On April 14, 2016, the European Union formally adopted a new scheme – known as the EU General Data Protection Regulation (GDPR) – to protect the personal data of European residents. The GDPR will enter into force in May 2018, replacing the EU Data Protection Directive 95/46/EC. The GDPR is significantly more onerous than the Directive, seeking to enhance data privacy protections for Europeans. US health care organizations processing Europeans’ personal data should start preparing now for compliance.
US health care companies that may come into contact with personal data belonging to EU data subjects should carefully consider whether they will be subject to the GDPR. Unlike the Directive, the GDPR will also apply to organizations outside the EU where the organizations’ personal data processing activities relate to goods and services offered to individuals in the EU or to the monitoring of such individuals’ behavior. This means that US health care companies marketing health care goods and services to European residents may be subject to the GDPR.
Arent Fox partner Sarah Bruno and associate Eva Pulliam recently published an alert explaining what businesses need to know about the GDPR. And on March 14, 2016, the UK Information Commissioner’s Office issued useful guidance on steps organizations can take to prepare for the GDPR. These resources can help all companies – including health care companies – in determining what level of exposure they have under the GDPR and what measures they should take for compliance.
Arent Fox’s Health Care group and Cybersecurity & Data Protection group will continue to monitor the GDPR and its potential impact on the health care industry. If you have any questions or need assistance on the topic covered here, please contact Sarah Bruno or Jade Kelly in our San Francisco office, Tom Jeffry in our Los Angeles office, Bill Tanenbaum in our New York office, Sam Cohen in our Washington, DC office, or the Arent Fox professional who normally handles your matters.