GDPR in health care

Team Zorg Enablers


The General Data Protection Regulation (GDPR) of the European Union took effect in 2016, with enforcement beginning in May 2018 [1]. The purpose of the GDPR legislation was to harmonise the European regulatory framework governing data privacy and to strengthen the prevention of data leaks [2]. Organisations not complying with GDPR stipulations are subject to hefty financial penalties. GDPR implementation has prompted changes within many organisations, including health care facilities, where most of the staff work with patient data. In particular, the research divisions of health care institutions have been forced to modify their working procedures [3,4]. One of the key consequences of the GDPR is that explicit permission must be requested from all persons in the EU whose data is stored and processed [5]. The regulation also sets out the right to be forgotten, whereby individuals are entitled to erasure of their personal data upon request. Health care professionals fear that this provision could lead to problems, because the absence of important previous diagnostic information could complicate future treatment [6,7].

At the time of writing, GDPR enforcement has been in place for three quarters of a year, and the initial effects in the health care sector are emerging. First of all, a study in October 2018 revealed that nearly one third of organisations were still not fully compliant with the legislation [8]. The advent of the GDPR has also triggered an upsurge in the number of reported data leaks, although this probably reflects a jump in reporting rather than an absolute increase in actual leaks [9]. Notwithstanding anecdotal evidence of time-consuming bureaucratic predicaments arising from the GDPR, their actual impact on the health care sector as a whole cannot yet be determined [10,11]. A frequently reported complaint, by GPs in particular, involves bureaucratic red tape arising from their inability to access information from pharmacists or medical specialists without explicit permission from each patient. In other sectors, organisations have shown their ‘unease’ with the regulations by requesting permission for everything, such as for including children on school phone lists [12,13]. Advertising agencies, publishers and public-sector agencies such as tax authorities are also reportedly not yet GDPR-compliant [13]. However, other organisations in a wide array of sectors, such as finance and technology, argue that the European regulations are now viewed as the gold standard for privacy legislation worldwide, thus giving European firms a competitive advantage over non-European ones [9].

The rollout and enforcement of the GDPR has set many changes in motion in the health care sector. The privacy legislation presents an opportunity to adopt new approaches and gives cause for ethical reflection on the collection and use of medical data. The GDPR supplies an additional instrument for safeguarding the privacy of consumers and health care patients, over and above the already existing legal frameworks. In its initial year, the anticipated growing pains have been experienced. Considerable time and money have been spent on adapting procedures, wading through red tape and resolving confusion about the exact rules. Developments in smart analytics raise further security questions, such as how to preserve the anonymity of personal data used in scientific research. At the same time, the GDPR is finding echoes worldwide, and the United States is now working to develop comparable regulations [14,15].

In a digitising health care landscape – where consumers, patients and health care staff have increasing amounts of medical and other data at their disposal – a new chapter is now being opened with respect to privacy and data security. The arrival of the GDPR has done much to sharpen the societal focus on cyber security and data protection.


  1. European Commission. 2018 reform of EU data protection rules. May 2018.
  2. Bower E. How does the General Data Protection Regulation (GDPR) affect GPs? April 2018.
  3. GlobalData. General Data Protection Regulation (GDPR) in the Healthcare Industry. 2018. Available from: –general-data-protection-regulation-gdpr-in-the-healthcare-industry-implications-for-healthcare-h1-2018/. Retrieved 18-12-19.
  4. Rumbold JMM, Pierscionek B. The Effect of the General Data Protection Regulation on Medical Research. February 2017.
  5. Davis J. Europe’s GDPR privacy law is coming: Here’s what US health orgs need to know. May 2018.
  6. Finnegan G. New EU rules aim to boost protection of patient data. But is healthcare ready? Science|Business, 2018. Retrieved 19-01-19.
  7. Howell D. Five ways the GDPR will change healthcare. March 2018.
  8. Businesswire. Imperva Survey Reveals Nearly One-third of Organizations Still Not Completely Prepared for GDPR. August 2018.
  9. Warren M. Still standing, six months after GDPR. December 2018.
  10. Timmerman J. Fijn, die AVG. December 2018.
  11. Gimbel H. Absurde gevolgen privacyregels AVG in de zorg | Onnodige schadelijke rompslomp belemmert medisch handelen. Netkwesties, 2018. Retrieved 11-11-2018.
  12. Emerce. 600 klachten bij Autoriteit Persoonsgegevens sinds AVG. June 2018.
  13. Libbenga J. Het Jaar van de AVG. December 2018.
  14. Guida R. Is the US Version of GDPR on the Horizon? October 2018.
  15. Patrizio A. While no one was looking, California passed its own GDPR. Network World, July 2018.