Experts say that the different interpretations of the EU General Data Protection Regulation (GDPR) is causing a slowdown in innovations. A GPonline report by general practitioner Pablo Martin revealed that regulations surrounding information collection, sharing and storage can be understood differently. This is expected to risk the development of new technologies, especially in clinical commissioning groups (CCGs).
The GDPR is touted as the “most important change in data privacy regulation in 20 years.” It widened the territorial scope of the regulations pertaining to info privacy. This makes it applicable to companies outside Europe as long as they deal with info of subjects residing in the EU. It also set penalties, defined consent related to patient information and outlined the rights of subjects.
Martin remarked that the GDPR, which took effect in May 2018, affects the creation of new clinical data processing methods. He cited two segments of the GDPR that causes confusion.
He explained that Article 5.1 of the GDPR says that info must be “processed in a manner that ensured appropriate security of the personal data” with the use of “appropriate technical or organizational measures.” Security includes “protection against unauthorised or unlawful processing.” This also covers “accidental loss, destruction or damage.”
The GP noted that this portion of the regulation does not state “specific details preventing the use of personal devices.”
Meanwhile, Article 7.1 notes that processing based on consent requires “controllers [to] demonstrate that the data subject has consented to the processing” of his or her personal info. Like in the first example, this part does not specify the need for written consent.
Martin said that confusion arises when an organization covered by a specific CCG creates customized ways to process, store and share information. According to him, the organization will not be able to defend itself if its CCG decides to advise against the particular method the organization used despite complying with the provisions in the GDPR.
In addressing this issue, the GP said that flexible and open discussions are needed when tackling the development of new methods to process data. With the vagueness of some parts of the regulation, Martin said that authorities such as CCGs should be open to variations in implementing solutions that still comply with the GDPR.
The GP said that both patients and medical professionals will be able to benefit from such openness and flexibility.