The General Data Protection Regulation, or GDPR, focuses on the protection of personal data – that is, any information that relates to an identified or identifiable natural person. This includes a user’s name, addresses, physical or genetic information, IP addresses, location data, and more. GDPR provides a consistent standard of privacy and data protection that is mandatory across the European Union beginning on May 25, 2018.
The regulation brings a necessary breath of fresh air to transparency, security and consent. The following are a few key areas of change, affecting companies that collect, use and store user data.
How data is collected, used and stored
According to GDPR, users of a system should have the ability to clearly understand how their data has been collected. Data should be collected based on active consent. They should also understand how the system will use their information. Will the system share it with others? Individually or in aggregate? Is the system passively collecting any other information about them? And finally, users should understand how their data is stored. Most importantly, all of this information should be provided to users in language they can understand; striving for a 6th grade reading level is a great idea.
How a user is notified of a data breach
Breach notification is mandatory under GDPR and must be done within 72 hours of first having become aware of a breach.
How a user can request to see his or her data
As part of GDPR, users have the right to request to see the data the system has collected on them. New workflows are required for most systems here to allow users to make such a request and to (hopefully automatically) receive the information the system is storing about them.
How a user can enact the right to be forgotten
GDPR comes with the Right to be Forgotten, a benefit that allows users to request a complete and permanent removal from the system. This is levels above an unsubscribe or opt-out feature. The Right to be Forgotten means that all data ever collected or stored about this user will now be permanently deleted from the system. New workflows are also required here for most systems to first allow the request and then complete it in the system.
At Seeker Health, we collect users’ data, voluntarily provided by the user, to assign them to a clinical trial site that will screen them for enrollment. Since our start in 2015, we’ve always done our work based on active consent, meaning that the user must first actively opt in to provide their information. We operate the Seeker Portal, a patent-pending, secure, encrypted software that evaluates users’ submissions and assigns users to clinical trial sites. We operate across the globe, and primarily in the US and Europe.
As GDPR comes into effect in the European Union, we are applying the principles of GDPR to all the work that we do, regardless of location. Why?
- We believe that protecting the privacy of users is essential to the work we do
- We believe that protecting the privacy of users is ethical
- We believe that obtaining active consent from a user is the best way to operate our system
- We believe that users have the right to see the information the system has collected on them
- We believe that users have the right to ask to be fully deleted from the system
- We believe the United States and Canada will promptly catch up with similar regulation
At Seeker Health, we care deeply about patient and user privacy. We are GDPR compliant and we hold ourselves to these standards even in countries where this is not yet the legal standard.
EU GDPR: https://www.eugdpr.org/
Facebook advertising GDPR: https://www.facebook.com/business/gdpr