7 Ways GDPR and HIPAA are being confused
I hate to break it to you, but data security compliance is getting harder.
With the European Union’s General Data Protection Regulation (GDPR) enforceable since the 25th of May 2018, many businesses around the Philadelphia metro, healthcare offices included, have been asking for clarification on (1) whether GDPR affects them at all, (2) whether HIPAA compliance is good enough to satisfy GDPR, and (3) how to keep data secure in a way that stays both HIPAA and GDPR compliant.
More data security compliance obligations under GDPR on top of growing HIPAA compliance pressures. What is your business to do? No two regulations are quite the same, which makes data security more confusing now than ever.
First off, what exactly is GDPR?
With concerns about data exposure and breaches harming people in Europe, the EU adopted the General Data Protection Regulation, which became enforceable on May 25th, 2018 and is one of the broadest-reaching data protection laws enacted anywhere.
In brief, GDPR defines a personal data breach as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data that is transmitted, stored or otherwise processed.
Instead of focusing on one type of data, GDPR extends protection to “personal data”, which is much broader in scope: essentially any information that can single an individual out. Any company that stores or processes such individually identifiable information is responsible for keeping it safe and for honoring an individual’s request to have their information permanently removed from its databases and datasets (subject to the regulation’s limited exceptions).
GDPR also applies to any organization that controls or processes the personal data of individuals in the EU, regardless of where the organization is based, if it offers goods or services to those individuals or monitors their behavior. Note that the test is whether the individual is in the EU, not whether they hold EU citizenship.
This means that even if you are a Philly-based business, if you are working with individuals in the EU, the European Union will hold you responsible for protecting and curating that data. You will need to not only protect this personal data the way you protect protected health information (PHI) under HIPAA, but also make sure that when an individual asks for their information to be removed, it is actually taken out of your systems, backups and exports included.
Today, I want to outline the 7 biggest ways GDPR and HIPAA compliance are NOT the same and get you to start reconsidering how you view your office’s data security.
In contrast to HIPAA, which applies to covered entities and their business associates, GDPR defines the responsible parties as controllers (organizations that decide why and how personal data is processed, such as employers, marketing firms, social media platforms, healthcare companies, etc.) and processors (organizations that process personal data on behalf of a controller, such as analytics companies, data storage or hosting providers, or any other vendor handling personal information for a controller).
Bottom line: if your business controls or processes any personal data of individuals in the EU, GDPR holds you accountable for that data; HIPAA only holds covered entities and their business associates accountable, and only for PHI.
Under GDPR, once you become aware of a personal data breach you have 72 hours to report it to the supervisory authority (unless it is unlikely to result in a risk to individuals), and you must document every breach, whatever its size, whether or not it has to be reported.
GDPR also gives individuals the right to have their data deleted on request (the “right to erasure”), subject to limited exceptions; HIPAA has no equivalent right.
Note: if you have any questions or concerns with your data protection, consider a free network security assessment.
Again, if you are concerned you are not taking necessary steps to protect your data, consider a FREE network security assessment.
Take Home: Data security and protection are hard. With growing data security concerns and growing regulations to protect personal information, is your business doing its due diligence to keep data secure?
Contact us TODAY for a free network security assessment!