EU General Data Protection Regulation (GDPR): Stringent data security requirements
The EU-wide General Data Protection Regulation, which comes into force on May 25, 2018, imposes much more stringent requirements on all organizations which collect personal data. There are severe penalties for non-compliance. Dr. Michael Foth, Managing Director of IBS data protection services and consulting GmbH in Hamburg, Germany, explains what the new regulation means for medical supply retailers.
Medical supply retailers need a whole host of data in order to supply their customers – e.g. address, age, gender, social security details, and health information. “Under the new General Data Protection Regulation, medical supply retailers will have to inform individuals about the data they are collecting,” explains data protection expert Dr. Michael Foth. “This obligation for transparency covers the purpose for which the data is collected and stored, as well as the issue of whether the data is being collected on a statutory basis or on the basis of a sales contract.” It must also be made transparent when the data will be deleted and who it will be forwarded to – whether this means the health insurance company, physician, care or nursing staff, or the manufacturer of orthopedic products.
Providing customers with sufficient information
“Medical supply retailers must also inform individuals about their right to obtain information about their stored data at any time. Moreover, medical retailers must advise customers that they have the right to lodge a complaint with a supervisory authority for data protection if they suspect an infringement of the regulation,” Dr. Michael Foth continues. “All of these details, compiled in the form of an information sheet, should be a component of the standard sales contract with a customer. This can then be produced by the medical retailer if necessary as evidence of his compliance with the duty of information.”
In accordance with the data minimization principle, only the data required for the purpose for which it is being processed may be collected. Under the terms relating to the principle of purpose, the data may only be used for the specified purpose and it must be deleted when it is no longer required for that purpose.
“Aside from normal health data, the General Data Protection Regulation now explicitly refers to biometric and genetic data, and attaches strict conditions to the processing of such data,” Dr. Michael Foth says. “Data of this kind, which is also collected by the Bodytronic 600 measurement system, must be protected in the systems against unauthorized access. This data must also only be stored for the length of time necessary for the purpose.” Bauerfeind already has many measures in place to protect customer data from unauthorized access. Measurement data is only ever transmitted over a secure connection and in an encrypted form. Moreover, an update for the measurement technology software is scheduled for early 2018, which will help with data minimization and simplify access to the information on data processing. Bauerfeind is therefore providing effective support for medical retailers, helping them to comply with the requirements of the General Data Protection Regulation.
Medical retailers in Germany can visit www.bauerfeind.de to obtain an information sheet about data protection for personal data for use in their business.
Image: Oliver Reetz