The General Data Protection Regulation is a major cause for concern among professionals from various areas. Health and nutrition professionals are no exception. But worry not, the first step towards GDPR compliance is to be aware that there are new rules on data protection and to make sure that you and your organization, if any, are aware of the main obligations. If you are reading this text, then, at the very minimum, you have just taken that first step.
In this article, we’ll be addressing some of the implications of the General Data Protection Regulation (hereinafter, GDPR or simply Regulation) for nutrition professionals. To learn more about GDPR and the steps that Nutrium is taking towards compliance, please read our previous article here.
We also recommend that you consult the Regulation and the website of your country’s supervisory authority where you will most likely find complete documentation about the subject.
The parties in play
It wouldn’t be possible to properly explain the GDPR without first clarifying some fundamental concepts about the parties involved. The relations in the Regulation are roughly defined as follows: the data subject (your patient) makes their personal data available to the controller (you, the nutrition professional) who is responsible for processing the data as imposed by the Regulation.
On certain occasions, the controller may engage a third party to carry out part of such processing operations on his behalf. These third parties, in the GDPR nomenclature, are referred to as processors. Such is the case with our Company. Healthium is, most of all, a processor of the nutrition professional and can itself contract the processing of the data with other processors. As controller you should always make sure your processors are GDPR compliant.
Lawfulness of processing
As controller, and in order to avoid legal complications and penalties, you must ensure that all processing of your patients' personal data is lawful; in other words, you must have, at the very least, some kind of legal ground for the processing to take place. Article 6 of the GDPR provides six “lawful bases” for the processing of data. Let's look at three of them:
Consent: you can choose to process personal data under the patient’s consent. Where the data subject has given their explicit and informed consent, the processing shall be lawful. For instance, you should use consent whenever you want to use your patient's data for marketing purposes. Nothing stops you from conducting your appointments on the basis of consent, but keep in mind that in these situations the patient may withdraw consent at any time, which prevents you from continuing to process their data. Also, you must have the organizational means to prove such consent and to give the data subject an easy way to withdraw it.
For contractual purposes: it is lawful to process personal data whenever it is necessary for the proper performance of a contract. For example, in order for you to validly conclude an employment contract with a secretary, it would be lawful to collect all personal data necessary to identify the parties and process wages, such as the full name, address or bank account number.
Legitimate interests: where processing is necessary to fulfil legitimate interests pursued by the controller or by third parties. For example, the nutrition professional has a legitimate interest in collecting data regarding the health of their patient since it is this data which will allow them to carry out the appointment successfully.
Ultimately, it is up to you to choose and analyse the “lawful basis” to which you want to be or will be subjected. But keep in mind that some lawful bases may be more appropriate than others, depending on the processing in question.
For instance, using "legitimate interests" as the lawful basis for the processing of data may seem the easiest way to go, but it will, however, require a "Legitimate Interests Assessment" so that the data subject may know what those interests are.
On the other hand, "consent" gives the data subject almost absolute control over their data and takes it from you. This method is considered to be more transparent, but may not be practical to implement, as it will require both the maintenance of an organised register of such consents and the capacity to ensure its associated rights.
As we have seen, apart from being your patients, they are also data subjects. As such, the GDPR establishes a set of rights with which you will have to comply. Please note that some of these rights are directly connected to the lawful basis you choose, so some of them may not be applicable.
Over the next few lines, we will try to explain some of those rights and briefly demonstrate how you can comply with them:
Right to be informed: where personal data is collected from patients, all the information contained in Article 13 of the Regulation must be provided in a clear, concise and transparent way. This is a very extensive set of information that should, ideally, be compiled into a document and made available to the customer. There are several ways you could do this: by communicating this information orally to the patient; delivering the document printed at the time of the appointment; dedicating a page on your website to the topic and inviting the patient to read it; among other ways.
Right of access: a patient has the right to know if their personal data is being processed and, if so, they have the right to access it. In these situations, the nutrition professional must provide the patient with all the details about the personal data being processed while also making available all the information contained in Article 15. Where the data subject makes the request by electronic means, this information should be handed to the patient in a commonly used electronic form, like PDF, unless otherwise requested by them.
Right of rectification and erasure: when faced with inaccurate or incomplete information, the patient has the right to obtain from the nutrition professional, without undue delay, the rectification of their data. In the same way, they may require from the professional the deletion of their data, without undue delay, bearing in mind that it is the professional's task to first assess whether the request is justified, pursuant to Article 17.
Right to data portability: where the processing is based on consent or a contract and is carried out by automated means, the nutrition professional shall, at the request of the data subject, provide them with all information in a structured, commonly used and machine-readable format, such as, for example, a PDF, Word or even Excel document.
Right to object and right to restriction of processing: the right to object applies, in particular, to situations in which the lawful basis of the processing is the “legitimate interests” of the nutrition professional. In those instances, since there is no prior request for consent, the regulator made it possible for the data subject to object to the processing. The right to restriction, in turn, is mainly intended for situations where the immediate erasure of personal data is not desired and, as such, the data subject only requires the restriction of the data processing.
Records of processing activities
If we could choose two words that somehow defined the GDPR they would probably be method and organization. And that’s the case of the next obligation: nutrition clinics and professionals are, as a rule, required to maintain a record of all processing activities kept under their responsibility.
You should, therefore, compile, in a written format and in an electronic file (an Excel sheet, for example) all categories of data subjects and the personal data you process describing them and associating them with the purposes for which they are intended. And please be aware that this mapping may also cover the data of your employees, for instance.
You should also make clear which processors you engage and make available their name and contact as well as the contacts of your Data Protection Officer and your representative, where applicable. Please consult the full list of required information in Article 30 of the Regulation.
We would like to stress that this is a document of great importance since it should be made available to the supervisory authority whenever required. It should not be confused with other documents such as Privacy Policies and Privacy Notices whose vocation is mainly public and aimed at informing the data subjects.
Security and data protection
One of the biggest concerns of the Regulation is to ensure that the processing of personal data is done as safely as possible. As such, nutrition professionals are required to implement in their practices all the necessary security measures to protect the personal data of their patients.
Such measures could translate into choosing GDPR-compliant cloud providers; encrypting electronic devices containing personal data, like computers; periodically renewing your passwords; and so on.
However, the digital context isn’t the only area to be taken into account by the Regulation; precautions should also be taken regarding the physical space of your practice.
Cabinets with patients' files should be locked and access to such files should be restricted to those groups of people who strictly need to access them. In addition, all paper documents, especially those containing sensitive data, should be properly disposed of, namely through paper shredders.
Lastly, you should be prepared for the possibility of a data breach. In such cases, when all security measures fail and it is found that the data breach has put at risk the rights and freedoms of natural persons, in particular through loss or theft, you have the obligation to notify your country’s supervisory authority and the affected data subjects, without undue delay.
These are only some of the measures that you will have to start adopting, and they will require careful planning and some study of the Regulation. At Nutrium we will always be available to assist you in any way we can, and we are implementing all the necessary features so that you can respond to your patients' requests as efficiently as possible. We hope this brief guide has been helpful.
One last remark: this article was written taking into account a worldwide audience of nutrition professionals. Although it might be a good starting point, this article is not exhaustive due to the constraints that blog posts imply.
The information we provide here needs to be implemented from country to country and adapted from professional to professional. We encourage you to consult with your lawyer in advance or with your supervisory authority or local associations.