3 things you must know about the new EU data regulation

July 9, 2016
.  written by 
Jón I.

On the 4th of May 2016, the Official Journal of the European Union published the new EU regulation 2016/679 (GDPR), and directives 2016/680 and 2016/681 in their final form. Both directives and regulation entered into force from the 24th of May 2016, and shall fully apply from the 25th of May 2018. With this new regulation in place, the older directive 95/46/EC, which is often referred to as ”the golden standard for data protection”, is repealed with effect from 25 May 2018.In short terms, we now have a newly functional regulation which covers data/information privacy of all residents in all member states of the European Union.

Myths regarding data privacy have been circling around for years, due to contrasting laws in different EU member states, lack of knowledge, and mixed personal opinions on the matter. With this new regulation and directives in place, this will hopefully change for the better. However, accomplishing compliance with this new regulation will be a huge task for those who aren’t experienced with data privacy or security standards. During the course of the next 2 years, all actors and organizations, which act as controllers or processors of information about residents of the European Union, shall comply with this new regulation. All member states shall therefore enforce this new regulation according to the two directives. If you, or your organization in any way, act as a data controller, or data processor regarding personal identifiable information (PII) of EU residents – especially in combination with healthcare data, you shall comply with this regulation. In addition, not only should you know the three things highlighted in this article – but also be aware of all other requirements set forward, when designing or implement solutions which are to process PII. Without diving into too many details, here are the three things you should be aware of from the new regulation.

1. Pseudonymization, or encryption alone does not make you compliant

Many believe that by “pseudonyming” or encrypting information, you will be safe and compliant with data privacy standards. This is wrong. Although the data cannot be read in clear text, it is still PII and must be treated as such. From now on, ANY type of data which can be tracked back to a natural person, whether it’s an address, biological data, e-mail, or a telephone number, shall be treated as PII and must be processed as such – it doesn’t matter if the information alone is linked directly to a name or not, or if a person with access to it can understand the data or not.

2. Documentation on how you control and process information can be requested, and failing to report can have major consequences

From now on, member states agencies can request data controllers and processors to report, and document how PII is handled and processed. This does not only require you to document your internal organizational structure for information security, but also on how your systems process PII – and even how they are designed and validated to do so. Quality assurance documentation, standard operating procedures, and organizational structure now play a major role in complying with the new regulation.

3. If you have less than 250 employees, you must still comply with the regulation

Although the regulation specifies that some of its articles do not apply to smaller or micro organizations, or those with less than 250 employees you must still be aware of the regulation’s context. In addition, member states CAN enforce similar or same laws to smaller organizations as described in the regulation, which WILL affect your organization. Being wrong on the matters of data privacy can have major consequences. From now on, member states or the EU, can now enforce administrative fees of up to 20.000.000€, or 4% of a total worldwide annual turnover, if any infringements are found or reported. Therefore, if you, or your organization has anything to do with controlling or processing PII, you SHOULD be aware of how you would comply with the regulation and the laws of your member state. If you would like to know how MEDEI can help you to comply with the new EU regulation for clinical data collection, or designing systems intended to process PII together with healthcare related data, contact us now via e-mail by using the form to the right. Remember to sign up for our newsletter!