On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). This new landmark privacy law expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data.
GDPR will strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
In addition, GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. HIMSS members across the globe should be aware that any organization that processes personal data of EU individuals is within the scope of the law, regardless of whether the organization has a physical presence in the EU. Under GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
GDPR changes privacy law by expanding data privacy rights for EU individuals, adding data breach notification and security requirements for organizations, and imposing requirements on customer profiling and monitoring. GDPR also includes binding corporate rules that organizations can use to legalize transfers of personal data outside the EU, and a fine of 4% of global revenue for organizations that fail to meet their GDPR compliance obligations.