Processing sensitive data like healthcare is risky. In the case of violations of rules, Data Controllers can incur civil, administrative, and, in some states, even criminal sanctions. Depending on how Apps and services are distributed, Data Controllers can be represented by different figures. For example, in the case of mHealth Apps distributed on Marketplaces, the Controller is often the CEO of the company that distributes the app.
GDPR fines
The current EU Data Protection Directive (Dir. 95/46/EC) defines only generic obligations and does not identify sanctions in case of violations. Such an approach leaves to the Member States the decision to implement the law and define sanctions (administrative, criminal, civil) to be imposed in case of violations.
In Italy for example, in case of violations (e.g. accidental destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed in connection with the provision a service available to the public) Data Controllers may incur an administrative penalty imposed by the Data Protection Authority or a judge, and will have to compensate the damaged party if they can't prove that they have taken all the necessary measures to prevent it. However, even in the case of accidental violations, authorities can decide to impose sanctions based on the level of damage that has been made.
In the event of a security breach, currently, there are no obligations of notifications to the users.
In the event of unlawful data processing, the Authorities can impose administrative penalties that can reach up to 2% of the company's world annual turnover.
How GDPR fines are calculated
The amount of the penalty is calculated based on the following criteria:
- Nature, severity, and duration of the infringement.
- Intentionality or not of the violation.
- Degree of responsibility of the Data Controller and sanctions and that he has received in the past.
- The technical and organizational security measures.
- Degree of cooperation with the Authority to remedy the violation.
The penalties may go up to € 500,000 or 1% of the gross annual turnover and will be applied to those who hold one of the following conduct:
Do not provide access to or the possibility of correcting information from Data Subjects, or do not provide the requested information in a complete and transparent manner.
Do not respect the "right to be forgotten" or cancellation, do not provide mechanisms for compliance with the terms regarding the response to Subjects' requests, or not defines clearly the co-responsibility with third parties for the data processing and sharing;
Do not maintain appropriate documentation.
Do not provide a copy of the data in an electronic form or in a form that is impossible to transfer to third parties.
Do not comply with the rules on freedom of expression or processing data in employment relations or conditions to treat with historical, statistical and research.
Those who instead commit any of the following violations may be sanctioned up to € 1 million or 2% of the annual turnover worldwide:
Acquisition of personal data without a proper legal basis or without consent;
Treatment of special categories of data (for example, health data or regarding the submission of the individual to convictions) in violation of the rules governing that particular type of treatment;
Violations of policies related to profiling;
do not adopt policies for the internal management of data or identification of a person liable for treatment;
To process data in ways obviously not appropriate;
failure to timely notify to the supervisory authority and to the Data Subjects of a data breach;
Unlawful use of a seal related to data protection;
Transfer of data to third countries or organizations in the absence of adequate decision and guarantees;
Not obeying to a prohibition from an authority;
Not obeying to rules on professional secrecy.
A novelty of the Regulations that is creating a big debate is the notification in case of the data breach to National Authorities without delays. The responsible data controller or processor must communicate the nature of the breach, the consequences of the breach, and the measures proposed and taken to stem the damage. Controllers and Processors shall also notify the Data Subject even only if the breach is likely to cause damage to his private life or there is a risk of violating his data.
Policy enforcement in Italy in 2014
Inspections of national Data Protection authorities are usually scheduled on a six-month basis. It aims to identify the data processing to be ascertained, and this activity is added to control initiated by reports and complaints received by associations, organizations, and individual citizens. In 2014, the authorities announced that the administrative penalties totaled 577. The main complaints were caused by non-collecting appropriate consents, illegal data processing, and missed communications of data breaches to the authorities and users.
If the new GPDR was in force, the investigated parties would be responsible, especially for the most serious violations.
Among all violations, 39 were sent to the judicial authorities for criminal behaviour. These data show that Data Controllers and Processors have not yet understood the fundamental principles of data protection, or are unable or do not know how to implement administrative and technical required measures.
However, according to several studies published recently, Italians seem enthusiastic about mHealth (78.6% had positive comments about it). If the approval of the "system" is so high, with increasing the number of users, we will have an increased risk of unlucky events such as the one that occurred in Bologna, where it was found that one million electronic health records had been created without the informed consent of the patients. In that case, the Hospital S. Orsola Malpighi received an administrative penalty. In the case of the hospital in Martina Franca (BR), a fine of 30.000 Euro was imposed for violations, which appears to be the highest fine for a health institution in Italy.
Given the increase in sanctions foreseen in the proposed Regulation, anyone processing personal data automatically should equip themselves with systems of policy and security to limit the risk of intrusion and data theft.
According to the latest reports, attacks on health information systems have become one of the top five biggest risks for companies (especially smaller ones).
This news should raise awareness among data controllers and processors about data security within their information systems.
