GDPR: WHAT IS IMPORTANT TO KNOW
By 25 May 2018 we must all comply with the new European Regulation on the Processing of Personal Data (GDPR). The topic is of great interest, so we will try to take stock of the situation, focusing on the fundamental aspects, with the help of the advice of the specialized law firms that assist us.
Does the new GDPR also affect medical and dental practice?
The answer is Yes. The dental practice holds patients' personal data and information that reveals their state of health, so it is required to process and store them in compliance with the regulation.
The second question is: do we have to worry?
The answer is No. It is necessary to be informed and to carry out measures that protect personal data, their processing and their storage.
The aim of the new regulation is to verify that the processing of data has a lawful purpose, that it is carried out in a secure way and that people are well informed.
To ensure this, the legislator has introduced new rights for the person concerned (the patient):
Right to be forgotten:
The patient may request that data concerning him be deleted or obscured. In the health sector some data must be kept for a certain number of years for medical and legal reasons; in that case it is preferable to obscure the data instead of deleting it.
Right to data portability:
The patient may request, and must be able to obtain, a copy of his data in an interchangeable electronic format, for example XML.
Right to know where our data is processed:
The privacy law provides that data must be protected from unauthorized access and that all necessary actions are taken to guarantee its security and integrity, such as the obligation to make periodic backup copies.
The new GDPR introduces the concept of Privacy by Design, a key element of the Regulation on personal data protection, which requires that the IT solutions used for data processing be designed and developed with the aim of protecting people's privacy.
We do not want to go into technical issues, but we must mention some essential requirements:
– Access to software that processes data must be regulated by a credential system. Each operator must have his or her own ID and password, which determine which data he or she may access according to his or her role.
– It will be necessary to demonstrate that you have an active data backup process that prevents accidental loss. To verify the effectiveness of the backup system, data recovery tests must be performed.
– Software must provide data protection tools that prevent fraudulent access and privacy violations: for example, encryption transforms data through a specific algorithm so that it can be read only through the corresponding decryption process.
If patients' data is provided to third parties (as in the case of the dental laboratory), there are two ways to fulfil the new regulation:
– Pseudonymisation of the data: a random code is used in place of the data that could lead to the identification of the patient.
– Designating the laboratory as data processor and requiring it to fulfil the obligations set out by the GDPR.
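As an added illustration of the first option (pseudonymisation), written for this article and not code from OrisDent or the original post: the practice keeps the re-identification table in-house and hands the laboratory only a random code plus the order details, refusing to send any direct identifier. The patient record and field names are constructed.

```python
import secrets

# Constructed sample patient record held by the practice (not real data).
PATIENT = {"patient_id": "P-0042", "name": "Mario Rossi", "date_of_birth": "1975-03-14"}
# What the laboratory actually needs to make the prosthesis: no direct identifiers.
LAB_ORDER = {"tooth": 36, "shade": "A2", "material": "zirconia"}

# Fields that identify the patient and must never leave the practice.
DIRECT_IDENTIFIERS = {"patient_id", "name", "date_of_birth"}


class Pseudonymiser:
    """Replaces the patient with a random code; the mapping code -> patient
    stays inside the practice, so only the practice can re-identify."""

    def __init__(self):
        self._code_to_patient = {}   # re-identification table (practice only)
        self._patient_to_code = {}   # reuse the same code for repeat orders

    def pseudonymise(self, patient, payload):
        pid = patient["patient_id"]
        code = self._patient_to_code.get(pid)
        if code is None:
            # 16 random bytes: unguessable and carrying no information about the patient
            code = secrets.token_hex(16)
            self._patient_to_code[pid] = code
            self._code_to_patient[code] = patient
        record = {"pseudonym": code, **payload}
        # Defensive check: never send a direct identifier to the laboratory.
        leaked = DIRECT_IDENTIFIERS & set(record)
        if leaked:
            raise ValueError(f"direct identifiers in outgoing record: {sorted(leaked)}")
        return record

    def reidentify(self, code):
        """Called when the finished work comes back from the laboratory."""
        return self._code_to_patient[code]


if __name__ == "__main__":
    p = Pseudonymiser()
    outgoing = p.pseudonymise(PATIENT, LAB_ORDER)
    print("sent to lab:", outgoing)
    print("back at practice:", p.reidentify(outgoing["pseudonym"])["name"])
```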
The results of all the actions and tests listed above are then recorded in the 'Treatment Log'.
But who is required to ensure all these aspects?
The answer is 'the Data Controller', who is usually the professional or the legal representative of the company.
This information must be provided in the consent to the processing of personal data, which the patient must necessarily sign before any type of treatment begins.
The Data Controller always bears primary responsibility towards third parties. He therefore cannot expect to exonerate himself through external "assignments" of technical matters, and these deserve close attention in order to avoid future problems related to the loss of data or to difficulty in controlling the processing.
Once appropriate security measures have been established, the GDPR also asks that the risks to people's privacy, and the measures to deal with them, be assessed in advance: the so-called 'impact assessment'.
All these functions are largely included in OrisDent evo, but they will be further implemented and harmonized in the coming months, in the light of the adjustment measures that the GDPR requires of the legislation.
For the moment we can assure you that OrisLine Group is dedicating, as always, particular attention to Data Protection and that, from the date on which the GDPR enters into force, our products and services will continue to provide the appropriate tools to help you fulfil what the new regulation requires. It will be our responsibility to provide you with the necessary documentation for the requirements that involve the management software.
Click here to go to the official GDPR portal.