GDPR, One Year On: Implications for the Healthcare Industry

Editor’s Note: How personal data is handled, and how individuals can better control its use, have become increasingly important topics in a wide variety of industries. It is hard to imagine any industry where personal data are more sensitive than Healthcare. The introduction of GDPR last year has contributed greatly towards raising the visibility of data privacy, not only in the EU, but around the world. Here, Matteo Cappai and Whitney Wells of Ipsos discuss the implications of GDPR for Healthcare, one year on.

---

Imagine that you have a family history of heart attacks. They’re preventable but hard to predict. In the future, your doctor’s Artificial Intelligence (AI) could do predicting with access to your integrated care records. The AI would see increased blood pressure via your wearable, notice your ‘smart pill’ wasn’t ingested, and link to recent scans. The AI would passively track; when the time came, it would alert your doctor, who would book you in for preventative surgery. 

Would you want this future? We would sign our families up in a heartbeat- pun intended.

Now imagine a more domestic future. You have installed your first smart fridge. It has great features, re-ordering when you run out, sharing consumption with your doctor’s AI for care tailored around your diet. You love the benefits until you receive a letter that you were taken off the liver transplant list; your doctor’s AI flagged your alcohol consumption. Your daughter’s expensive insulin pump was confiscated because of the sweets your fridge ‘tattled’ about.

Would you still want this future…?

While these thought experiments may seem extreme, they are in fact already being discussed. Electronic Health Records (EHRs) are being linked together with Blockchain by companies such as Hu-manity, Embleema, and Betterpath. Doctors are reviewing data from wearables, and medication is available in Smart Pills like Abilify MyCite. 

What Does This Have To Do With GDPR?

As we head towards greater integration of our data, it becomes increasingly important for patients to have greater control over their data, greater ability to determine how their data are being shared, and a clearer understanding of how they will benefit. GDPR is a key element of this.

Now that we are one year on from GDPR, what changes have we seen since its passage? Based on recent research conducted by Ipsos and other organizations, we can see some emerging trends.

We Are More Aware of Our Data Rights in General

While many of us may still be unable to name all the different platforms and companies that use our personal data, March 2019 statistics from the EU Commission show that the public has become increasingly aware of our data rights in the year since GDPR was introduced. Their data show that 67% of European citizens are aware of GDPR and, in the UK alone, this percentage climbs to 71%.

It would appear that individuals are not only becoming more aware of the legislative framework but also of their rights, and therefore how to exercise those rights. A May 2019 infographic from the European Data Protection Board shows that EU Data Protection Authorities (DPAs) have received a total of 144,376 complaints or requests for more information about GDPR since May 2018. At the same time, companies have reported 89,271 data breaches to data authorities since May 2018. 

Of course, this was one of the main aims of GDPR: to give individuals more rights and control over their personal data. Clearly, individuals are starting to benefit from the new legislation, exercising their data subject rights and holding companies accountable for the personal data in their hands.

We Have Preferences About Who We Trust With Our Data and for Which Purpose

According to a global study conducted by Ipsos and the World Economic Forum at the beginning of this year (Global Citizens and Data Privacy), 1 in 2 consumers across the markets surveyed would agree to allow companies to use the personal data they collect if they themselves were paid or rewarded. In a more recent Ipsos study focused on the UK (GDPR One Year On), we found that almost five in ten (47%) adults in the UK agree that they trust companies who let them control who their personal data are shared with. This increased to 6 in 10 among those aged between 16-24. 

Companies that have been embracing the principles of privacy by design and by default, as ushered in by GDPR, are equipped to mitigate the risks considered high level by the public. By using simple techniques such as anonymization, pseudonymization, and encryption, companies can greatly reduce the risk of data breaches and be recognized as trustworthy by the public. For example, a study conducted by Asthma UK in early 2018 – Data sharing and technology – reported that:  

• ‘88% of people with asthma in England would be willing for their confidential health data to be used for service improvement’
• ‘94% of people with asthma in the UK would be willing for their anonymized health data to be shared with an analytics company to develop a tool to target people particularly at risk of an asthma attack.’

We Are Seeing New Legislation Beyond GPDR

2018 saw GDPR steal the scene as the main new character of the data protection world, but it wasn’t alone. There are other data protection bills that have either been proposed in 2018, amended or approved – for example, India’s Personal Data Protection Bill and Canada’s PIPEDA, with Brazil’s General Data Protection Law and California’s Consumer Privacy Act both coming in to force in 2020. 

What Are the Implications for the Healthcare Industry?

The introduction under GDPR of mandatory privacy notices – that must include information such as processing purpose, whom the personal data will be shared with, data retention, data processing location, individuals’ rights and most importantly how to exercise those – can only help us to gain more trust from the public.

We know from Ipsos’ Global Citizens and Data Privacy research that only 1 in 3 adults globally have a good idea of what data companies hold about them and what they do with it. Moreover, only four in ten (41%) believe that companies have become more transparent about how they use consumers’ data.  

Clearly, transparency is critical. Although at the beginning we may have been tempted to see GDPR as a disruption or even a burden, we as an industry need to recognize that by complying with GDPR we finally have the tools to offer individuals that transparency around personal data they consider so paramount. In our view, GDPR was not introduced a moment too soon. As we move in exciting new directions, we can’t forget the importance of keeping control of patient data safely in the hands of the patient.