How to adapt your patient data processing in light of the GDPR
Skip to Content

How to adapt your patient data processing in light of the GDPR

Ensuring patient data is kept private and confidential is fundamental to the doctor-patient relationship. If a medical facility loses patient data—it is leaked online or stored in an insecure manner—surgeries, public and private healthcare providers and research scientists can face huge fines. Just this year, the Information Commissioner’s Office (ICO) fined a UK private health firm £200,000 after IVF patients’ confidential conversations with doctors were made freely available on the web.

By this time next year, the fines for such a mistake will be much greater. The EU’s General Data Protection Regulation (GDPR) will be coming into force by mid-May 2018, with fines as high as €20 million or 4% of annual turnover (whichever is greater). The new laws will replace the UK’s current approach to data security regulations and will require anyone who processes patient data to conform to much more stringent standards of data protection.

So, how will the GDPR affect how you process patient data, and what can you do to prepare?

The GDPR’s impact on patient data management

The GDPR will have a huge impact on almost every sector that processes the data of EU citizens, changing how they collect and store data, and what they can do with it. However, focusing specifically on healthcare data protection, the GDPR will introduce certain additional measures. Health sector organisations we expect to be directly affected by the GDPR include:

  • Public sector healthcare
  • Private healthcare
  • Cosmetic surgery providers
  • Technology companies providing health and fitness apps
  • Any online medical profiling services
  • Pharmaceutical companies
  • Any patient health researchers

How the GDPR will affect healthcare organisations

Let’s look at how the new regulation will affect the healthcare industry’s data treatment practices.

  • You will almost certainly be affected

If you hold any data whatsoever on EU citizens, you will be affected—that includes patient data, but also includes information on staff and contract workers. Also, if you offer goods or services in the EU, the rules will also affect you.

  • You will have to gain explicit consent whenever you collect patient data

While most medical professionals explicitly ask for consent from patients about the data they collect, these practices may need to be reviewed, and often in areas that you may not be fully aware of. For instance, do you have online forms where people can request more information about your services? You’ll almost certainly have to provide more information about what you do with the data entered into such online forms and gain explicit consent from the people who use them.

  • You must allow patients to remove all data you hold on them

The GDPR will allow members of the public to request that you collect all the data you hold on them and delete it—the so-called ‘right to be forgotten’. This will mean that you will need to be able to put into motion a search across your systems and remove all patient data as requested.

  • Protection by design

Healthcare providers must make additional efforts to protect how data is stored on their systems. The way many healthcare organisations manage patient data today just isn’t up to scratch—as highlighted by the IVF clinic mentioned above. All organisations that process patient data will be obliged to review and update how they manage these details.

  • Scientific research

The GDPR does permit medical research using existing patient data, yet its definitions of exactly what scientific research counts as is a little unclear. In any case, medical research using patient data will need to be shown to have taken adequate steps to anonymise the data—pseudonymising the data is a good start.

  • Reporting data breaches

The GDPR insists that any organisation must report a data breach to the authorities, in the case that could result in some form of risk to individuals, the affected individuals should also be notified. Given that a breach of patient data records could be enormously damaging to an individual’s reputation and even lead to them being blackmailed, the chances of a private patient data leak being risky are very high.

Healthcare and the GDPR

The GDPR is a welcome move, and will ensure patients, doctors and researchers can all have a clearer idea of where data is stored, who it belongs to and what is being done with it. The GDPR will help healthcare organisations by removing many of the grey areas that have led to breaches in the past, and will ensure that patient data is more likely to be managed successfully.

To ensure your organisation is compliant with the GDPR, it is highly recommended you carry out a GDPR compliance assessment before the law comes into effect. At bluesource, we have developed a sophisticated and flexible framework for understanding how data is being stored in your organisation and can help you develop a roadmap towards GDPR compliance (learn more here).


To discuss the GDPR and the way it affects how you manage patient data, contact one of our expert consultants today.