient.
“[Under GDPR], you should send only the data that you need for that particular process,” he said. “For example, [in the case of] address, user name, and patient ID. If you only need the patient ID number, you should not send the patient name and address. You minimize the amount of data that you’re sending to be processed.”
Breach notification is also more stringent under the GDPR than under U.S. regulations. Under HIPAA, covered entities must notify affected patients of a data breach without unreasonable delay and no later than 60 days after discovering it; breaches affecting 500 or more individuals must be reported to the U.S. Department of Health & Human Services on the same 60-day timeline, while smaller breaches may be logged and reported annually. The GDPR requires that affected data controllers notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of [the breach]." (The GDPR supervisory authority depends on the EU country affected.)