Lunch&Learn: What Health Tech Startups need to know about GDPR

We welcomed Jamie Foster from Hempsons for our Lunch&Learn session on the topic of GDPR and what health tech startups need to know about the new legislation.

What is GDPR?

Jamie began the session by clarifying what GDPR (General Data Protection Regulation) is and what it isn’t. He explained the fear mongering that’s been associated with the new legislation. GDPR is meant to update what we have already in terms of data protection. If your business is already compliant, you should be OK with a few updates.

To explain what GDPR is, Jamie began by asking why is it needed?

The old Data Protection Act came into legislation in 1988; Google had only just been founded and it was still six years until Facebook would be invented. The world has moved on and technology has greatly advanced since then. The new legislation is meant, Jamie stressed, for the big tech companies like Facebook, Twitter and Amazon to ensure that they are processing data in a transparent way, but this doesn’t mean that small companies cannot ignore it.

Jamie explained that the GDPR, arriving on the 25th of May, will have no exemptions or grace period. Companies big and small will have to immediately follow it. Jamie stressed that this is an evolution of existing law - many key concepts of data protection at the core of the GDPR remain substantially the same but there are some changes:

  • A big focus on transparency as a key principle alongside existing data protection principles

  • Relying on consent as a condition of lawful processing is more difficult with the GDPR

  • A requirement to demonstrate compliance (accountability)

  • Privacy by Design rather than by Default with Data Privacy Impact Assessments formalising current best practice

  • The introduction of a Data Protection Officer role to inform, advise and monitor compliance

  • More controls on use of data processors eg. payroll provider. All contracts with any organisations need to be compliant.

  • Greater focus on rights of data subjects

  • Implied consent in direct care of patients

Jamie used the example of the Google Deepmind / Royal Free Hospital scandal as reasons why the data protection compliance needs to be updated, Google Deepmind used information in a way that wasn’t clearly stated to patients. With  GDPR, companies such as Google Deepmind, Amazon and even Apple have to be transparent when dealing with personal patient data. Deepmind failed compliance by using the data for different purposes than those they had originally stated.

A top tip from Jamie for health tech startups dealing with patient data was rather than having a Data Protection Officer (see slide) to monitor compliance of the act, to nominate a Data Protection Lead instead as it’s not clear in the guidance at what level your organisation needs a Data Protection Officer (DPO). Jamie advised not to jump to getting one, as then you’ll be caught up in the logistics and legal requirements of having one. A Data Protection Lead would suffice, as startups are small and new in nature.

Do you need consent from users of your product?

Jamie focused on the area of consent in the GDPR to try and remove any misconceptions about the topic. There is a view that you have to get consent with everything and anything you do but this isn’t the case. However, you should always:

  • Ask your customer or patient for consent to be fair (and to cover yourself)

  • Use plain English, allowing them to understand

  • Consider an option of making a framework of values and ethics board to show the reason for your interest in their consent to be transparent with the information

  • Have IT audits and record-keeping processes with policies and procedures, to help cover yourself in case of complaints

Jamie advised companies to train each and every member of staff on GDPR, on consent, accountability, transparency and compliance. It is no good just training the CEO or founder of the company. It is much better and safer for compliance if everyone is aware of the new legislation and what it really means for businesses.

Potential Risks: Why it’s important to get compliance right

If you fail to comply to the new legislation the fines can be up to €20,000,000, Jamie explained that the rise in fines was to match tech giants like Google who have bigger capital, rather than to spread fear in SME’s. Another interesting point raised was that there have been recent fines on data breaches arising from an employee’s deliberate disclosure. Jamie used the example of a disgruntled Morrisons’ employee who leaked every member of staffs’ HR details onto a public site.

Another tip for getting compliance right was making sure data was anonymised properly so individuals cannot be re-identified with matched data. Startups are lucky in the fact that they don’t have years worth of data, so they don’t have as much to be accountable for.

Under GDPR people have a right to withdraw their consent and you must return the data. But this can be problematic in healthcare as there are rules around keeping healthcare data for a set time. It’s worth saying in your privacy policy that you are relying on healthcare practices for your data but you want to be fair and extend the provisions. Jamie advised to always delete data which isn’t needed.

Another area of compliance is in your Terms & Conditions: it is no longer viable to have a five-page list of small print that hides how you share personal data, it now has to be transparent and obvious.  

4 Practical steps to be compliant

1. Carry out a data protection impact assessment to identify your information flows and risks. Questions to ask your business in this audit:

Q1: What types of data do you hold? Personal or sensitive personal data? On staff? On customers?

Q2: Why are you holding the data?

Q3: What is the justification for processing? Are you relying on consent or another lawful basis?

Q4: What are your security arrangements? Where is the data held / how is it stored? When do you destroy it?

Q5: Who has access to the data? Which staff access it? Is it shared externally and if so how? Can you segregate the data so staff only access what they need?

2. Integrate data protection compliance into your product at the outset (‘privacy by design’ and ‘privacy by default’), for example, use anonymisation and pseudonymisation so that processing of personal data is kept to a minimum. An example of this in practical terms is the Long Terms Conditions Test Bed project in the North West. Data was put into a controlled environment to be processed as it needed to be re-identified to go back to GPs and identify the patients at risk.

Also, make sure your security measures are up to date eg. access controls/segregation of data etc...

3. Develop a clear Privacy Notice (and related documents such as T&Cs / consent forms) which transparently set out your justification for processing personal data (the lawful basis for doing so) and what you will do with it. The more sensitive the data the more you need to have people agree with this notice and related documents (rather than hiding it).

4. Demonstrate compliance with accountability requirement by being proactive:

  • Stress test IT systems and make sure they are secure

  • Put robust record-keeping processes in place especially for data deletion

  • Have policies/procedures for data protection e.g. if someone wants to be removed

  • Roll out training for everyone in the organisation

  • Review data processing agreements to ensure compliance

  • Consider a DPO or lead

Jamie explained that if you are to follow these steps you’ll be compliant with GDPR. He made the point that GDPR wouldn’t become like the new PPI, with companies out to catch you for data breaches in order to make claims against you. This was the general consensus and worry around the issue, but he explained it was simply fear mongering.

He went on to say that data security is very important. Data breaches can be made without your company or employees doing anything wrong themselves. Carphone Warehouse was hacked, breaching their security, and was fined because of it.

The best thing you can do to make sure you are meeting compliance is to make your privacy notice a pop up that clearly states what you’ll do with the data you’re collecting and why you need to collect it in the first place. Again transparency is key. Jamie used the recent example of Cambridge Analytica and Facebook - they had stated that they’d share information to third parties, but this information was invisible. It was hidden in the small print somewhere, which means they didn’t do anything illegal. Now, however, under the new legislation, they could be persecuted for not being transparent enough.

Conclusion

Jamie’s two takeaways from this GDPR Lunch&Learn were:

  • Transparency: be open and honest with what you are doing with the data you collect
  • Accountability: The processes you follow to show you are compliant

A big thank you to Jamie for sharing his knowledge on GDPR, which comes into effect in the UK on 25th May. Make sure to join us for our next Lunch&Learn on Medical Device Design and CE Marking Basics on 9th May.