The Privacy Journey: De-Mystifying GDPR, An Overview for HCP Reporting Organizations
By Debra Chong, Esq. – Co-Founder and CEO, Lenos Software
March 2018
HCP and GDPR Intersect
HCP compliance requires the collection and reporting of data related to spend on health care professionals (“HCPs”). Requirements vary by country and state as to what data must be collected and reported and how it is aggregated for reporting. The purpose of HCP reporting is financial transparency of the spend by health and pharmaceutical organizations on HCPs.
HCP reporting requirements address spend and transparency. The EU’s GDPR (General Data Protection Regulation), by contrast, protects the privacy of individuals: it governs the collection of personally identifiable information (PII) and the management of that data, and it grants individuals rights over how their data is used and managed, regardless of whether the information was collected for personal or business purposes.
Simply stated, GDPR prescribes standards and duties of care for the collection and management of PII belonging to individuals in the EU. Compliance in any arena is a challenge, but meeting this challenge is an opportunity for you and your organization to further engender trust with your audience.
HCP Data Collection Includes Personally Identifiable Information Subject to GDPR
To provide for the integrity and accuracy of the data collected for HCP reporting, PII is also collected from HCPs. PII is any data that can be tied to a specific individual. Some of the most obvious PII is First Name, Last Name, Addresses, Medical Specialty/Specialties, Medical School, Year of Graduation from Medical School, National Provider Identifier, Board Certification(s), etc. Data is also collected from these individuals for taxation, fulfillment and other purposes. PII collected from EU citizens is to be collected and managed according to GDPR’s requirements.
GDPR also applies to many health care professionals in the United States: a large percentage of these professionals are European citizens who hold US citizenship or are permanent/temporary residents of the United States (according to the Center for Health Workforce Studies at the University of Washington, January 2017, 12.5 percent of health care professionals are naturalized US citizens and 10.8 percent are non-US citizens who were born in Europe). Even where these HCPs are naturalized US citizens, it is likely that they still hold citizenship of an EU country, as most European Union countries provide for dual citizenship.
Should there be different data privacy requirements for EU Citizens and non-EU Citizens?
The simple answer is NO. Why? Trust is paramount to all data collection, and trust is an asset. The best approach is to adapt all data collection processes to match GDPR requirements: your organization is then more likely to comply with every privacy requirement it is subject to, and the data collected will be of the highest quality.
Some approaches to compliance read the visitor’s IP address to decide whether they are accessing the website, and providing data, from a location in the EU. This method does not determine whether the person is an EU citizen; it only indicates that the request arrived through an Internet provider located in the EU. An EU citizen travelling abroad is missed, and a non-EU visitor on an EU network is caught. More importantly, Virtual Private Networks are in common use, and an individual’s traffic can be routed through any network they select anywhere in the world, regardless of their actual physical location.
Another approach that some have proposed is to run different privacy and data collection practices for EU and non-EU citizens. This approach is not recommended, as it tells your audience that privacy rights are recognized only for a select group of individuals, and not for everyone with whom your organization transacts business. Separate is not equal in any situation.
As trust is the new currency and an organization’s brand is paramount, protect and promote brand equity by adopting privacy standards that engender trust in your audience. Nothing is more important than trust.
What does this mean for organizations that collect PII in their normal course of business, including HCP reporting?
Even before the adoption of GDPR, a best practice of data collection was to post the organization’s Privacy Policy/Statement at the point of collection, informing the individual of the reasons for collecting the information, the purpose for which it will be used and the time frame for which it will be retained. Under GDPR (Article 4(11)), consent to the collection of PII must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement”.
  • Only your organization’s Privacy Statement should be posted for consent in the collection of data.
    If another organization’s privacy statement is posted in place of your organization’s Privacy Policy, the individual has consented to that organization’s terms, and that organization has in effect acquired rights to your data. Even if an agreement (such as a licensing agreement) specifies that your organization owns the data and that it is to be kept private, the posted privacy policy is what the individual agreed to, and it will determine who the data belongs to and how it may be used.
  • Obtain affirmative consent when collecting data.
    This means that the individual has given an informed and affirmative consent, not merely clicked through and completed a form, been shown the privacy statement in a pop-up window, or had a privacy policy available for download on the site where the data is collected. A pre-ticked “opt-in” box is another example of the absence of affirmative consent.
    Your organization should display its complete privacy statement whenever it collects data from an individual, and no data should be collected unless the individual clearly and affirmatively agrees to/accepts the policy.
  • Cookies and other similar mechanisms to track individual behavior, as well as re-targeting or re-marketing should only be used when an individual provides an informed and affirmative consent to their use.
    It has been common practice for some web properties to drop cookies or use tracking mechanisms on visitors to their site, and for technology providers to drop cookies and use tracking mechanisms to follow the behavior of their clients’ customers, in some cases selling the resulting data to data marts. Under GDPR, any use of cookies, tracking mechanisms or any other means of tracking individuals must be by informed and affirmative consent.
    Re-targeting, the practice of following an individual across the Web and displaying ads, whether the ad is for the web property/supplier or for your organization, must be affirmatively consented to under GDPR.
    How is re-marketing different than re-targeting?
    The primary difference is that re-marketing uses e-mail. However, some analysts consider them the same.
    If you visit a web property whose consent prompt covers more than a few cookies, say 20+ cookies from the site itself and 100+ from third parties, and you click “accept”, is that consent informed? Can you understand what each of those cookies does?
  • Cookies should be used to provide for security in accessing data during a browser session and not for creating individual or organizational profiles.
    The most common analytics derived from cookies are traffic, demographics, audience, engagement, political interests, segmentation, etc. What does this really mean? Cookies intrude on an individual’s privacy. Worse, in some cases data from cookies is immediately shared and/or sold to data marts and combined with other data sources to build a deeper profile, which in some cases adversely affects the individual with respect to credit, employment, etc.
    In general, cookies can track these behaviors:
    Traffic - Provides a view of the audience by platform (Web/Mobile), country, time period, etc.
    Demographics – Age, gender, family, location, income, education and occupation
    Audience – Purchases, brand preference, vehicles driven, what is watched, etc., may be combined with data from credit reporting agencies, credit card companies, streaming video companies, etc.
    Engagement – Passing by, regular visitor or frequent visitor, etc.
    Political Interests – Party affiliation, etc.
    Segmentation – Identify what parts of a website, authors and articles you like, etc.
  • Data from cookies can create a security risk for your organization.
    Behavioral data gathered from an individual’s cookies, and data aggregated across individuals from the same organization, can create a security risk for that organization or expose highly confidential information about it. This data can be purchased and revealed in real time to parties whose interests are adverse to you or your organization. Whether individual or aggregate, the data tells a story.
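The post draws a line between cookies that secure a browser session and cookies that profile the visitor, and asks whether consent to 100+ cookies can be informed. The following is an added example, not code from the original post or from Lenos Software: it builds a session cookie restricted to the security role described above, and audits a constructed set of Set-Cookie headers (as a proxy log or HAR export would record them, with the responding host) to separate first-party session cookies from persistent or third-party ones that look like tracking. The host `hcp-portal.example`, the cookie names and the header values are all assumptions made for this example.

```javascript
// Added example (not from the original post). Constructed sample data only.

// Assumed site under audit; everything on this host or a subdomain is first-party.
const SITE_HOST = "hcp-portal.example";

// Constructed Set-Cookie headers observed during one page load, with the host
// that sent each one. No real site or response is represented here.
const SAMPLE_RESPONSES = [
  { host: "hcp-portal.example",
    setCookie: "sid=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Strict" },
  { host: "static.hcp-portal.example",
    setCookie: "csrf=a1b2c3; Path=/; Secure; SameSite=Lax" },
  { host: "hcp-portal.example",
    setCookie: "_vis=GA1.2.99; Max-Age=63072000; Path=/" },
  { host: "ads.tracker.example",
    setCookie: "uid=9d8e7f; Domain=.tracker.example; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Secure; SameSite=None" },
];

// A cookie that only carries the session: no Expires/Max-Age, so the browser
// discards it when the session ends; Secure (HTTPS only); HttpOnly (page
// scripts cannot read it); SameSite=Strict (never sent on cross-site requests,
// so it cannot be used to correlate the visitor across other sites).
function sessionCookieHeader(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("bad cookie name");
  if (/[;,\s]/.test(value)) throw new Error("bad cookie value");
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Minimal Set-Cookie parser: name/value pair followed by ';'-separated attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1), maxAge: null,
              expires: null, secure: false, httpOnly: false, sameSite: null, domain: null };
  for (const a of attrs) {
    const [k, v = ""] = a.split("=");
    switch (k.toLowerCase()) {
      case "max-age": c.maxAge = Number(v); break;
      case "expires": c.expires = v; break;
      case "secure": c.secure = true; break;
      case "httponly": c.httpOnly = true; break;
      case "samesite": c.sameSite = v; break;
      case "domain": c.domain = v.replace(/^\./, ""); break;
    }
  }
  return c;
}

function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

// Classify every observed cookie. A cookie is flagged as likely tracking when it
// is persistent (survives the session) or is set by a third party; the hygiene
// flags (Secure/HttpOnly/SameSite) apply to first-party session cookies too.
function auditSetCookies(responses, siteHost = SITE_HOST) {
  const findings = responses.map(({ host, setCookie }) => {
    const c = parseSetCookie(setCookie);
    const firstParty = isFirstParty(host, siteHost);
    const persistent = c.maxAge !== null || c.expires !== null;
    const flags = [];
    if (!firstParty) flags.push("third-party");
    if (persistent) flags.push("persistent");
    if (!c.secure) flags.push("missing-Secure");
    if (!c.httpOnly) flags.push("missing-HttpOnly");
    if ((c.sameSite || "").toLowerCase() === "none") flags.push("sent-cross-site");
    return { name: c.name, host, firstParty, persistent, flags,
             likelyTracking: !firstParty || persistent };
  });
  const summary = {
    total: findings.length,
    firstParty: findings.filter((f) => f.firstParty).length,
    thirdParty: findings.filter((f) => !f.firstParty).length,
    likelyTracking: findings.filter((f) => f.likelyTracking).length,
  };
  return { findings, summary };
}

// Stand-alone run: print the audit of the constructed sample.
const report = auditSetCookies(SAMPLE_RESPONSES);
for (const f of report.findings) {
  console.log(`${f.host}\t${f.name}\t${f.likelyTracking ? "TRACKING?" : "session"}\t${f.flags.join(",") || "-"}`);
}
console.log(JSON.stringify(report.summary));
```

Run this against a real HAR export (the `host` and `setCookie` fields map onto each entry’s response URL and Set-Cookie header) and the `likelyTracking` list is the inventory a consent prompt has to explain; anything that is not a first-party session cookie should appear there, described, before the visitor is asked to agree.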
How should an organization comply with GDPR?
  • Beware of certifications. A certification has never, by itself, satisfied a regulatory body reviewing compliance, and certifications can be misleading. For a certification to have any validity, the issuing organization should not run a “pay to play” or self-certification process. Ask what the requirements for certification are and how compliance with those requirements is validated.
  • The key to compliance is the level of commitment that you and your organization undertake and the ability to demonstrate the steps that have been taken to comply. Automation, together with standard operating procedures for the collection of data, reduces the potential for human error. Training, internal controls and auditing should all be considered when creating those standard operating procedures.
    1. Ensure that privacy policies properly disclose what data is collected, how it may be used, how long it is retained, and how the individual can update/edit the data or request that it be erased/deleted
    2. Review privacy policies to ensure that they are appropriate for the data being collected; one size does not fit all
    3. Retain privacy policies and the consents given to each version of them
    4. Ensure that privacy policies are properly displayed and affirmatively consented to before any data is collected
    5. Use cookies or other tracking mechanisms only when their use is properly disclosed and affirmatively consented to
    6. Consider using cookies only for session data and for verifying that the individual may access their own data
    7. Provide automated mechanisms for updating data and withdrawing consent, and track the actions taken
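Items 3, 4 and 7 of the list above describe a record-keeping procedure: keep the consent together with the policy version that was shown, refuse anything that was not an affirmative act, and make withdrawal automatic and traceable. The following is an added example of an append-only consent ledger that does this; it is not code from the original post or from Lenos Software, and the subject identifiers, purposes, policy versions and policy text are assumptions made for the example.

```javascript
// Added example (not from the original post). Constructed sample data only.

// Only these count as a "clear affirmative action". A pre-ticked box, scrolling
// past a notice or closing a pop-up is recorded as nothing at all.
const AFFIRMATIVE_ACTIONS = new Set(["checkbox_ticked", "button_clicked"]);

// Assumed policy versions. The text is retained verbatim with each grant so the
// organization can later show exactly what the person agreed to.
const POLICY_V1 = { version: "2018-03-01",
  text: "We collect name, address, specialty and NPI for HCP spend reporting." };
const POLICY_V2 = { version: "2018-05-25",
  text: "We collect name, address, specialty and NPI for HCP spend reporting and event logistics." };

// Append a grant. Throws instead of recording when the action is not affirmative,
// so a form that relies on a pre-ticked box cannot produce a consent record.
function recordConsent(ledger, { subjectId, purpose, policy, action, at }) {
  if (!AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`consent not recorded: '${action}' is not an affirmative action`);
  }
  ledger.push({ type: "grant", subjectId, purpose, action,
                policyVersion: policy.version, policyText: policy.text,
                at: at ?? new Date().toISOString() });
  return ledger.length - 1; // index of the appended event
}

// Withdrawal is appended, never applied by deleting the grant: the history of
// what was consented to, and when it was withdrawn, is what an audit needs.
function withdrawConsent(ledger, { subjectId, purpose, at }) {
  ledger.push({ type: "withdraw", subjectId, purpose, at: at ?? new Date().toISOString() });
  return ledger.length - 1;
}

// The latest event for (subject, purpose) wins, and a grant is valid only for the
// policy version the person was actually shown; a changed policy needs new consent.
function hasValidConsent(ledger, subjectId, purpose, currentPolicy) {
  const events = ledger.filter((e) => e.subjectId === subjectId && e.purpose === purpose);
  if (events.length === 0) return false;
  const last = events[events.length - 1];
  return last.type === "grant" && last.policyVersion === currentPolicy.version;
}

// Everything recorded about one person, for an access request or an audit.
function subjectHistory(ledger, subjectId) {
  return ledger.filter((e) => e.subjectId === subjectId)
               .map(({ policyText, ...rest }) => rest); // policy text available on demand
}

// Walk through the lifecycle on a constructed ledger and return what an auditor
// would check: the pre-ticked box is rejected, a policy change invalidates the
// earlier grant, and withdrawal is honored while the grant stays on record.
function demo() {
  const ledger = [];
  recordConsent(ledger, { subjectId: "hcp-1042", purpose: "spend-reporting",
    policy: POLICY_V1, action: "checkbox_ticked", at: "2018-03-02T10:00:00Z" });
  let preTickedRejected = false;
  try {
    recordConsent(ledger, { subjectId: "hcp-2077", purpose: "marketing",
      policy: POLICY_V1, action: "pre_ticked", at: "2018-03-02T10:05:00Z" });
  } catch (e) { preTickedRejected = true; }
  const validUnderV1 = hasValidConsent(ledger, "hcp-1042", "spend-reporting", POLICY_V1);
  const validUnderV2 = hasValidConsent(ledger, "hcp-1042", "spend-reporting", POLICY_V2);
  withdrawConsent(ledger, { subjectId: "hcp-1042", purpose: "spend-reporting",
    at: "2018-04-01T09:00:00Z" });
  const validAfterWithdrawal = hasValidConsent(ledger, "hcp-1042", "spend-reporting", POLICY_V1);
  return { preTickedRejected, validUnderV1, validUnderV2, validAfterWithdrawal,
           eventsOnRecord: ledger.length,
           history: subjectHistory(ledger, "hcp-1042") };
}

console.log(JSON.stringify(demo(), null, 2));
```

In production the array would be an append-only table or log, but the two properties worth keeping are the ones shown: nothing is ever deleted, so the withdrawal and the grant it cancels are both visible, and a consent is tied to a policy version, so re-publishing the privacy statement automatically puts everyone back into the “consent required” state for that purpose.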