healthcare sector

Healthcare sector: How to Comply With GDPR?

Since GDPR entered into force, the personal data protection has become more challenging to the Healthcare sector. Meaning that data must be managed with more of a holistic approach. Organizations must have certain procedures in place that can be acted upon immediately in order to meet the requirements. Starting with being more cautious with the personal data, knowing where it is being stored and how it is being processed. This applies for both, public and private sector:  hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, e-shops that sells pharmaceuticals, and every other company or organization that processes data concerning health.

The definition of sensitive data and conditions to process it

The GDPR defines personal data processed in the Healthcare sector as “sensitive data”. Therefore, standards for its protection are much higher and GDPR mentions three special references to data concerning health:

  1. Data concerning health – “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
  2. Genetic data – “personal data relating to inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
  3. Biometric data – “personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

The processing of mentioned forms of data is allowed under certain conditions only, which are:

  1. The explicit consent to process the data is received from the data subject.
  2. “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services […].”
  3. “Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices […].”

However, according to the GDPR, Member States may maintain or introduce further conditions, including limitations, regarding the processing of genetic data, biometric data or data concerning health. With the GDPR, data subjects gain more rights. For the Healthcare sector, the most important ones are the right to access that allows data subjects to access their health data that is processed. The right to data portability allows data subjects to transmit their health data to any other healthcare provider more easily. The right to be forgotten – the most difficult one to operationalize. It allows data subjects to request for termination on health data processing and it’s deletion.

It‘s stated under the GDPR that Healthcare sector should have a Data Protection Officer (DPO), since sensitive data being processed on a large scale. Carrying out a Data Protection Impact Assessment (DPIA) helps to evaluate the origin, nature, particularity, and severity of a risk to the rights and freedoms of individuals that processing operations are likely to result.

The Healthcare sector has an obligation to report security breaches (within 72 hours) not only to the local data protection authority but also to individuals whose personal data might be compromised. Clear, practical and effective procedures in the case of the breach should be thought through. Breach notification procedure, including detection and response capabilities, must be put in place. Therefore, training and fire drills should be done every once in a while, to keep the staff and the system ready.

In the case of a data breach, fines can reach up to 20 mln € or 4% of the global annual turnover, whichever amount is higher. The most recent breach in the Healthcare sector happened in Portuguese Hospital. The fine of 400 000€ was initially imposed for accessing patient data through false profiles. Read more about GDPR fines.

EU Member states may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.

Steps for the Healthcare sector to take towards the compliance

In order to avoid any breaches, organizations must implement compliance points mentioned above, including reviewing contracts – DPA (Data Processing Agreements). As well as, updating policies, procedures, documentation, and records in order to be ready for inspections. Therefore, data processing activity records and data retention and deletion periods also should be in place.

Due to aging IT infrastructure and weak IT security practices, the Healthcare sector is one of the greatest targets for cyber-attacks. Meaning that technical security measures must be set in order to avoid unauthorized access, mishandle and loss of personal data kept in the server or cloud.


More on:

Share on facebook
Share on linkedin
Share on twitter
Share on pinterest
Share on email

Try our GDPR Compliance Tool GDPR Register for 14-days.

No credit card required.

Latest Posts
Personal Data Breach Reporting Requirements Under the GDPR

Personal Data Breach Reporting Requirements Under the GDPR

What is Data Breach? A personal data breach is security incident that results in the accidental or unlawful destruction, loss,...
Direct marketing rules and exceptions under the GDPR

Direct marketing rules and exceptions under the GDPR

Direct marketing includes text messages (SMS) and emails that a customer receives from a product or service provider. But activities...
Records of processing activities in GDPR Article 30

Records of processing activities in GDPR Article 30

What do companies have to include in the records of processing activities? GDPR Article 30 requires companies to keep an...
Data Protection Authorities (DPA)

Data Protection Authorities (DPA)

Data Protection Authorities (DPA) Data Protection Authorities (DPA) are independent public authorities that supervise, through investigative and corrective powers, the...
Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

What is a DPA? A Data Processing Agreement (DPA) is a legally binding document to be entered into between the controller...
GDPR compliance checklist for controllers

GDPR compliance checklist for controllers

This is a simple GDPR compliance checklist for controllers that you can use to ensure you have considered most important...
GDPR Basics: Are you a Controller or a Processor?

GDPR Basics: Are you a Controller or a Processor?

What are ‘controllers’ and ‘processors’? With this short and simple article, we will try to explain the basics of controllers...
Templates for Records of Processing Activities

Templates for Records of Processing Activities

As we see every day, most companies and organisations still keep their Records of Processing Activities in spreadsheets. Through our...
Web plug-in requires visitor’s consent

Web plug-in requires visitor’s consent

In the light of the recent ruling of the European Court of Justice, website owners have to bear in mind...
First GDPR fine issued in Lithuania

First GDPR fine issued in Lithuania

A year after GDPR came into force, the Lithuanian Data Protection Authority (VDAI) has issued its first administrative fine. UAB ‘Mister Tango’,...

Zpracovává vaše společnost osobní údaje?

Zpracovávat vaše společnost osobní údaje fyzických osob, jako jsou:

  • Údaje zaměstnanců, zákazníků, uchazečů o zaměstnání nebo pacientů včetně:
    • Jméno nebo osobní identifikační číslo
    • Kontaktní údaje (e-mailová adresa, telefonní číslo, adresa)
    • Bankovní údaje, plat, údaje o pasu nebo jiné osobní údaje


Ar Jūsų įmonė renka ir tvarko fizinių asmenų asmens duomenis? 

Asmens duomenys gali būti:

  • Kliento, darbuotojo. paciento, kandidato į darbo vietą ir kt. 
    • Vardas ar asmens  numeris 
    • Kontaktinė informacija (el.pašto adresas, telefono numeris, adresas ir kt)
    • Banko sąskaitos  duomenys, atlyginimo dydis, paso duomenys ar bet kokia kita asmeninė informacija. 

Onko yrityksessäsi enemmän, kuin 250 työntekijää?

Kas teie ettevõte kogub ja töötleb isikuandmeid?

Kas teie ettevõte kogub ja töötleb füüsiliste isikutega seotud andmeid nagu näiteks:

Töötajate, klientide, tööle kandideerijate, patsientide:

  • Nimi, isikukood
  • E-posti aadress, telefoninumber, kodune aadress
  • Pangakontonumber, palgasumma, krediitkaardiandmed või mõnda muut tüüpi isiklikud andmed

Does your company collect any personal data?

Does your company collect and process any personal data of natural persons such as:

  • Employees, Customers, Job Applicants or Patients including:
    • Name or personal ID number
    • Contact details (Email address, Phone number, Address)
    • Bank details, Salary amounts, Passport details or any other personal data