Data Storage and The General Data Protection Regulation (GDPR)


When it comes to storing data, there is a familiar unfamiliarity to it. Everybody needs to store data, but no one truly understands where it is being stored or what the stored data is being used for. In the healthcare industry, one of the most important data topics is Clinical Data Storage. Clinical data is growing exponentially, and how this data is stored, accessed, and distributed is a big topic that should be discussed. There are lots of changes going on regarding the regulation of data and how companies access user data. A new law called the General Data Protection Regulation, or GDPR, was implemented on May 25th. Let’s talk about what it entails and what it means for companies.

For example, big companies like Google and Facebook have access to arguably the largest amount of consumer data. These companies have pretty much had access to their consumers’ data and have been able to use it however they want, such as to target ads, sell to other companies, or create behavioral patterns.

Now implemented, the General Data Protection Regulation (GDPR) restricts how companies use this data and how much of a consumer’s personal data a company can have access to. Basically, the law focuses on ensuring that users know, understand, and give consent to the data being collected from them and what that data might be used for. It states that companies must be concise and clear about their collection and use of personal data such as full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones.

Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.

The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere. That means GDPR will apply to companies all over the world so long as they have customers in Europe.

For example, the law says on its website that a social network will have to comply with a user request to delete photos the user posted as a minor — and inform search engines and other websites that used the photos that the images should be removed. The commission also says a car-sharing service may request a user’s name, address, credit card number, and potentially whether the person has a disability, but can’t require a user to share their race. (Under GDPR, stricter conditions apply to collecting “sensitive data,” such as race, religion, political affiliation, and sexual orientation.)

In the past, companies have been able to monetize consumer data and use it however they want, and consumers have had to go through the burden of opting out. This law now states that consumers should have the freedom to opt in instead. The General Data Protection Regulation (GDPR) hopes to change the terms-of-agreement culture, where consumers just mindlessly click “I agree,” and make it a more conscious decision.

Penalties for Violating The General Data Protection Regulation (GDPR)

Companies that violate the GDPR could face fines of up to 4 percent of annual global revenue. For Facebook, that would be $1.6 billion; for Google, $4.4 billion. Most of the data rights enshrined under GDPR were already established in the EU but went unenforced. GDPR standardizes data rights across all EU countries, empowering regulators with the same big stick and sharper teeth.

Criticism and Pushback of The General Data Protection Regulation (GDPR)

The GDPR has had its share of pushback from naysayers and detractors, who dismiss GDPR as more protectionism from the EU, which has challenged American tech platforms on antitrust and privacy grounds with expensive consequences. Then there are concerns about cost. Colclasure from Acxiom calls the data industry the backbone of “free content and free knowledge” online. “It’s either hit a paywall or these sites are ad-supported for the most part,” she says. There are also potential loopholes in the law. It allows businesses to process personal data without consent for limited reasons, including a business’s “legitimate interests,” which the European Commission says includes “direct marketing” through the mail, email, or online ads.

However, even then companies must take into account a consumer’s expectation of how their data will be used and can’t infringe on the other consumer rights guaranteed under GDPR. In the digital realm, EU consumers also have the added protection of a companion set of rules, called the ePrivacy Directive, that govern electronic communication. Under those rules, which are in the process of being ratified into law, consent is the only legal basis for collecting personal data.

In summary, the government is pretty much trying to put some regulation in place for the digital, data-driven private sector, which is growing rapidly. These regulations are supposed to help consumers and users and protect the general population against big companies whose only aim is making a profit and increasing value for the shareholders. However, there is reason to give a little attention to the critics of these laws, even if only for the sake of having a discussion. What works is having a healthy balance between a free market and government regulations that have the protection of the people as a priority.