GDPR: What US Companies Need to Know

Do you know whose data you have?

When the General Data Protection Regulation (GDPR) became law on May 25, 2018, it raised the bar on standards for data protection and security around the world. It also set off a massive ripple of global privacy laws that are changing business — and how we use the internet — forever. 

A common misconception by US companies is that the GDPR only applies to companies in Europe. If you’re a US company, GDPR directly applies to you today if you fall into one of these categories.

  • You have offices in the EU
  • You have offices in the US but customers around the world
  • You are a B2B company in the US that has EU clients

More specifically, if you collect or process the data of any EU citizens residing anywhere in the world, you need to pay attention to GDPR. 

GDPR caught a lot of US companies off guard. 42% of US sites are still blocking EU customers because they weren’t prepared to comply with GDPR. That’s a nice-sized market share just waiting to be tapped by whoever gets there first. 

Why all US companies should pay attention to GDPR

Understand that the GDPR is currently setting the framework for a rash of privacy legislation that is sweeping the US and the globe. It’s raising service, transparency, and accountability to levels that previously didn’t exist. Consumers are aware of these laws which means consumer trust is becoming an essential feature of brand ethos.

The biggest mistake US companies can make is to think of data privacy law as something restricted to Europe. It’s already here. The sooner US companies get in front of the standards set by the GDPR, the easier it will be to comply with any other privacy laws that become relevant to a company’s jurisdiction.

Privacy laws are being enacted in the majority of the states. One of the strictest privacy laws to pass in the US so far is the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020. 

What does GDPR do?

GDPR gives ordinary people an unprecedented amount of control over the personal information organizations can collect, retain, and process. It grants individuals the privacy and security of their personal data as a fundamental human right. 

All organizations operating within or outside of the EU that deal with any data of EU citizens, directly or indirectly, must have a lawful basis for collecting and processing personal data. Along with this required legal basis comes the responsibility of keeping that data safe and responding to a consumer’s request to amend, delete, or obtain a copy of it.

What is personal information under the GDPR?

  • Names, addresses, phone numbers, ID numbers, bank details, etc.
  • IP addresses, cookies, tags, pixels, email addresses, user names, Instagram and Facebook posts, Tweets, stories, etc.
  • The following data has special rules and companies need to be very careful with it — biometric data, health data (physical and mental), racial or ethnic data, political opinions, philosophical or religious beliefs, trade union membership, sex life and sexual orientation (Article 9(1)). 

When is it legal to collect and process personal information under GDPR?

Before you can ask for and collect anyone’s personal data, you need to have a legal basis for its collection and use — the GDPR outlines six lawful bases for collecting and processing someone’s information:

  1. Consent: The user has given you explicit consent to process specific data for a particular reason.
  2. Contract: You need to collect and process data to carry out a contract you have with the user.
  3. Legal obligation: You need to collect and process data to comply with the law.
  4. Vital interests: You need to collect and process data to save someone’s life.
  5. Public task: You need to collect and process data to complete a job that is in the public interest, or part of your official functions as a public officer, and the job has a clear lawful basis.
  6. Legitimate interests: You need to collect and process data for your legitimate interests, or the legitimate interests of a third party — unless that interest is overridden by the fundamental rights and freedoms of the user granted by the GDPR.

For most US companies, consent, contract, and legitimate interest are the legal bases that are most applicable. (Legal obligation, vital interest, and public task are designed to cover organizations engaged in public services and health.) 

Let’s discuss what consent, contract, and legitimate interest might mean to US companies so that you understand the extent to which you’ll need to redesign how you collect personal data, where you store it, and who you share it with, to comply with the GDPR.

What does consent mean under the GDPR?

Users can’t really give consent to something they don’t understand. The burden of making your intentions clear to your consumers in transparent and understandable language falls on you, the company, entirely. Not only do you have to be completely transparent with your consumer base, but you have to be able to prove to any privacy authorities that you have been. 

All communication with a user regarding their consent needs to be readable by the average person, not just lawyers. This does away with long illegible privacy policies full of legal and technical jargon. It requires companies to overhaul their privacy policies, terms and conditions, disclosures, opt-in boxes, and any other communication regarding a user’s data to comply with GDPR standards. 

What you need to do when you ask for consent

When you ask for consent, it needs to be informed consent. You have to explicitly lay out in everyday language why you want a user’s information and what you intend to do with it. 

You also have to advise users of their right to opt out, and of their rights to request deletion, correction, transfer, and a copy of their data. Whenever you request consent for a user’s information, you must include the following:

  • Who you are and your contact information
  • The contact of the Data Protection Officer (DPO), if you have one
  • The purpose for requesting the data
  • The legal basis for requesting the data
  • If the legal basis is legitimate interests pursued by you or by a third party, you have to say what those legitimate interests are
  • Identify who else will process data if there are any third parties involved

Two essential points about consent are:

Consent must be freely given: You must be able to prove that consent was freely given. Your request for consent must be in clear and understandable language.

Consent can’t be a precondition to using services: Consent must be separate from all other terms and conditions. This means that there is no longer a legitimate way to bundle a bunch of services and permissions together and simply provide an “I accept” checkbox. Nor can you use a pre-checked opt-in box or any other default method. 

Transparency in privacy policies and opt-ins under GDPR

The first step in transparent and informed consent is revising privacy notices, disclaimers, and cookie notices to include all of the information that the GDPR requires in simple, readable language. The GDPR wants you to inform users of the following:

  • What data do we collect? — Identify what data you collect. Name, email, phone, etc.
  • How do we collect your data? — Explain how data is collected. Forms, opt-ins, web browser, etc.
  • How do we use your data? — Explain exactly how the data will be used. Process an order, email list for additional services, etc.
  • How do we store your data? — Explain how data is stored, its location, and your security features. 
  • Marketing — What 3rd party companies you share data with, and the ability of users to opt-out!
  • What are your data protection rights? — You must inform users of their rights under GDPR:
      • The right to access – Users have the right to know what data you have
      • The right to rectification – Users can ask you to correct their data
      • The right to erasure – Users can ask you to completely erase their data
      • The right to restrict processing – Users can ask you to restrict data processing
      • The right to object to processing – Users have the right to stop you from processing their data altogether
      • The right to data portability – Users can ask you to send their data somewhere else
  • What are cookies? — Explain what cookies are. 
  • How do we use cookies? — Explain precisely how you use cookies. Keep you signed in, track your purchases, etc.
  • What types of cookies do we use? — You must explain every function used under your cookie policy. Functionality, advertising, etc.
  • How to manage your cookies — Give all users the ability to opt-out of any type of cookie functions. Explain how it might affect user experience on your site.
  • Privacy policies of other websites — Explain that your privacy policy doesn’t cover websites you hyperlink to.
  • Changes to our privacy policy — Provide the latest date you updated your privacy policy. Explain how and when you update your privacy policy.
  • How to contact us — Provide email, phone, and physical address.
  • How to contact the appropriate authorities — For the GDPR, this is the Information Commissioner’s Office (ICO), https://ico.org.uk/. But US companies should also include any other data privacy authorities that may cover their jurisdiction.

What revising your privacy policies means to your business processes

It stands to reason that before you revise your existing privacy notice to a privacy notice that outlines everything you promise to do, you need to have set up both the technical and business processes to be able to do what you say.

To anticipate the changes in purpose and legal basis that occur in data processing, you’ll need to walk through the timeline of all your business processes that involve the collection, processing, and retention of data — who has access to it and why. Then you can be clear about what needs to go into your privacy notices, terms and conditions, disclosures, opt-in boxes, etc.

Can I use legitimate interest as a lawful basis to collect and process data under GDPR?

Legitimate interest may sound ambiguous enough to slip in marketing or tracking cookies or pixels and justify it as a legitimate interest of your organization. However, remember the requirements above for consent? One of the requirements for obtaining consent is letting the user know precisely what your legitimate interest is if you plan on using legitimate interest as a legal basis for data collection. You need to do so in simple language and give them the right to object.

The bottom line here is that there is no sneaky way to get around being completely transparent and upfront with users about why you want their data from the very beginning. 

Can I use contract as a lawful basis to collect and process data under GDPR?

If you’re selling someone a product online, you’re going to need their credit card information. And if you’re delivering that product, you’ll need their address. So, you deliver the product and, for all intents and purposes, no longer need their address to complete the contract. Do you have to delete it?

Maybe you need to keep a record of their address for your accounting procedures. And since you must engage in proper accounting to be able to enter into valid sales contracts in the first place, you could argue that keeping and processing the address is necessary under the same legal basis. 

What happens to data you’ve collected when you’re done with it is still your responsibility

Let’s say the bank processing your customer’s credit card information needs their address to process the payment and also needs to hold onto the address to comply with laws that require the bank to keep this information. Has the legal basis changed? Yes, and you need to be aware of this.

The bank is a processor that got the address from you, the controller. And the bank has to process the data under a legal obligation. So, the legal basis for the bank, the processor, for holding onto the address that they got from you, the controller, is no longer Article 6(1)(b) contract but is now Article 6(1)(c) legal obligation. You, as the controller, have to anticipate this from the onset.

You can’t respond to a user’s request about their data if you don’t know where it is

This example supports the need for US companies to walk through their business procedures involving data and look at them in a new light. To stay in compliance, as the company in the data controller role (you collected the information in the first place), you need to walk through your data supply chain so that you know where the data you collect is held, who is processing it, and why. 

You must be able to respond to users’ requests regarding their data, and you can only do that when you know where their data is. Only then can you make sure that you are in compliance. Most companies will have to make some changes to how they collect, store, and process data to be able to comply with the GDPR. They will also most likely have to amend their data governance plan and data governance team.

Challenges for compliance with GDPR

One of the biggest challenges companies face in becoming compliant with the new data privacy regulations blazing around the globe is that much of the data collected, controlled, and processed today exists in unstructured storage, both on-site and in the cloud. That this data is also shared with 3rd party processors further complicates the issue.

Firms have to be able to locate and quantify the personal data stores they hold to minimize risk. You should only keep the data that is necessary for those business purposes that you can prove you have a valid legal basis for, as discussed above.

Penalties of non-compliance with GDPR

GDPR can impose some pretty hefty fines on data controllers and processors for non-compliance that can range from 10-20M Euros, or up to 4% of global annual revenue, whichever is higher. GDPR also establishes a private right of action for material or non-material damage caused by controllers or processors who violate the GDPR. 

For those of you who still think these fines won’t apply to you, know that the California Consumer Privacy Act (CCPA) fines are similar.

Other disadvantages of non-compliance with GDPR

Beyond penalties, the reasons for taking the GDPR seriously are that global consumers and B2B companies already expect you to. If you control or process data, your clients and business associates will be asking if you are GDPR compliant because they can get in trouble if you aren’t.

To put it bluntly, you could lose customers if you are not GDPR compliant. And you may lose trust. It’s harder to regain a customer’s trust than it is to get it in the first place. You want the PR for your brand to celebrate your accomplishments, rather than have to defend your missteps.

The advantages of complying with GDPR

In the long run, taking your company to GDPR compliance level is going to give you a much better understanding of where all the data is in your company. It will also help you become more effective and efficient in your business decisions. Your company will be more prepared to handle any data breach incidents. And you’ll be that much more ahead of the game when local privacy laws in your geographic region of governance take effect.

The upside of being GDPR compliant is that it can give you an edge in your industry, especially if you can beat your competitors to compliance. 

In today’s digital business climate, data privacy and security is a huge selling point for those leading the way. Consumer trust is a new realm of marketing that companies need to take seriously. Get a handle on your network infrastructure and business processes, and align yourself with compliant vendors and service providers. You’ll protect the market share you have now, and set yourself up to grow that share tomorrow. 


HIPAA Compliance Checklist for 2020

Check the pulse of your HIPAA program

Whether you’re just getting started creating a HIPAA compliance plan for your organization, or checking the pulse of your current HIPAA program, a road map is always helpful.

The HIPAA requirements are deliberately vague because they need to be flexible and scalable enough to apply to a broad range of health care companies and anyone those companies contract with. This HIPAA compliance checklist aims to do several things. 

  1. Introduce you to the language used in HIPAA so that you have a better grasp of the HIPAA Rules.
  2. Help you become more acquainted with the HIPAA rules and what they want you to do if you deal with Personal Health Information (PHI).
  3. Help you determine what areas your organization may need to focus on to become HIPAA compliant by providing a simplified checklist that can point your efforts in the right direction.
  4. Give you some additional tips on how to use the HIPAA Security Risk Assessment Tool to find weak areas in your HIPAA compliance program.

What is HIPAA trying to protect?

HIPAA wants to protect the security and privacy of patients’ Personal Health Information (PHI) that is used or shared in any form. When a patient’s Personal Health Information is in electronic form, it’s called ePHI. 

As most health information is digitally managed these days, the handling of ePHI is critical. HIPAA wants healthcare companies to completely protect any ePHI that’s collected, processed, transmitted, or stored, and make sure that patients can access it and amend it if it is incorrect or has become corrupted due to identity theft or errors. 

This Compliance Checklist will walk you through the more critical aspects of the HIPAA so that you can determine what areas your organization needs to work on to get in HIPAA compliance.

What’s the difference between a Covered Entity and a Business Associate under HIPAA?

A Covered Entity (CE) is any health care provider, health plan, or health care clearinghouse that creates, maintains, stores, processes or transmits PHI or ePHI. Most health care organizations do business with 3rd parties that provide a service or perform a specific function or activity for a company that may involve having access to ePHI. Under HIPAA, these 3rd parties are called Business Associates (BA). 

Before having access to ePHI, the Business Associate must sign a Business Associate Agreement (BAA) with the Covered Entity. While the ePHI is in the Business Associate’s possession, the Business Associate has the same HIPAA compliance obligations as a Covered Entity. 

Check the boxes of the statements you agree with:

□ We have identified all of our Business Associates (BA) and vendors.

□ We have Business Associate Agreements (BAAs) in place with all of our BAs.

□ We have satisfactorily assessed all of our BAs’ HIPAA compliance levels.

□ We monitor and revise our BAAs annually, and anytime there is a change in services.

□ We have Confidentiality Agreements in place with non-BA vendors.

The HIPAA Privacy Rule 

The privacy rule provides the standards for people who are allowed to have access to PHI and governs the use and disclosure regulations of any PHI. If your organization has contact with PHI in any way, you have to develop privacy procedures and policies that adhere to the privacy rule and use authorizations as instructed by the HIPAA. 

Use and Disclosure of PHI

□ We acquire and hold HIPAA authorizations for any uses and disclosures of PHI, which aren’t otherwise permitted by the HIPAA Privacy Rule.

□ Our authorizations are written in everyday, simple language (no legalese) and clearly explain the precise uses and disclosures of PHI.

□ Our authorizations accurately describe to whom we will disclose PHI.

□ Our authorizations include an expiration date.

□ Our authorizations are signed and dated by the patient.


Individuals’ Access to PHI

□ We have procedures for providing patients with access to their health information.

□ At an individual’s request, we provide access to and copies of their PHI.

□ We provide copies of an individual’s PHI in the format of their request.

□ We respond to an individual’s request for copies of any PHI within 30 days.

□ Our fees charged for requested copies of PHI by an individual are cost-based.


Notice of Privacy Practices (NPP)

The Privacy Rule gives people the right to information about an organization’s privacy practices. The HIPAA refers to this as Notice of Privacy Practices (NPP). While Covered Entities can use templates for their Notice of Privacy Practices, the notices should be customized to your organization.

□ We have created and customized a Notice of Privacy Practices (NPP).

□ We have provided a copy of our NPP to all patients.

□ All patients have confirmed in writing that they’ve received a copy of our NPP.

□ We have posted an NPP in a visible and prominent location on our website.

□ We have posted an NPP poster in a visible and prominent location visible to patients in our facility. (If applicable.)

□ We have procedures in place and have trained staff for dealing with complaints and any failures on our part to comply with our NPP.

The HIPAA Security rule 

The Security Rule requires entities to evaluate risks and vulnerabilities and implement reasonable and appropriate security defences to protect against anticipated threats to the security and integrity of ePHI. There are three elements to the HIPAA Security Rule:

  • technical safeguards 
  • physical safeguards 
  • administrative safeguards

These are areas that you need to assess yourself, with an understanding of what could go wrong in any of the technical, physical, or administrative functions of your organization that could make ePHI vulnerable to a breach. You’re basically looking at your IT setup, your office setup, and your staff policies. 

HIPAA Technical Safeguards § 164.312

Technical Safeguards concern the technology used to both provide access to ePHI and protect it. The HIPAA won’t tell you how to prepare for compliance, but it will show you what outcome it expects. 

Access control

This section deals with who has authorization to access PHI. 

□ We have an identity management and access controls plan in place.

□ We assign unique IDs to all individuals authorized to access ePHI.

□ We can confirm that access to ePHI is restricted to authorized individuals only for the purposes of their employment duties.

□ We vet all employees before providing authorization to access ePHI and can confirm authorization is appropriate.

□ We have procedures in place to terminate an employee’s access to ePHI if their position changes or they leave our company.

□ We have procedures in place to recover all devices and media holding ePHI if an employee’s position changes or they leave our company.


Audit logs  

Track all users who access ePHI on your systems and monitor all activities and systems involving ePHI at all times.

□ All of our uses and disclosures of PHI/ePHI are limited to the minimum amount of PHI necessary for the purpose the PHI/ePHI is disclosed. 

□ Our systems are set to log out any user after a period of inactivity automatically.

□ We have created ePHI access logs and monitor them consistently.

□ We have created ePHI access logs that track successful and unsuccessful login attempts. 

□ ePHI access logs are monitored consistently for unauthorized access to ePHI.


Integrity 

Protect ePHI from being destroyed or altered in any way, and be able to tell if it has been.

□ We have controls in place to protect ePHI from being altered or destroyed unless authorized.


Transmission Security 

Make sure all ePHI – whether at rest or in transit – is encrypted to NIST standards once it moves outside your organization’s internal firewalled servers — so that patient data is unreadable, undecipherable, and unusable by any unauthorized employees or 3rd party contractors. Prevent unauthorized access to ePHI over any network communications such as public Wi-Fi.

□ We have assessed whether encryption of ePHI is necessary.

□ If encryption of ePHI is unnecessary, we have instead employed alternative and equally effective means to secure the integrity, confidentiality, and availability of all ePHI.

□ We have controls in place during electronic transmission to safeguard against any unauthorized access of ePHI.

□ We have documented our decisions regarding encryption and electronic transmission safeguards.


HIPAA Physical Safeguards § 164.310

Physical standards are designed to protect storage media and the physical places where ePHI is held in an organization.

□ We have procedures in place for the secure disposal of ePHI and PHI.

□ We have procedures in place to make physical PHI forever unreadable upon disposal.

□ We have procedures in place to permanently delete all ePHI stored on devices being prepared for disposal.

□ All devices that hold ePHI and PHI are secure at all times.


HIPAA Administrative Safeguards § 164.308

This section deals with your staff, employees, and any workforce member that comes into contact with ePHI, whether from your office or a 3rd party contractor. It also requires you to designate a Security Officer.

Assigned security responsibility 

You need to designate a security official who will conduct risk analyses, monitor audit logs, train the workforce, manage security incidents, and update policies and procedures.

□ We have a designated HIPAA Security Officer.


Security awareness and training

Have a required security awareness training program for all employees.

□ All employees attend annual HIPAA training.

□ We keep documentation to substantiate that all employees attend annual HIPAA training.

□ All staff have received Security Awareness training.

□ We keep documentation to substantiate that all employees have received Security Awareness training.

□ We provide staff with periodic updates to reinforce Security Awareness training.


Contingency plan 

These are guidelines for emergencies.

□ We have a contingency plan set up for emergencies.

□ We have developed procedures for responding to emergency situations.

□ We keep an updated exact copy backup to recover all ePHI in the event of a disaster.

□ We have procedures in place in the event of operating in emergency mode to ensure that all critical business processes function.

□ Our contingency plans are updated and tested at regular intervals.


Security incident procedure

Security incidents require a response and reporting whether or not there is a data breach. You need to set up a system to audit and track any security events.

□ We have procedures in place for any security incidents and data breaches.

□ We have the capability to conduct and record investigations of all security incidents.

□ We are able to report all breaches or incidents.

□ Our employees can anonymously report any privacy or security incident and any potential HIPAA violation.


HIPAA Breach Notification Rule 

The breach notification rule applies to unsecured ePHI, which is not encrypted and not destroyed, rendering it usable and readable. (The HHS states that encryption and destruction are the only two methods that will render ePHI unusable, unreadable, and undecipherable.)

□ We have policies and procedures in place under HIPAA Privacy, Security, and Breach Notification Rules.

□ All employees have read and legally attested to the HIPAA policies and procedures.

□ We have documentation of all employees’ written legal confirmation of the HIPAA policies and procedures.

□ We keep documentation for our annual reviews of our policies and procedures.


Audits

Covered Entities and Business Associates must conduct their own periodic audits. There are six required annual self-audits for businesses. There are five required annual self-audits for Business Associates. 

These audits are entirely self-conducted by Covered Entities and Business Associates. Only the Security Risk Assessment (SRA) has any guidelines in the form of an available tool on the HHS site. All other audits are up to you. Links are provided to the relevant rules for your reference.

□ We have completed the six annual audits required by the HIPAA compliance program. 

□ Security Risk Assessment (SRA)

□ Security Standards Audit — Self-audit against the HIPAA Security Rule.

□ Asset and Device Audit — List all devices that hold ePHI and who uses them.

□ Physical Site Audit

□ HITECH Subtitle D Audit

□ Privacy Assessment (Not required for BAs) — Self-audit against the HIPAA Privacy Rule.

□ We have proof that we have conducted the six annual audits and assessments for the past six years.

□ We have identified any and all gaps revealed in the self-audits.

□ We have documented all areas with deficiencies or gaps.

□ We have created a remediation plan to correct any and all deficiencies or gaps found in the audits and risk assessments.

□ Our remediation plans are fully documented in writing.

□ We review and update our remediation plans annually.

□ We keep copies of our yearly remediation plan for six years.

What is a HIPAA Risk Assessment? 

A risk analysis can help you establish the safeguards you need at your organization to protect patient data and comply with the HIPAA. This will allow you to identify risk and develop and put in place administrative safeguards and protections such as office rules and procedures that keep ePHI secure under the HIPAA Security Rule. 

The US Department of Health & Human Services (HHS) offers guidance on risk self-assessment on its website as well as a Security Risk Assessment (SRA) Tool that you can download to guide you through the risk assessment process. 

The SRA Tool walks you through potential threats and vulnerabilities and gives recommendations based on standards identified in the HIPAA Security Rule. Keep in mind that the SRA Tool only provides scoring in terms of risk, not compliance. Also, the SRA Tool is only available for Windows. (There’s an older version of the HHS SRA Tool for iPad in the App Store.) 

How does a HIPAA Risk Assessment work?

A HIPAA Risk Assessment helps you identify any potential risks to the PHI that your company holds, transmits, creates, or receives from another party. It walks you through the required actions that you must be able to perform to be in compliance. It also helps you identify areas or gaps in security that you need to upgrade. The risk assessment for ePHI wants you to focus on several areas:

  • Storage, processing, and transmission
  • Potential threats and vulnerabilities
  • Current security measures
  • Proper use of security measures

It then asks you to make determinations based upon your assessment:

  • What’s the likelihood of a reasonably anticipated threat?
  • What’s the potential impact of a data breach involving ePHI?
  • What are the risk levels for vulnerability and impact?
  • What actions can be taken to improve the security features to mitigate any threats, breaches, or vulnerabilities?

HIPAA recommends that you perform risk assessments annually and anytime you implement new work procedures, update systems, or redesign programs.

Disclaimer: This checklist is merely a guide to direct you toward what you may need to work on to achieve HIPAA compliance. Completing this checklist does not in any way mean you are HIPAA compliant, nor does it give legal advice. Consult a HIPAA compliance professional to ensure your organization achieves and retains HIPAA compliance.