As healthcare manufacturers and service providers, we are no strangers to new regulations that affect our marketing efforts. For healthcare companies that sell and market their products in the European Union, the new General Data Protection Regulation (GDPR) is on the horizon: it applies from 25 May 2018.
What is GDPR?
GDPR is the General Data Protection Regulation (Regulation (EU) 2016/679). It replaces the 1995 Data Protection Directive and aims to give individuals better control over their personal data. Personal data is any information that relates to an identified or identifiable living person; it makes no difference whether the data was gathered in a private or a professional context, so a work email address or a job title at a hospital counts just as much as a home address. Data types include:
- Name, email, ID numbers, physical address
- Online identifiers such as IP addresses, cookie IDs and device identifiers
Who is affected by GDPR?
Any company that collects, stores or otherwise processes the personal data of individuals located in the European Union should be preparing for GDPR, regardless of where the company itself is based.
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you. (Source: Hubspot)
Key Rules and Requirements of GDPR
Four areas of the regulation matter most for marketing teams:
1. Notice and Consent -
- Before collecting an individual's personal data, tell them clearly who you are, why you are collecting it and what you will do with it (including whether it will be shared with partners or distributors).
- Tell the individual how long you will keep their data and that they can ask to have it corrected or deleted.
- Where you rely on consent, which is the usual basis for marketing communications, it must be freely given, specific, informed and given by a clear affirmative action. Pre-ticked boxes, silence, or consent buried in general terms and conditions do not count. Keep a record of when, where and for which purpose each consent was obtained so you can demonstrate it later.
- Withdrawing consent must be as easy as giving it: every communication needs a working opt-out, and a withdrawal has to stop further use of the data for that purpose.
2. Access and Modification -
- At any point an individual can ask what personal data you hold about them and receive a copy (right of access), have inaccurate data corrected (rectification) and, in many cases, have it deleted (erasure). You must respond without undue delay and at the latest within one month, so you need a way to find every record tied to one person across your CRM, email platform and event lists.
3. Deletion and limits on retention -
- You cannot keep an individual's personal data forever; it may be held only as long as it is needed for the purpose you collected it for.
- Write down a retention schedule and a deletion procedure for each category of personal data, and check that the deletion actually happens in every system that holds a copy, including exports and backups.
4. Security and data breaches -
- You must implement appropriate technical and organisational measures to protect the personal data you hold, in your databases and in every other system that stores a copy. What is "appropriate" depends on the sensitivity of the data; health-related data is in the special category and warrants stronger controls.
- A personal data breach must be reported to the supervisory authority within 72 hours of your becoming aware of it, unless it is unlikely to pose a risk to the people affected. Where the risk to them is high, the affected individuals must also be told without undue delay.
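The four points above translate into a handful of concrete operations on whatever system holds your contacts: record each consent with its purpose, source and timestamp; honor withdrawal; answer an access request with everything held about the person; correct or erase on request; and purge data once its retention period has run out. The following is an added illustration, not code from the original post or from KBK Communications. The record layout, the purpose names and the rule that data is purged a fixed period after the last consent ends are assumptions chosen for the example; a real retention schedule would be set per data category by your own policy.

```python
# Added illustration of a minimal consent and retention register.
# Not the page's own code; field names and the retention rule are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Consent:
    purpose: str                      # why the data was collected, e.g. "newsletter"
    granted_at: datetime              # when consent was obtained (notice-and-consent rule)
    source: str                       # where it was captured, e.g. "web-form"
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class Subject:
    subject_id: str
    data: Dict[str, str]              # the personal data actually held
    consents: List[Consent] = field(default_factory=list)


class ConsentRegister:
    """Tracks what personal data is held, under which consent, and purges it on schedule."""

    def __init__(self, retention: timedelta):
        self.retention = retention    # how long data survives after the last consent ends
        self._subjects: Dict[str, Subject] = {}

    def record_consent(self, subject_id: str, purpose: str, source: str,
                       data: Dict[str, str], now: datetime) -> None:
        subj = self._subjects.setdefault(subject_id, Subject(subject_id, {}))
        subj.data.update(data)
        subj.consents.append(Consent(purpose, now, source))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        subj = self._subjects.get(subject_id)
        return subj is not None and any(c.active and c.purpose == purpose for c in subj.consents)

    def withdraw(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """Opt-out: marks every active consent for that purpose as withdrawn, keeping the history."""
        subj = self._subjects.get(subject_id)
        if subj is None:
            return False
        changed = False
        for c in subj.consents:
            if c.purpose == purpose and c.active:
                c.withdrawn_at = now
                changed = True
        return changed

    def access_export(self, subject_id: str) -> Optional[dict]:
        """Right of access: everything held about the subject, consent history included."""
        subj = self._subjects.get(subject_id)
        if subj is None:
            return None
        return {
            "subject_id": subj.subject_id,
            "data": dict(subj.data),
            "consents": [
                {"purpose": c.purpose, "source": c.source,
                 "granted_at": c.granted_at.isoformat(),
                 "withdrawn_at": c.withdrawn_at.isoformat() if c.withdrawn_at else None}
                for c in subj.consents
            ],
        }

    def rectify(self, subject_id: str, key: str, value: str) -> bool:
        subj = self._subjects.get(subject_id)
        if subj is None:
            return False
        subj.data[key] = value
        return True

    def erase(self, subject_id: str) -> bool:
        """Right to erasure: removes the record entirely (no soft delete)."""
        return self._subjects.pop(subject_id, None) is not None

    def retention_sweep(self, now: datetime) -> List[str]:
        """Purge subjects with no active consent whose last consent event is older than the retention window."""
        expired = []
        for sid, subj in list(self._subjects.items()):
            if any(c.active for c in subj.consents):
                continue                      # still a live purpose; keep the data
            last_event = max((c.withdrawn_at or c.granted_at) for c in subj.consents) if subj.consents else None
            if last_event is None or now - last_event >= self.retention:
                expired.append(sid)
                del self._subjects[sid]
        return sorted(expired)


def run_demo() -> dict:
    """Walks constructed sample contacts through consent, withdrawal, access and retention."""
    reg = ConsentRegister(retention=timedelta(days=30))
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)              # constructed timeline
    reg.record_consent("s1", "newsletter", "web-form", {"name": "A. Example", "email": "a@example.com"}, t0)
    reg.record_consent("s2", "newsletter", "badge-scan", {"name": "B. Example", "email": "b@example.com"}, t0)
    consent_before = reg.has_consent("s1", "newsletter")
    reg.withdraw("s1", "newsletter", t0 + timedelta(days=1))      # s1 opts out the next day
    consent_after = reg.has_consent("s1", "newsletter")
    export = reg.access_export("s1")                              # what an access request returns
    early = reg.retention_sweep(t0 + timedelta(days=10))          # inside the 30-day window: nothing purged
    late = reg.retention_sweep(t0 + timedelta(days=40))           # window elapsed: s1 purged, s2 still active
    return {"register": reg, "consent_before": consent_before, "consent_after": consent_after,
            "export": export, "early_sweep": early, "late_sweep": late}


if __name__ == "__main__":
    result = run_demo()
    print("consent before/after withdrawal:", result["consent_before"], result["consent_after"])
    print("purged at day 10:", result["early_sweep"], "purged at day 40:", result["late_sweep"])
```

Two design points carry over to a real system: a withdrawal is recorded rather than deleted, so you can still show when consent existed and when it ended; and the retention sweep only touches records with no active purpose, so a contact who still wants the newsletter is not purged just because they declined something else.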
How Should Healthcare Marketers Prepare for GDPR? Questions to Ask
To ensure your organization is ready by 25 May, here is a list of questions to help you get started:
- What personal data does your company currently hold, and where is it? Inventory every system, not just the CRM: email platforms, webinar and event registrations, spreadsheets, and data inherited from distributors.
- How can you improve on notice and consent? Examine each point where you capture data, what the individual is told there about how their data will be used or shared, and whether you can prove when and how consent was obtained.
- Where do you store data? Evaluate your databases and any third-party tools. With whom do you share this information, and do you have written agreements with those processors? Do you have a clear process for managing this data, and appropriate security measures to protect it?
- What is your retention policy? At what point does your organization no longer have a lawful business reason to hold a given piece of personal data, and what is the process for deleting it when that point is reached?
The time is now to take action to ensure your organization is prepared for the May 2018 deadline.
KBK Communications is committed to providing relevant education to digital marketers in healthcare manufacturing, distribution, and service. To receive digital marketing updates, we invite you to subscribe to our blog.
Agency Note: This is intended strictly as information only and in no way constitutes legal advice or counsel. KBK Communications disavows any legal responsibility for the content supplied by the referenced sources.