What is GDPR?
The main thinking behind the General Data Protection Regulation (GDPR) is to bring data protection legislation up to speed with new ways of using personal data. It’s important to note that the UK will still be bound by this EU regulation even after Brexit, so it’s essential that all businesses in the digital sphere are aware of it and act accordingly. Essentially, the new regulation makes data protection rules largely the same throughout all EU countries and gives the public much more say over how their personal data is stored and what it can be used for. The hope is not only to tighten up security and accountability around the data but also to build trust between the public at large and modern, technologically advanced organisations.
At present, the UK bases all its data protection legislation around the Data Protection Act 1998; however, when the new GDPR rules come into force on 25th May 2018, this Act will no longer apply. Non-compliance carries fierce financial penalties, so it’s vital that companies have everything considered and implemented long before the deadline. Indeed, in the high-speed, data-obsessed world we now live in, pretty much every company and small business in the UK will be affected by this in one way or another.
So who does the GDPR apply to?
Almost every company and organisation you can think of – that’s why it’s such an active topic. In essence, anyone who ‘processes’ or ‘controls’ data needs to take heed and act in accordance with the GDPR rules. For reference, a data controller decides how and why personal data is processed, while a processor is a party doing the actual processing of it. Even if controllers and processors are in countries outside of the EU, the GDPR will still apply to them as long as the data they’re handling belongs to EU residents.
So where does digital health fit into all this?
There is no doubt that the new GDPR regulations will have a far-reaching effect on all sorts of areas of digital health, across websites, apps and programs in particular.
One of the hottest items out there in the digital health world at the moment is the FitBit. The whole point of the FitBit is that it helps the user to lose weight by keeping track of what they eat and how much exercise they do each day. Food, activities and weight are logged over time, whilst calorie intake and burn-off are accurately measured when app users keep their tracker on. However, the app can also be used as a simple lifestyle app without wearing the tracker.
Since the company’s stock began trading in June 2015, FitBit trackers can be synced to smart devices via Bluetooth or uploaded to a device using the Bluetooth USB dongle. There is also a social element to it where users in the ‘community’ can challenge themselves and compete against other people.
FitBits and other similar products such as digital health apps are popular and widely used in fitness classes and weight loss groups. They are also sometimes incorporated into workplace wellness programs, with the thinking that colleagues can egg each other on and share their achievements. However, here’s the rub: after May 2018, much stricter rules around the collection and sharing of such data will come into force. Furthermore, the regulation dictates that anyone wishing to have their profile or data wiped, if it is not being used for the original purpose, should be able to have that request fulfilled. This is known as the ‘right to be forgotten’, meaning that data should also be erased if a user has withdrawn their consent for their data to be collected, or objects to the way it is handled. In the case of a workplace giving out health trackers such as FitBit devices, it must also be proven that the employee’s use of them is voluntary and that they weren’t forced into it.
To sum up, the GDPR rules are very specific about health data use and, as we can see, the GDPR affects a broad spectrum of data within the health category. Digital health companies investing in such fitness tracker apps and technologies will likely need to invest heavily in their infrastructure, policies and protocols going forward to stay on the right side of the rules. GDPR itself does not penalise an organisation for collecting data; rather, it is how that data is collected, stored and used that will be subject to much tighter scrutiny.