Why data sharing matters under GDPR - accountability and fines
If you share data with a third party, you can still be held accountable and fined. What can you do to minimise the risks?
GDPR places a heavy emphasis on accountability - the reality is that we all have a duty to ensure that data protection isn’t just a box-ticking exercise, but a core part of our operations. This responsibility extends not only to your company but also to any third parties you share data with.
We saw this last month, when the ICO imposed a £6.09M fine on OneAdvanced having found that they “failed to implement measures to protect personal information” after they fell victim to a cyber attack impacting the NHS in 2022.
Data sharing in health
The principle of accountability is particularly important in healthcare given the sensitive nature of the data involved. It means that digital health companies must not only implement robust security measures but also ensure that any third parties they collaborate with are held to the same high standards.
The data breach impacting Scottish NHS staff announced in late August stemmed from a (yet to be named) third party supplier / software company to the NHS. We have yet to see what the fallout will be.
How to share data safely under GDPR
The ICO’s Accountability Framework outlines several key measures that digital health companies should adopt when it comes to contracts and data sharing. Here are some ways to meet expectations under GDPR:
1. Due Diligence on Third Parties
When sharing personal data with third parties, such as service providers or vendors, conducting thorough due diligence is essential. This ensures that the third parties have adequate security measures and data protection practices in place. Here are some considerations:
- Vendor assessment: Before entering into a data-sharing arrangement, assess the third party’s compliance with data protection regulations, such as GDPR. Look at their policies, certifications (e.g., ISO 27001), security measures, and their history of data breaches, if any.
- Data Protection Officer (DPO) consultation: Engage your DPO or legal team to verify that any potential third-party partner follows best practices for data protection and maintains an adequate legal basis for processing data.
2. Data Sharing Policies and Procedures
Before engaging in new data processing activities or high-risk data sharing, organisations must perform Data Protection Impact Assessments (DPIAs). This helps identify, assess, and mitigate any risks to personal data privacy.
- DPIAs: Conducting a DPIA is a GDPR requirement for processing that is likely to result in a high risk to individuals' rights and freedoms. These assessments evaluate how data is processed, who has access, and the potential impact of a data breach.
- Transparent policies: Establish clear, well-documented data-sharing procedures and policies within the organisation. These policies should outline when data can be shared, with whom, and the security measures required.
- Risk management: For high-risk processing activities (e.g., large-scale data processing, sensitive health data), put in place robust measures to mitigate risks, such as encryption, anonymisation, and access controls.
3. Clear Contractual Obligations
Contracts with third-party processors must include clear data protection obligations to ensure accountability and compliance. This involves setting out specific terms related to the handling, processing, and security of personal data.
- Data Processing Agreements (DPAs): Under GDPR, a comprehensive DPA should be in place for all processors. This agreement must include details such as the nature and purpose of the processing, the types of personal data involved, and the processor’s obligations to keep data secure, report breaches, and return or delete data at the end of the contract.
- Processor responsibilities: The contract should explicitly outline the roles and responsibilities of the data processor, including their obligation to act only on the data controller’s instructions, protect personal data, and allow for audits.
- Sub-processors: If the processor intends to engage sub-processors, this must be communicated to and approved by the controller. The sub-processors must also be bound by the same obligations.
4. Regular Audits
Regular audits are essential for maintaining compliance with data protection laws and ensuring that third parties are fulfilling their contractual obligations with respect to data processing.
- Internal audits: Organisations should periodically review their data-sharing agreements and ensure that third parties are complying with the data protection terms set out in contracts.
- External audits: When dealing with vendors and third-party processors, external audits may be required. These can include reviewing security certifications, conducting penetration testing, and inspecting reports on data breaches or incidents.
- Monitoring and reporting: Ensure that there is a mechanism in place to identify and report non-compliance. A system for logging, tracking, and resolving issues should also be part of the audit process.
5. Data Minimisation & Purpose Limitation
Under the principle of data minimisation, companies must ensure they collect and share only the data necessary for a specific purpose. This limits the risk exposure in case of a data breach or misuse.
- Purpose limitation: When sharing data, clearly define the specific purpose for which the data will be used. The GDPR mandates that personal data should only be processed for legitimate purposes, and once the purpose is fulfilled, the data should either be deleted or anonymised.
- Minimisation strategies: When possible, share aggregated or anonymised data rather than individual-level data. Limit the scope and volume of personal data being shared, and avoid sharing sensitive data unless absolutely necessary.
- Data retention policies: Implement strict data retention and disposal policies that ensure personal data is not kept longer than necessary. This includes ensuring that third parties do not retain data for longer than specified in the contract.
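The three bullets above map directly onto engineering controls that can be enforced in code at the point where data leaves your systems. The following is an added illustration written for this page, not code from the article or from Assuric: it assumes a purpose-keyed field allowlist, an HMAC-based pseudonym (with a constructed demo key), small-count suppression for aggregated exports and a per-contract retention period, all invented for the example, and it runs over constructed sample records rather than real patient data.

```python
"""Data minimisation, purpose limitation and retention checks for a third-party export.

Added example for illustration only. Records, key, purposes and retention
periods are all constructed for the demo; none come from the article.
"""
from datetime import date, timedelta
import hashlib
import hmac

# Purpose limitation: each agreed purpose names the ONLY fields a third party
# may receive. Anything not listed (name, NHS number, diagnosis, ...) never
# leaves the organisation. These purposes are hypothetical.
PURPOSE_ALLOWLIST = {
    "appointment_reminders": {"patient_id", "appointment_date", "clinic"},
    "service_planning": {"postcode_area", "age_band", "clinic"},
}

# Constructed demo key. In production this would live in a secrets store and
# be rotated; it exists so pseudonyms are stable for a given partner but
# cannot be reversed or re-linked by anyone without the key.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"

TODAY = date(2024, 9, 10)  # fixed "today" so the example is deterministic

# Constructed sample records (synthetic, not real people).
RECORDS = [
    {"name": "A. Example", "nhs_number": "0000000001", "dob": date(1980, 5, 2),
     "postcode": "EH1 1AA", "clinic": "Leith", "appointment_date": "2024-10-03",
     "diagnosis": "synthetic"},
    {"name": "B. Example", "nhs_number": "0000000002", "dob": date(1982, 1, 15),
     "postcode": "EH1 2BB", "clinic": "Leith", "appointment_date": "2024-10-04",
     "diagnosis": "synthetic"},
    {"name": "C. Example", "nhs_number": "0000000003", "dob": date(1978, 11, 30),
     "postcode": "EH1 3CC", "clinic": "Leith", "appointment_date": "2024-10-05",
     "diagnosis": "synthetic"},
    {"name": "D. Example", "nhs_number": "0000000004", "dob": date(1995, 6, 20),
     "postcode": "G1 1DD", "clinic": "Glasgow", "appointment_date": "2024-10-06",
     "diagnosis": "synthetic"},
]


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: the partner can match records, but cannot recover the identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, today: date) -> str:
    """Coarsen a date of birth to a ten-year band (a minimisation step)."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(record: dict, purpose: str, today: date = TODAY) -> dict:
    """Return only the fields the agreed purpose needs; refuse unknown purposes."""
    if purpose not in PURPOSE_ALLOWLIST:
        raise ValueError(f"no agreed data-sharing purpose: {purpose!r}")
    # Derive every shareable field first, then keep only the allowlisted ones.
    derived = {
        "patient_id": pseudonymise(record["nhs_number"]),
        "appointment_date": record["appointment_date"],
        "clinic": record["clinic"],
        "postcode_area": record["postcode"].split()[0],  # outward code only
        "age_band": age_band(record["dob"], today),
    }
    return {k: v for k, v in derived.items() if k in PURPOSE_ALLOWLIST[purpose]}


def aggregate(records: list, today: date = TODAY, min_count: int = 2) -> dict:
    """Aggregate for service planning and suppress cells smaller than min_count.

    Small cells can single out an individual, so they are dropped rather than shared.
    """
    counts: dict = {}
    for r in records:
        m = minimise(r, "service_planning", today)
        key = (m["postcode_area"], m["age_band"])
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= min_count}


def retention_expired(shared_on: date, retention_days: int, today: date = TODAY) -> bool:
    """True once a shared dataset has outlived the retention period in the contract."""
    return today > shared_on + timedelta(days=retention_days)


if __name__ == "__main__":
    print(minimise(RECORDS[0], "appointment_reminders"))
    print(aggregate(RECORDS))
    print(retention_expired(date(2024, 1, 1), 90))
```

The allowlist is deliberately positive (fields you may share) rather than negative (fields to strip), so a new column added to the source record is withheld by default until someone consciously adds it to an agreed purpose. The retention check is the piece you would schedule against the contract register so that data held by a processor past its agreed period is flagged for deletion.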
Integrating these measures into your data sharing practices might seem daunting! But it’s essential not only to comply with the law but also to build trust with your customers and partners, protecting both their data and your company’s reputation.
How Assuric can help
Assuric is a platform built from the ground up for digital health companies to manage compliance against GDPR and achieve the highest standards of data protection, including:
- Conducting third party due diligence
- Completing Data Protection Impact Assessments (DPIAs)
- Producing and reviewing data sharing agreements including Data Processing Agreements (DPAs)
- Creating a robust data protection strategy to meet the ICO's expectations for purpose limitation, retention and minimisation.
If you have questions on your current practice or how you can improve then get in touch!
Companies of all sizes use Assuric to deploy impactful health technology into the NHS and further afield.